From: Erik Skultety
To: libvir-list@redhat.com
Subject: [libvirt-tck PATCH 1/2] lib: TCK.pm: Favour pubkey auth over passwords on SSH connections
Date: Tue, 21 Jan 2020 17:47:16 +0100
Message-Id: <20620fdc44e7badad31bd834767a2f415907693a.1579625223.git.eskultet@redhat.com>

The reason for this change is our Fedora 31 test image, because starting with Fedora 31, the SSH policy for root logins with password authentication changed and password auth is now disabled by default. Since we were relying on this, we're now unable to log in to the guest as root. Let's convert to SSH key usage.

Signed-off-by: Erik Skultety
Reviewed-by: Daniel P. Berrangé
---
 lib/Sys/Virt/TCK.pm | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
index a641d01..5a5c9e4 100644
--- a/lib/Sys/Virt/TCK.pm
+++ b/lib/Sys/Virt/TCK.pm
@@ -408,6 +408,32 @@ sub has_disk_image { return -f $target } =20 +sub ssh_key_path { + my $self =3D shift; + my $basedir =3D shift; + + return catfile($basedir, "ssh", "id_rsa"); +} + +sub create_host_ssh_keys { + my $self =3D shift; + + my $scratch =3D $self->scratch_dir; + my $ssh_dir_path =3D catfile($scratch, "ssh"); + my $ssh_key_path =3D $self->ssh_key_path($scratch); + + if (! -d "$ssh_dir_path") { + mkdir "$ssh_dir_path", 0700; + } + + if (! -e "$ssh_key_path") { + print "# generating a new SSH RSA key pair under $ssh_dir_path\n"; + system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''"; + } + + return $ssh_key_path; +} + sub create_virt_builder_disk { my $self =3D shift; my $bucket =3D shift; 
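Review bot: in create_host_ssh_keys the key generation is a single-string `system "ssh-keygen -q -t rsa -f $ssh_key_path -N ''";`, so Perl hands it to the shell with $ssh_key_path interpolated unquoted, and a scratch directory containing a space or a shell metacharacter breaks the command (or worse, gets interpreted). Prefer the list form the module already uses for virt-builder: `system "ssh-keygen", "-q", "-t", "rsa", "-f", $ssh_key_path, "-N", "";`. Neither the mkdir nor the ssh-keygen result is checked, so a failure here only surfaces later when virt-builder cannot read `$ssh_key_path.pub`; add `die "cannot run ssh-keygen: $?" if $? != 0;` after the call, mirroring the existing virt-builder check. The `! -e "$ssh_key_path"` test also looks only at the private key, so a leftover private key whose .pub half is missing skips regeneration; testing for both files (or regenerating when either is absent) would make the helper self-healing.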
@@ -424,8 +450,10 @@ sub create_virt_builder_disk { return $target; } =20 + my $ssh_key_path =3D $self->create_host_ssh_keys; + print "# running virt-builder $osname\n"; - system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--= root-password", "password:$password", "--output", $target, $osname; + system "virt-builder", "--install", "dsniff", "--selinux-relabel", "--= root-password", "password:$password", "--ssh-inject", "root:file:$ssh_key_p= ath.pub", "--output", $target, $osname; =20 die "cannot run virt-builder: $?" if $? !=3D 0; =20 --=20 2.24.1
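Review bot: the early `return $target` kept as context at the top of this hunk runs before the new `create_host_ssh_keys` call, so a disk image cached from a run that predates this change is reused without ever passing through `--ssh-inject`, and the key pair is not generated either; the nwfilter tests then fail with an authentication error that does not point at the stale image. Either generate the key pair before the cache check, or state in the commit message that images under the scratch dir must be removed once after updating. `"root:file:$ssh_key_path.pub"` relies on ssh-keygen having written the public half next to the private key, which is only guaranteed when ssh-keygen succeeded, so a result check in create_host_ssh_keys is what makes this line safe. The `--root-password password:$password` argument stays alongside `--ssh-inject`, so the guest still carries a fixed root password that the tests no longer use; if nothing else in the TCK depends on root_password(), dropping it would shrink what the test guest exposes.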
From: Erik Skultety
To: libvir-list@redhat.com
Subject: [libvirt-tck PATCH 2/2] nwfilter: Make use of the SSH pubkey auth rather than password-based auth
Date: Tue, 21 Jan 2020 17:47:17 +0100
Message-Id: <2f6692b63e8fff0002f5e419fa37804ab1031cc4.1579625223.git.eskultet@redhat.com>

Not only have SSH keys been a good practice for a while, this also fixes our SSH connections to the f31 test VM.

Signed-off-by: Erik Skultety
Reviewed-by: Daniel P. Berrangé
---
 scripts/nwfilter/210-no-mac-spoofing.t  | 2 +-
 scripts/nwfilter/220-no-ip-spoofing.t   | 2 +-
 scripts/nwfilter/230-no-mac-broadcast.t | 2 +-
 scripts/nwfilter/240-no-arp-spoofing.t  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/nwfilter/210-no-mac-spoofing.t b/scripts/nwfilter/210-no-mac-spoofing.t
index 95f003a..9798c4f 100644
--- a/scripts/nwfilter/210-no-mac-spoofing.t
+++ b/scripts/nwfilter/210-no-mac-spoofing.t @@ -95,7 +95,7 @@ ok($ping =3D~ "10 received", "ping $guestip test"); diag "ssh'ing into $guestip"; my $ssh =3D Net::OpenSSH->new($guestip, user =3D> "root", - password =3D> $tck->root_password(), + key_path =3D> $tck->ssh_key_path($tck->scratch_dir()), master_opts =3D> [-o =3D> "UserKnownHostsFile= =3D/dev/null", -o =3D> "StrictHostKeyChecking= =3Dno"]); =20 diff --git a/scripts/nwfilter/220-no-ip-spoofing.t b/scripts/nwfilter/220-n= o-ip-spoofing.t index bacb861..9615d99 100644 --- a/scripts/nwfilter/220-no-ip-spoofing.t +++ b/scripts/nwfilter/220-no-ip-spoofing.t @@ -89,7 +89,7 @@ ok($ebtable =3D~ "$guestip", "check ebtables entry"); diag "ssh'ing into $guestip"; my $ssh =3D Net::OpenSSH->new($guestip, user =3D> "root", - password =3D> $tck->root_password(), + key_path =3D> $tck->ssh_key_path($tck->scratch_dir()), master_opts =3D> [-o =3D> "UserKnownHostsFile= =3D/dev/null", -o =3D> "StrictHostKeyChecking= =3Dno"]); =20 diff --git a/scripts/nwfilter/230-no-mac-broadcast.t b/scripts/nwfilter/230= -no-mac-broadcast.t index b518a81..59683fa 100644 --- a/scripts/nwfilter/230-no-mac-broadcast.t +++ b/scripts/nwfilter/230-no-mac-broadcast.t @@ -117,7 +117,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 -n host $network= ipbroadcast and ether hos diag "ssh'ing into $guestip"; my $ssh =3D Net::OpenSSH->new($guestip, user =3D> "root", - password =3D> $tck->root_password(), + key_path =3D> $tck->ssh_key_path($tck->scratch_dir()), master_opts =3D> [-o =3D> "UserKnownHostsFile= =3D/dev/null", -o =3D> "StrictHostKeyCheckin= g=3Dno"]); =20 diff --git a/scripts/nwfilter/240-no-arp-spoofing.t b/scripts/nwfilter/240-= no-arp-spoofing.t index 77b36d2..2c860ed 100644 --- a/scripts/nwfilter/240-no-arp-spoofing.t +++ b/scripts/nwfilter/240-no-arp-spoofing.t 
@@ -98,7 +98,7 @@ system("/usr/sbin/tcpdump -v -i virbr0 not ip > /tmp/tcp= dump.log &"); diag "ssh'ing into $guestip"; my $ssh =3D Net::OpenSSH->new($guestip, user =3D> "root", - password =3D> $tck->root_password(), + key_path =3D> $tck->ssh_key_path($tck->scratch_dir()), master_opts =3D> [-o =3D> "UserKnownHostsFile= =3D/dev/null", -o =3D> "StrictHostKeyChecking= =3Dno"]); =20 --=20 2.24.1
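Review bot: all four hunks keep `-o UserKnownHostsFile=/dev/null` and `-o StrictHostKeyChecking=no`, so the guest's host key is still never verified; switching to `key_path` does reduce what that exposes (a signature bound to the session instead of a reusable root password), but the combination still deserves a one-line comment so the pattern is not copied into a test that talks to anything other than a throwaway guest on virbr0. `key_path => $tck->ssh_key_path($tck->scratch_dir())` is repeated verbatim in 210, 220, 230 and 240; a `ssh_key_path` that defaults to the scratch dir when called without an argument would keep the key location in one place. None of the tests checks that the key file exists before `Net::OpenSSH->new`, so when the guest image was cached from an earlier run the failure appears as an opaque authentication error; a `-e` check with a `diag` pointing at the image cache would save debugging time.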