These two patches add the password and private key authentication
methods to the ssh block driver, using secure objects for
passwords/passphrases.

Pino Toscano (2):
  ssh: implement password authentication
  ssh: implement private key authentication

 block/ssh.c                  | 133 ++++++++++++++++++++++++++++++++++-
 block/trace-events           |   2 +
 docs/qemu-block-drivers.texi |  15 +++-
 qapi/block-core.json         |  13 +++-
 tests/qemu-iotests/207.out   |   2 +-
 5 files changed, 158 insertions(+), 7 deletions(-)

--
2.21.0
On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> These two patches add the password and private key authentication
> methods to the ssh block driver, using secure objects for
> passwords/passphrases.
I was attempting to test this but couldn't work out the full command
line to use it (with qemu-img). I got as far as:
$ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
I guess the secret should be specified using --object, but at that
point I gave up.
Could do with documentation, even if merely in the commit message or a
blog post.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > These two patches add the password and private key authentication
> > methods to the ssh block driver, using secure objects for
> > passwords/passphrases.
>
> I was attempting to test this but couldn't work out the full command
> line to use it (with qemu-img). I got as far as:
>
> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
>
> I guess the secret should be specified using --object, but at that
> point I gave up.
Almost there :) add e.g.
--object 'secret,id=sec0,file=passwd'
as parameter for the convert command (so after it, not before), and then
set 'sec0' as value for file.password-secret. Of course 'sec0' is
arbitrary, any other QEMU id will do.
A long helpful comment in include/crypto/secret.h explains the basics
of the crypto objects.
--
Pino Toscano
On 7/26/19 9:45 AM, Pino Toscano wrote:
> On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
>> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
>>> These two patches add the password and private key authentication
>>> methods to the ssh block driver, using secure objects for
>>> passwords/passphrases.
>>
>> I was attempting to test this but couldn't work out the full command
>> line to use it (with qemu-img). I got as far as:
>>
>> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
>>
>> I guess the secret should be specified using --object, but at that
>> point I gave up.
>
> Almost there :) add e.g.
> --object 'secret,id=sec0,file=passwd'
> as parameter for the convert command (so after it, not before), and then
> set 'sec0' as value for file.password-secret. Of course 'sec0' is
> arbitrary, any other QEMU id will do.
>
> A long helpful comment in include/crypto/secret.h explains the basics
> of the crypto objects.
That is useful information, but even more useful if you amend the commit
message to include a working example command line rather than making
readers chase down the docs :)
Untested, but piecing together what I know from my work on qemu-nbd
encryption, it seems like this should be a starting point for such a
command:
qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
/var/tmp/copy
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
On Fri, Jul 26, 2019 at 10:06:43AM -0500, Eric Blake wrote:
> On 7/26/19 9:45 AM, Pino Toscano wrote:
> > On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> >> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> >>> These two patches add the password and private key authentication
> >>> methods to the ssh block driver, using secure objects for
> >>> passwords/passphrases.
> >>
> >> I was attempting to test this but couldn't work out the full command
> >> line to use it (with qemu-img). I got as far as:
> >>
> >> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> >>
> >> I guess the secret should be specified using --object, but at that
> >> point I gave up.
> >
> > Almost there :) add e.g.
> > --object 'secret,id=sec0,file=passwd'
> > as parameter for the convert command (so after it, not before), and then
> > set 'sec0' as value for file.password-secret. Of course 'sec0' is
> > arbitrary, any other QEMU id will do.
> >
> > A long helpful comment in include/crypto/secret.h explains the basics
> > of the crypto objects.
>
> That is useful information, but even more useful if you amend the commit
> message to include a working example command line rather than making
> readers chase down the docs :)
>
> Untested, but piecing together what I know from my work on qemu-nbd
> encryption, it seems like this should be a starting point for such a
> command:
>
> qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
> driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
> /var/tmp/copy
--imageopts isn't necessary. This was the command that worked for me:
unset SSH_AUTH_SOCK; ./qemu-img convert -p --object 'secret,id=sec0,file=/tmp/passwd' 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "sec0" }' /var/tmp/root
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
On Fri, Jul 26, 2019 at 04:35:27PM +0100, Richard W.M. Jones wrote:
> On Fri, Jul 26, 2019 at 10:06:43AM -0500, Eric Blake wrote:
> > On 7/26/19 9:45 AM, Pino Toscano wrote:
> > > On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> > >> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > >>> These two patches add the password and private key authentication
> > >>> methods to the ssh block driver, using secure objects for
> > >>> passwords/passphrases.
> > >>
> > >> I was attempting to test this but couldn't work out the full command
> > >> line to use it (with qemu-img). I got as far as:
> > >>
> > >> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> > >>
> > >> I guess the secret should be specified using --object, but at that
> > >> point I gave up.
> > >
> > > Almost there :) add e.g.
> > > --object 'secret,id=sec0,file=passwd'
> > > as parameter for the convert command (so after it, not before), and then
> > > set 'sec0' as value for file.password-secret. Of course 'sec0' is
> > > arbitrary, any other QEMU id will do.
> > >
> > > A long helpful comment in include/crypto/secret.h explains the basics
> > > of the crypto objects.
> >
> > That is useful information, but even more useful if you amend the commit
> > message to include a working example command line rather than making
> > readers chase down the docs :)
> >
> > Untested, but piecing together what I know from my work on qemu-nbd
> > encryption, it seems like this should be a starting point for such a
> > command:
> >
> > qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
> > driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
> > /var/tmp/copy
>
> --imageopts isn't necessary. This was the command that worked for me:
>
> unset SSH_AUTH_SOCK; ./qemu-img convert -p --object 'secret,id=sec0,file=/tmp/passwd' 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "sec0" }' /var/tmp/root
Right, you didn't need --imageopts because you used the json filename
syntax.
--imageopts is for telling it to interpret the filename as key,value pairs
as in Eric's example.
json & imageopts syntaxes are equally expressive, so pick which you
prefer.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
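The secret-object mechanism Pino and Daniel describe above, as an added shell example that is not part of this thread or of QEMU's own code: it writes the password to an owner-only file and emits the qemu-img command in either the json: or the --imageopts form, so the password itself never appears in the process arguments. The host "devr7", the remote path, the id "sec0" and the output path /var/tmp/copy are taken from the messages above; qemu-img itself is not executed.

```shell
#!/bin/sh
# Added example: build (not run) a qemu-img ssh invocation whose password
# comes from a QEMU "secret" object backed by a 0600 file.

# Write the password to a fresh file readable only by the owner.
# printf '%s' avoids storing a trailing newline as part of the password
# (for passwords that must contain newlines, the secret object also
# accepts format=base64 instead of the raw file contents).
write_secret_file() {
    secret_file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/ssh-secret.XXXXXX")
    printf '%s' "$1" > "$secret_file"
    echo "$secret_file"
}

# Emit the full command line. $1 = json|imageopts, $2 = secret file path.
# Both forms reference the secret only by its id, never by its value.
build_cmd() {
    syntax=$1
    secret_file=$2
    obj="--object secret,id=sec0,file=$secret_file"
    case $syntax in
    json)
        src='json:{"file.driver":"ssh","file.host":"devr7","file.path":"/var/tmp/root","file.password-secret":"sec0"}'
        echo "qemu-img convert -p $obj '$src' /var/tmp/copy"
        ;;
    imageopts)
        # --imageopts tells qemu-img to parse the filename as key=value pairs
        src='driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0'
        echo "qemu-img convert -p --imageopts $obj $src /var/tmp/copy"
        ;;
    *)
        echo "unknown syntax: $syntax" >&2
        return 1
        ;;
    esac
}

# Returns 0 if $2 occurs anywhere in the command line $1.
# Used to verify the password is absent from argv (which any local user
# could otherwise read from the process table) while the id is present.
cmd_contains() {
    case $1 in *"$2"*) return 0 ;; *) return 1 ;; esac
}
```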
On Fri, Jul 26, 2019 at 04:45:03PM +0200, Pino Toscano wrote:
> On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> > On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > > These two patches add the password and private key authentication
> > > methods to the ssh block driver, using secure objects for
> > > passwords/passphrases.
> >
> > I was attempting to test this but couldn't work out the full command
> > line to use it (with qemu-img). I got as far as:
> >
> > $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> >
> > I guess the secret should be specified using --object, but at that
> > point I gave up.
>
> Almost there :) add e.g.
> --object 'secret,id=sec0,file=passwd'
> as parameter for the convert command (so after it, not before), and then
> set 'sec0' as value for file.password-secret. Of course 'sec0' is
> arbitrary, any other QEMU id will do.
>
> A long helpful comment in include/crypto/secret.h explains the basics
> of the crypto objects.
OK, the password part of this patch does work, so:
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html