[PATCH v5 5/7] remote: expose a new libssh transport

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Implement in virtNetClient and VirNetSocket the needed functions to
expose a new libssh transport, providing all the options that the
libssh2 transport supports.
---
 docs/remote.html.in        |  35 ++++++---
 src/remote/remote_driver.c |  41 +++++++++++
 src/rpc/virnetclient.c     | 106 +++++++++++++++++++++++++++
 src/rpc/virnetclient.h     |  13 ++++
 src/rpc/virnetsocket.c     | 179 +++++++++++++++++++++++++++++++++++++++++++++
 src/rpc/virnetsocket.h     |  13 ++++
 6 files changed, 375 insertions(+), 12 deletions(-)

diff --git a/docs/remote.html.in b/docs/remote.html.in
index 4c3012f..c28a505 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -145,6 +145,13 @@ of the OpenSSH binary. This transport uses the libvirt authentication callback f
 all ssh authentication calls and therefore supports keyboard-interactive authentication
 even with graphical management applications. As with the classic ssh transport
 netcat is required on the remote side.</dd>
+      <dt><code>libssh</code></dt>
+      <dd> Transport over the SSH protocol using
+      <a href="http://libssh.org/"; title="libssh homepage">libssh</a> instead
+of the OpenSSH binary. This transport uses the libvirt authentication callback for
+all ssh authentication calls and therefore supports keyboard-interactive authentication
+even with graphical management applications. As with the classic ssh transport
+netcat is required on the remote side.</dd>
     </dl>
     <p>
 The default transport, if no other is specified, is <code>tls</code>.
@@ -192,6 +199,9 @@ settings.
 <li><code>qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014;
 Connect to a remote host using a ssh connection with the libssh2 driver
 and use a different known_hosts file.</li>
+<li><code>qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> &#x2014;
+Connect to a remote host using a ssh connection with the libssh driver
+and use a different known_hosts file.</li>
     </ul>
     <h4>
       <a name="Remote_URI_parameters">Extra parameters</a>
@@ -260,7 +270,7 @@ Note that parameter values must be
         <td>
           <code>socket</code>
         </td>
-        <td> unix, ssh, libssh2 </td>
+        <td> unix, ssh, libssh2, libssh </td>
         <td>
   The path to the Unix domain socket, which overrides the
   compiled-in default.  For ssh transport, this is passed to
@@ -275,7 +285,7 @@ Note that parameter values must be
         <td>
           <code>netcat</code>
         </td>
-        <td> ssh, libssh2 </td>
+        <td> ssh, libssh2, libssh </td>
         <td>
   The name of the netcat command on the remote machine.
   The default is <code>nc</code>.  For ssh transport, libvirt
@@ -300,7 +310,7 @@ Note that parameter values must be
         <td>
           <code>keyfile</code>
         </td>
-        <td> ssh, libssh2 </td>
+        <td> ssh, libssh2, libssh </td>
         <td>
   The name of the private key file to use to authentication to the remote
   machine.  If this option is not used the default keys are used.
@@ -368,14 +378,15 @@ Note that parameter values must be
         <td>
           <code>known_hosts</code>
         </td>
-        <td> libssh2 </td>
-        <td>
-  Path to the known_hosts file to verify the host key against. LibSSH2
-  supports OpenSSH-style known_hosts files, although it does not support
-  all key types, so using files created by the OpenSSH binary may result
-  into truncating the known_hosts file. It's recommended to use the default
-  known_hosts file is located in libvirt's client local configuration
-  directory e.g.: ~/.config/libvirt/known_hosts. Note: Use absolute paths.
+        <td> libssh2, libssh </td>
+        <td>
+  Path to the known_hosts file to verify the host key against. LibSSH2 and
+  libssh support OpenSSH-style known_hosts files, although LibSSH2 does not
+  support all key types, so using files created by the OpenSSH binary may
+  result into truncating the known_hosts file. Thus, with LibSSH2 it's
+  recommended to use the default known_hosts file is located in libvirt's
+  client local configuration directory e.g.: ~/.config/libvirt/known_hosts.
+  Note: Use absolute paths.
 </td>
       </tr>
       <tr>
@@ -386,7 +397,7 @@ Note that parameter values must be
         <td>
           <code>sshauth</code>
         </td>
-        <td> libssh2 </td>
+        <td> libssh2, libssh </td>
         <td>
   A comma separated list of authentication methods to use. Default (is
   "agent,privkey,keyboard-interactive". The order of the methods is preserved.
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index a3cd7cd..db2bdd4 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -673,6 +673,7 @@ remoteConnectSupportsFeatureUnlocked(virConnectPtr conn,
  *   - xxx:///                -> UNIX domain socket
  *   - xxx+ssh:///            -> SSH connection (legacy)
  *   - xxx+libssh2:///        -> SSH connection (using libssh2)
+ *   - xxx+libssh:///         -> SSH connection (using libssh)
  */
 static int
 doRemoteOpen(virConnectPtr conn,
@@ -689,6 +690,7 @@ doRemoteOpen(virConnectPtr conn,
         trans_libssh2,
         trans_ext,
         trans_tcp,
+        trans_libssh,
     } transport;
 #ifndef WIN32
     char *daemonPath = NULL;
@@ -736,6 +738,8 @@ doRemoteOpen(virConnectPtr conn,
                     transport = trans_ext;
                 } else if (STRCASEEQ(transport_str, "tcp")) {
                     transport = trans_tcp;
+                } else if (STRCASEEQ(transport_str, "libssh")) {
+                    transport = trans_libssh;
                 } else {
                     virReportError(VIR_ERR_INVALID_ARG, "%s",
                                    _("remote_open: transport in URL not recognised "
@@ -959,6 +963,43 @@ doRemoteOpen(virConnectPtr conn,
         priv->is_secure = 1;
         break;
 
+    case trans_libssh:
+        if (!sockname) {
+            /* Right now we don't support default session connections */
+            if (STREQ_NULLABLE(conn->uri->path, "/session")) {
+                virReportError(VIR_ERR_OPERATION_UNSUPPORTED, "%s",
+                               _("Connecting to session instance without "
+                                 "socket path is not supported by the libssh "
+                                 "connection driver"));
+                goto failed;
+            }
+
+            if (VIR_STRDUP(sockname,
+                           flags & VIR_DRV_OPEN_REMOTE_RO ?
+                           LIBVIRTD_PRIV_UNIX_SOCKET_RO : LIBVIRTD_PRIV_UNIX_SOCKET) < 0)
+                goto failed;
+        }
+
+        VIR_DEBUG("Starting libssh session");
+
+        priv->client = virNetClientNewLibssh(priv->hostname,
+                                             port,
+                                             AF_UNSPEC,
+                                             username,
+                                             keyfile,
+                                             knownHosts,
+                                             knownHostsVerify,
+                                             sshauth,
+                                             netcat,
+                                             sockname,
+                                             auth,
+                                             conn->uri);
+        if (!priv->client)
+            goto failed;
+
+        priv->is_secure = 1;
+        break;
+
 #ifndef WIN32
     case trans_unix:
         if (!sockname) {
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 713b8d5..34475d9 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -536,6 +536,112 @@ virNetClientPtr virNetClientNewLibSSH2(const char *host,
 }
 #undef DEFAULT_VALUE
 
+#define DEFAULT_VALUE(VAR, VAL)             \
+    if (!VAR)                               \
+        VAR = VAL;
+virNetClientPtr virNetClientNewLibssh(const char *host,
+                                      const char *port,
+                                      int family,
+                                      const char *username,
+                                      const char *privkeyPath,
+                                      const char *knownHostsPath,
+                                      const char *knownHostsVerify,
+                                      const char *authMethods,
+                                      const char *netcatPath,
+                                      const char *socketPath,
+                                      virConnectAuthPtr authPtr,
+                                      virURIPtr uri)
+{
+    virNetSocketPtr sock = NULL;
+    virNetClientPtr ret = NULL;
+
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    char *nc = NULL;
+    char *command = NULL;
+
+    char *homedir = virGetUserDirectory();
+    char *confdir = virGetUserConfigDirectory();
+    char *knownhosts = NULL;
+    char *privkey = NULL;
+
+    /* Use default paths for known hosts an public keys if not provided */
+    if (confdir) {
+        if (!knownHostsPath) {
+            if (virFileExists(confdir)) {
+                if (virAsprintf(&knownhosts, "%s/known_hosts", confdir) < 0)
+                    goto cleanup;
+            }
+        } else {
+            if (VIR_STRDUP(knownhosts, knownHostsPath) < 0)
+                goto cleanup;
+        }
+    }
+
+    if (homedir) {
+        if (!privkeyPath) {
+            if (virNetClientFindDefaultSshKey(homedir, &privkey) < 0)
+                goto no_memory;
+        } else {
+            if (VIR_STRDUP(privkey, privkeyPath) < 0)
+                goto cleanup;
+        }
+    }
+
+    if (!authMethods) {
+        if (privkey)
+            authMethods = "agent,privkey,password,keyboard-interactive";
+        else
+            authMethods = "agent,password,keyboard-interactive";
+    }
+
+    DEFAULT_VALUE(host, "localhost");
+    DEFAULT_VALUE(port, "22");
+    DEFAULT_VALUE(username, "root");
+    DEFAULT_VALUE(netcatPath, "nc");
+    DEFAULT_VALUE(knownHostsVerify, "normal");
+
+    virBufferEscapeShell(&buf, netcatPath);
+    if (!(nc = virBufferContentAndReset(&buf)))
+        goto no_memory;
+
+    if (virAsprintf(&command,
+         "sh -c "
+         "'if '%s' -q 2>&1 | grep \"requires an argument\" >/dev/null 2>&1; then "
+             "ARG=-q0;"
+         "else "
+             "ARG=;"
+         "fi;"
+         "'%s' $ARG -U %s'",
+         nc, nc, socketPath) < 0)
+        goto cleanup;
+
+    if (virNetSocketNewConnectLibssh(host, port,
+                                     family,
+                                     username, privkey,
+                                     knownhosts, knownHostsVerify, authMethods,
+                                     command, authPtr, uri, &sock) != 0)
+        goto cleanup;
+
+    if (!(ret = virNetClientNew(sock, NULL)))
+        goto cleanup;
+    sock = NULL;
+
+ cleanup:
+    VIR_FREE(command);
+    VIR_FREE(privkey);
+    VIR_FREE(knownhosts);
+    VIR_FREE(homedir);
+    VIR_FREE(confdir);
+    VIR_FREE(nc);
+    virObjectUnref(sock);
+    return ret;
+
+ no_memory:
+    virReportOOMError();
+    goto cleanup;
+}
+#undef DEFAULT_VALUE
+
 virNetClientPtr virNetClientNewExternal(const char **cmdargv)
 {
     virNetSocketPtr sock;
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index c772d0b..9cf3209 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -67,6 +67,19 @@ virNetClientPtr virNetClientNewLibSSH2(const char *host,
                                        virConnectAuthPtr authPtr,
                                        virURIPtr uri);
 
+virNetClientPtr virNetClientNewLibssh(const char *host,
+                                      const char *port,
+                                      int family,
+                                      const char *username,
+                                      const char *privkeyPath,
+                                      const char *knownHostsPath,
+                                      const char *knownHostsVerify,
+                                      const char *authMethods,
+                                      const char *netcatPath,
+                                      const char *socketPath,
+                                      virConnectAuthPtr authPtr,
+                                      virURIPtr uri);
+
 virNetClientPtr virNetClientNewExternal(const char **cmdargv);
 
 int virNetClientRegisterAsyncIO(virNetClientPtr client);
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 05f20a5..325a7c7 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -65,6 +65,10 @@
 # include "virnetsshsession.h"
 #endif
 
+#if WITH_LIBSSH
+# include "virnetlibsshsession.h"
+#endif
+
 #define VIR_FROM_THIS VIR_FROM_RPC
 
 VIR_LOG_INIT("rpc.netsocket");
@@ -107,6 +111,9 @@ struct _virNetSocket {
 #if WITH_SSH2
     virNetSSHSessionPtr sshSession;
 #endif
+#if WITH_LIBSSH
+    virNetLibsshSessionPtr libsshSession;
+#endif
 };
 
 
@@ -1027,6 +1034,143 @@ virNetSocketNewConnectLibSSH2(const char *host ATTRIBUTE_UNUSED,
 }
 #endif /* WITH_SSH2 */
 
+#if WITH_LIBSSH
+int
+virNetSocketNewConnectLibssh(const char *host,
+                             const char *port,
+                             int family,
+                             const char *username,
+                             const char *privkey,
+                             const char *knownHosts,
+                             const char *knownHostsVerify,
+                             const char *authMethods,
+                             const char *command,
+                             virConnectAuthPtr auth,
+                             virURIPtr uri,
+                             virNetSocketPtr *retsock)
+{
+    virNetSocketPtr sock = NULL;
+    virNetLibsshSessionPtr sess = NULL;
+    unsigned int verify;
+    int ret = -1;
+    int portN;
+
+    char *authMethodNext = NULL;
+    char *authMethodsCopy = NULL;
+    char *authMethod;
+
+    /* port number will be verified while opening the socket */
+    if (virStrToLong_i(port, NULL, 10, &portN) < 0) {
+        virReportError(VIR_ERR_LIBSSH, "%s",
+                       _("Failed to parse port number"));
+        goto error;
+    }
+
+    /* create ssh session context */
+    if (!(sess = virNetLibsshSessionNew(username)))
+        goto error;
+
+    /* set ssh session parameters */
+    if (virNetLibsshSessionAuthSetCallback(sess, auth) != 0)
+        goto error;
+
+    if (STRCASEEQ("auto", knownHostsVerify)) {
+        verify = VIR_NET_LIBSSH_HOSTKEY_VERIFY_AUTO_ADD;
+    } else if (STRCASEEQ("ignore", knownHostsVerify)) {
+        verify = VIR_NET_LIBSSH_HOSTKEY_VERIFY_IGNORE;
+    } else if (STRCASEEQ("normal", knownHostsVerify)) {
+        verify = VIR_NET_LIBSSH_HOSTKEY_VERIFY_NORMAL;
+    } else {
+        virReportError(VIR_ERR_INVALID_ARG,
+                       _("Invalid host key verification method: '%s'"),
+                       knownHostsVerify);
+        goto error;
+    }
+
+    if (virNetLibsshSessionSetHostKeyVerification(sess,
+                                                  host,
+                                                  portN,
+                                                  knownHosts,
+                                                  verify) != 0)
+        goto error;
+
+    if (virNetLibsshSessionSetChannelCommand(sess, command) != 0)
+        goto error;
+
+    if (VIR_STRDUP(authMethodsCopy, authMethods) < 0)
+        goto error;
+
+    authMethodNext = authMethodsCopy;
+
+    while ((authMethod = strsep(&authMethodNext, ","))) {
+        if (STRCASEEQ(authMethod, "keyboard-interactive")) {
+            ret = virNetLibsshSessionAuthAddKeyboardAuth(sess, -1);
+        } else if (STRCASEEQ(authMethod, "password")) {
+            ret = virNetLibsshSessionAuthAddPasswordAuth(sess, uri);
+        } else if (STRCASEEQ(authMethod, "privkey")) {
+            ret = virNetLibsshSessionAuthAddPrivKeyAuth(sess,
+                                                        privkey,
+                                                        NULL);
+        } else if (STRCASEEQ(authMethod, "agent")) {
+            ret = virNetLibsshSessionAuthAddAgentAuth(sess);
+        } else {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("Invalid authentication method: '%s'"),
+                           authMethod);
+            ret = -1;
+            goto error;
+        }
+
+        if (ret != 0)
+            goto error;
+    }
+
+    /* connect to remote server */
+    if ((ret = virNetSocketNewConnectTCP(host, port, family, &sock)) < 0)
+        goto error;
+
+    /* connect to the host using ssh */
+    if ((ret = virNetLibsshSessionConnect(sess, virNetSocketGetFD(sock))) != 0)
+        goto error;
+
+    sock->libsshSession = sess;
+    /* libssh owns the FD and closes it on its own, and thus
+     * we must not close it (otherwise there are warnings about
+     * trying to close an invalid FD).
+     */
+    sock->ownsFd = false;
+    *retsock = sock;
+
+    VIR_FREE(authMethodsCopy);
+    return 0;
+
+ error:
+    virObjectUnref(sock);
+    virObjectUnref(sess);
+    VIR_FREE(authMethodsCopy);
+    return ret;
+}
+#else
+int
+virNetSocketNewConnectLibssh(const char *host ATTRIBUTE_UNUSED,
+                             const char *port ATTRIBUTE_UNUSED,
+                             int family ATTRIBUTE_UNUSED,
+                             const char *username ATTRIBUTE_UNUSED,
+                             const char *privkey ATTRIBUTE_UNUSED,
+                             const char *knownHosts ATTRIBUTE_UNUSED,
+                             const char *knownHostsVerify ATTRIBUTE_UNUSED,
+                             const char *authMethods ATTRIBUTE_UNUSED,
+                             const char *command ATTRIBUTE_UNUSED,
+                             virConnectAuthPtr auth ATTRIBUTE_UNUSED,
+                             virURIPtr uri ATTRIBUTE_UNUSED,
+                             virNetSocketPtr *retsock ATTRIBUTE_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("libssh transport support was not enabled"));
+    return -1;
+}
+#endif /* WITH_LIBSSH */
+
 int virNetSocketNewConnectExternal(const char **cmdargv,
                                    virNetSocketPtr *retsock)
 {
@@ -1204,6 +1348,10 @@ void virNetSocketDispose(void *obj)
     virObjectUnref(sock->sshSession);
 #endif
 
+#if WITH_LIBSSH
+    virObjectUnref(sock->libsshSession);
+#endif
+
     if (sock->ownsFd)
         VIR_FORCE_CLOSE(sock->fd);
     VIR_FORCE_CLOSE(sock->errfd);
@@ -1534,6 +1682,11 @@ bool virNetSocketHasCachedData(virNetSocketPtr sock ATTRIBUTE_UNUSED)
         hasCached = true;
 #endif
 
+#if WITH_LIBSSH
+    if (virNetLibsshSessionHasCachedData(sock->libsshSession))
+        hasCached = true;
+#endif
+
 #if WITH_SASL
     if (sock->saslDecoded)
         hasCached = true;
@@ -1558,6 +1711,22 @@ static ssize_t virNetSocketLibSSH2Write(virNetSocketPtr sock,
 }
 #endif
 
+#if WITH_LIBSSH
+static ssize_t virNetSocketLibsshRead(virNetSocketPtr sock,
+                                      char *buf,
+                                      size_t len)
+{
+    return virNetLibsshChannelRead(sock->libsshSession, buf, len);
+}
+
+static ssize_t virNetSocketLibsshWrite(virNetSocketPtr sock,
+                                       const char *buf,
+                                       size_t len)
+{
+    return virNetLibsshChannelWrite(sock->libsshSession, buf, len);
+}
+#endif
+
 bool virNetSocketHasPendingData(virNetSocketPtr sock ATTRIBUTE_UNUSED)
 {
     bool hasPending = false;
@@ -1581,6 +1750,11 @@ static ssize_t virNetSocketReadWire(virNetSocketPtr sock, char *buf, size_t len)
         return virNetSocketLibSSH2Read(sock, buf, len);
 #endif
 
+#if WITH_LIBSSH
+    if (sock->libsshSession)
+        return virNetSocketLibsshRead(sock, buf, len);
+#endif
+
  reread:
 #if WITH_GNUTLS
     if (sock->tlsSession &&
@@ -1640,6 +1814,11 @@ static ssize_t virNetSocketWriteWire(virNetSocketPtr sock, const char *buf, size
         return virNetSocketLibSSH2Write(sock, buf, len);
 #endif
 
+#if WITH_LIBSSH
+    if (sock->libsshSession)
+        return virNetSocketLibsshWrite(sock, buf, len);
+#endif
+
  rewrite:
 #if WITH_GNUTLS
     if (sock->tlsSession &&
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index ec064bb..56c75c0 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -100,6 +100,19 @@ int virNetSocketNewConnectLibSSH2(const char *host,
                                   virURIPtr uri,
                                   virNetSocketPtr *retsock);
 
+int virNetSocketNewConnectLibssh(const char *host,
+                                 const char *port,
+                                 int family,
+                                 const char *username,
+                                 const char *privkey,
+                                 const char *knownHosts,
+                                 const char *knownHostsVerify,
+                                 const char *authMethods,
+                                 const char *command,
+                                 virConnectAuthPtr auth,
+                                 virURIPtr uri,
+                                 virNetSocketPtr *retsock);
+
 int virNetSocketNewConnectExternal(const char **cmdargv,
                                    virNetSocketPtr *addr);
 
-- 
2.7.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]