Re: [libvirt PATCH 07/11] virnetclient: Use 'if' consistently

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 14, 2022 at 01:56:17AM -0800, Andrea Bolognani wrote:
> On Fri, Feb 11, 2022 at 05:46:31PM +0000, Daniel P. Berrangé wrote:
> > > -        return g_strdup_printf("sh -c 'which virt-ssh-helper 1>/dev/null 2>&1; "
> > > -                               "if test $? = 0; then "
> > > +        return g_strdup_printf("sh -c 'if which virt-ssh-helper >/dev/null 2>&1; then "
> > >                                     "%s; "
> > >                                 "else "
> > >                                     "%s; "
> >
> > I understand the motivation, but please don't change this. Applications
> > like OpenStack have configured ssh authorized_keys files with the
> > specific command that libvirt invokes. So changes like this will break
> > their SSH configs.  We caused this pain when we first introduced the
> > virt-ssh-helper, but at least that was giving them a functional
> > improvement and they could use a URI parameter to force the old command
> > string. This change is just prettiness for no functional improvement
> > so is not worth breaking apps for.
> 
> Can you please provide pointers to the OpenStack implementation of
> this and the issue that resulted from introducing virt-ssh-helper?

I don't know where the code is. I just know that they were broken
by our changes in this area.

> AFAICT the only way to restrict what commands a user can run after
> successfully authenticating is to specify command=... before the
> corresponding key in authorized_keys and I don't see how this change,
> or indeed the one that happened when virt-ssh-helper was added, could
> interfere with that.

The command that was listed in the authorized_keys file no longer
matched what libvirt was actually invoking, so it was rightly
rejected.


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux