[PATCHv2] remote/ssh: support for no_verify.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified.  This won't disable host key
checking for already known hosts.  Includes a test and documentation.
---
 Thanks for the review, here's an updated patch.

 docs/remote.html.in        |    9 +++++++--
 src/remote/remote_driver.c |    1 +
 src/rpc/virnetclient.c     |    3 ++-
 src/rpc/virnetclient.h     |    1 +
 src/rpc/virnetsocket.c     |    3 +++
 src/rpc/virnetsocket.h     |    1 +
 tests/virnetsockettest.c   |   22 +++++++++++++++++++---
 7 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/docs/remote.html.in b/docs/remote.html.in
index f6a0683..39d65aa 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -279,9 +279,14 @@ Note that parameter values must be
         <td>
           <code>no_verify</code>
         </td>
-        <td> tls </td>
-        <td>
-  If set to a non-zero value, this disables client checks of the
+        <td> ssh, tls </td>
+        <td>
+  SSH: If set to a non-zero value, this disables client's strict host key
+  checking making it auto-accept new host keys.  Existing host keys will
+  still be validated.
+  <br/>
+  <br/>
+  TLS: If set to a non-zero value, this disables client checks of the
   server's certificate.  Note that to disable server checks of
   the client's certificate or IP address you must
   <a href="#Remote_libvirtd_configuration">change the libvirtd
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 5c0457e..6921c15 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
                                                 command,
                                                 username,
                                                 no_tty,
+                                                no_verify,
                                                 netcat ? netcat : "nc",
                                                 sockname)))
             goto failed;
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 6a112ee..b9f0fc8 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                    const char *binary,
                                    const char *username,
                                    bool noTTY,
+                                   bool noVerify,
                                    const char *netcat,
                                    const char *path)
 {
     virNetSocketPtr sock;
 
-    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat, path, &sock) < 0)
+    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify, netcat, path, &sock) < 0)
         return NULL;
 
     return virNetClientNew(sock, NULL);
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index de0782c..6acdf50 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                    const char *binary,
                                    const char *username,
                                    bool noTTY,
+                                   bool noVerify,
                                    const char *netcat,
                                    const char *path);
 
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 3392047..41d9954 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                               const char *binary,
                               const char *username,
                               bool noTTY,
+                              bool noVerify,
                               const char *netcat,
                               const char *path,
                               virNetSocketPtr *retsock)
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
     if (noTTY)
         virCommandAddArgList(cmd, "-T", "-o", "BatchMode=yes",
                              "-e", "none", NULL);
+    if (noVerify)
+        virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no", NULL);
     virCommandAddArgList(cmd, nodename,
                          netcat ? netcat : "nc",
                          "-U", path, NULL);
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index 356d6c6..5f882ac 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                               const char *binary,
                               const char *username,
                               bool noTTY,
+                              bool noVerify,
                               const char *netcat,
                               const char *path,
                               virNetSocketPtr *addr);
diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
index f6c7274..e003a23 100644
--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
@@ -377,6 +377,7 @@ struct testSSHData {
     const char *binary;
     const char *username;
     bool noTTY;
+    bool noVerify;
     const char *netcat;
     const char *path;
 
@@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque)
                                   data->binary,
                                   data->username,
                                   data->noTTY,
+                                  data->noVerify,
                                   data->netcat,
                                   data->path,
                                   &csock) < 0)
@@ -503,6 +505,7 @@ mymain(void)
         .username = "fred",
         .netcat = "netcat",
         .noTTY = true,
+        .noVerify = false,
         .path = "/tmp/socket",
         .expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U /tmp/socket\n",
     };
@@ -510,20 +513,33 @@ mymain(void)
         ret = -1;
 
     struct testSSHData sshData3 = {
+        .nodename = "somehost",
+        .service = "9000",
+        .username = "fred",
+        .netcat = "netcat",
+        .noTTY = false,
+        .noVerify = true,
+        .path = "/tmp/socket",
+        .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n",
+    };
+    if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData2) < 0)
+        ret = -1;
+
+    struct testSSHData sshData4 = {
         .nodename = "nosuchhost",
         .path = "/tmp/socket",
         .failConnect = true,
     };
-    if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)
+    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData3) < 0)
         ret = -1;
 
-    struct testSSHData sshData4 = {
+    struct testSSHData sshData5 = {
         .nodename = "crashyhost",
         .path = "/tmp/socket",
         .expectOut = "crashyhost nc -U /tmp/socket\n",
         .dieEarly = true,
     };
-    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+    if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData4) < 0)
         ret = -1;
 
 #endif
-- 
1.7.6

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]