Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the no_verify extra parameter was specified. This won't disable host key checking for already known hosts. Includes a test and documentation. --- Thanks for the review, here's an updated patch. docs/remote.html.in | 9 +++++++-- src/remote/remote_driver.c | 1 + src/rpc/virnetclient.c | 3 ++- src/rpc/virnetclient.h | 1 + src/rpc/virnetsocket.c | 3 +++ src/rpc/virnetsocket.h | 1 + tests/virnetsockettest.c | 22 +++++++++++++++++++--- 7 files changed, 34 insertions(+), 6 deletions(-) diff --git a/docs/remote.html.in b/docs/remote.html.in index f6a0683..39d65aa 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -279,9 +279,14 @@ Note that parameter values must be <td> <code>no_verify</code> </td> - <td> tls </td> - <td> - If set to a non-zero value, this disables client checks of the + <td> ssh, tls </td> + <td> + SSH: If set to a non-zero value, this disables client's strict host key + checking making it auto-accept new host keys. Existing host keys will + still be validated. + <br/> + <br/> + TLS: If set to a non-zero value, this disables client checks of the server's certificate. Note that to disable server checks of the client's certificate or IP address you must <a href="#Remote_libvirtd_configuration">change the libvirtd diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 5c0457e..6921c15 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c @@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn, command, username, no_tty, + no_verify, netcat ? netcat : "nc", sockname))) goto failed; diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c index 6a112ee..b9f0fc8 100644 --- a/src/rpc/virnetclient.c +++ b/src/rpc/virnetclient.c 
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename, const char *binary, const char *username, bool noTTY, + bool noVerify, const char *netcat, const char *path) { virNetSocketPtr sock; - if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat, path, &sock) < 0) + if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify, netcat, path, &sock) < 0) return NULL; return virNetClientNew(sock, NULL); diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h index de0782c..6acdf50 100644 --- a/src/rpc/virnetclient.h +++ b/src/rpc/virnetclient.h @@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename, const char *binary, const char *username, bool noTTY, + bool noVerify, const char *netcat, const char *path); diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 3392047..41d9954 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename, const char *binary, const char *username, bool noTTY, + bool noVerify, const char *netcat, const char *path, virNetSocketPtr *retsock) @@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename, if (noTTY) virCommandAddArgList(cmd, "-T", "-o", "BatchMode=yes", "-e", "none", NULL); + if (noVerify) + virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no", NULL); virCommandAddArgList(cmd, nodename, netcat ? netcat : "nc", "-U", path, NULL); diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h index 356d6c6..5f882ac 100644 --- a/src/rpc/virnetsocket.h +++ b/src/rpc/virnetsocket.h @@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename, const char *binary, const char *username, bool noTTY, + bool noVerify, const char *netcat, const char *path, virNetSocketPtr *addr); diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c index f6c7274..e003a23 100644 --- a/tests/virnetsockettest.c +++ b/tests/virnetsockettest.c 
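Review bot: `StrictHostKeyChecking=no` in the second virnetsocket.c hunk does not give the guarantee the commit message and the docs/remote.html.in text promise ("Existing host keys will still be validated"). In OpenSSH that setting only auto-adds unknown keys; when a known host's key has changed, ssh prints the identification-changed warning, disables password authentication and forwarding, and still proceeds, so a public-key tunnel to a host whose key no longer matches known_hosts is established rather than refused. The documentation row should state that, e.g. `SSH: If set to a non-zero value, unknown host keys are accepted automatically (StrictHostKeyChecking=no); a changed key for an already known host is only warned about, not rejected, so the host identity is not verified in that case.` The enclosing function virNetSocketNewConnectSSH continues outside the hunk.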
@@ -377,6 +377,7 @@ struct testSSHData { const char *binary; const char *username; bool noTTY; + bool noVerify; const char *netcat; const char *path; @@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque) data->binary, data->username, data->noTTY, + data->noVerify, data->netcat, data->path, &csock) < 0) @@ -503,6 +505,7 @@ mymain(void) .username = "fred", .netcat = "netcat", .noTTY = true, + .noVerify = false, .path = "/tmp/socket", .expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U /tmp/socket\n", }; @@ -510,20 +513,33 @@ mymain(void) ret = -1; struct testSSHData sshData3 = { + .nodename = "somehost", + .service = "9000", + .username = "fred", + .netcat = "netcat", + .noTTY = false, + .noVerify = true, + .path = "/tmp/socket", + .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n", + }; + if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData2) < 0) + ret = -1; + + struct testSSHData sshData4 = { .nodename = "nosuchhost", .path = "/tmp/socket", .failConnect = true, }; - if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0) + if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData3) < 0) ret = -1; - struct testSSHData sshData4 = { + struct testSSHData sshData5 = { .nodename = "crashyhost", .path = "/tmp/socket", .expectOut = "crashyhost nc -U /tmp/socket\n", .dieEarly = true, }; - if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0) + if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData4) < 0) ret = -1; #endif -- 1.7.6 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
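Review bot: The three `virtTestRun` calls in the last hunk pass the wrong data after the renumbering: "SSH test 3" is run with `&sshData2`, "SSH test 4" with `&sshData3` and "SSH test 5" with `&sshData4`. As a result sshData2 runs twice, the new noVerify case and the nosuchhost case run under the wrong labels, and the crashyhost `sshData5` case (dieEarly) is never executed at all; since each struct carries its own expectOut this passes silently. The pointers need to follow the labels: `virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3)`, `virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4)`, `virtTestRun("SSH test 5", 1, testSocketSSH, &sshData5)`. mymain continues outside the hunk.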