On Tue, Nov 27, 2012 at 04:38:49PM +0100, Peter Krempa wrote:
> On 11/27/12 15:56, Daniel P. Berrange wrote:
> >On Tue, Nov 27, 2012 at 02:55:11PM +0000, Daniel P. Berrange wrote:
> >>On Tue, Nov 27, 2012 at 03:39:16PM +0100, Peter Krempa wrote:
> >>>To make this function callable from code that doesn't have the conn
> >>>object, call the conn-dependant code only if conn was provided.
> >>>---
> >>> src/util/virauth.c | 13 ++++++++-----
> >>> 1 file changed, 8 insertions(+), 5 deletions(-)
> >>>
> >>>diff --git a/src/util/virauth.c b/src/util/virauth.c
> >>>index 6d9935d..738b3c5 100644
> >>>--- a/src/util/virauth.c
> >>>+++ b/src/util/virauth.c
> >>>@@ -205,7 +205,8 @@ virAuthGetUsername(virConnectPtr conn,
> >>> }
> >>>
> >>>
> >>>-
> >>>+/* if this function is called with conn == NULL, the code requesting
> >>>+ * the password from the config file is skipped */
> >>> char *
> >>> virAuthGetPassword(virConnectPtr conn,
> >>> virConnectAuthPtr auth,
> >>>@@ -218,10 +219,12 @@ virAuthGetPassword(virConnectPtr conn,
> >>> char *prompt;
> >>> char *ret = NULL;
> >>>
> >>>- if (virAuthGetCredential(conn, servicename, "password", &ret) < 0)
> >>>- return NULL;
> >>>- if (ret != NULL)
> >>>- return ret;
> >>>+ if (conn) {
> >>>+ if (virAuthGetCredential(conn, servicename, "password", &ret) < 0)
> >>>+ return NULL;
> >>>+ if (ret != NULL)
> >>>+ return ret;
> >>>+ }
> >>>
> >>> memset(&cred, 0, sizeof(virConnectCredential));
> >>
> >>NACK, I don't think this is right. The libssh2 code that is using this
> >>must have a virConnectPtr instance somewhere in its callstack. We
>
> The connection object is available in the doRemoteOpen function in
> the remote driver and it might be passed further down through the
> virNetClient and virNetSocket objects until it reaches pure libssh2
> transport code.
>
> >>should fix the code to pass the connection in where needed, not skip
> >>this.
>
> This might be needed but right now the credential storage option is
> not desired. The original keyboard-interactive implementation has to
> ask the user for various arbitrary challenges that are provided by
> the server. The virAuth implementation does not allow this.
I'm not sure I agree with you there - the SASL code also has
the ability to ask the user for arbitrary challenges, and we
support that with the virAuth already. See the method
remoteAuthFillFromConfig in remote_driver.c
The virNetSSHKbIntCb method could be made to lookup the credentials
in the auth config file in a similar manner.
> The code provided in patch 2/2 is adding fallback method to do the
> authentication with passwords when keyboard interactive is not
> available. When the user will be able to store the passwords in the
> auth file, this will introduce dual behavior on hosts supporting
> keyboard interactive auth where the user won't be able to store the
> password as the challenge is provided by the remote server and
> virauth does not support getting arbitrary requests from the user.
> On hosts that don't support this, the user would be able to save
> passwords.
>
> With that change the fallback behavior wouldn't be desired. We might
> change the default authentication method to be password and leave
> keyboard-interactive for really special scenarios that wouldn't
> support storing the credentials. (This at the cost of polluting
> virNetClient and virNetSocket with the connection object (or the
> URI) and even more added code).
Looking at the code, in the keyboard-interactive method, you call a
libssh2 API, which in turn calls virNetSSHKbIntCb() to fill up a
libvirt virConnectCredentialPtr struct with prompts.
In this new patch, you are using the virAuthGetPassword function as
a way to fill a virConnectCredentialPtr with prompts. I'd be inclined
to say the new patch should just directly call virNetSSHKbIntCb to
do this and avoid touching virAuthGetPassword at all.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list