[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCHv2 4/4] libssh2_transport: Use libssh2 driver code in remote driver



On Sat, Aug 11, 2012 at 11:21:02PM +0200, Peter Krempa wrote:
> This patch adds URI options to support libssh2 transport in the remote
> driver.
> 
> A new transport sceme is introduced eg. "qemu+libssh://..." that
> utilizes the libssh2 code added in previous patches.
> 
> The libssh2 code requires the authentication callback to be able to
> perform keyboard-interactive authentication or to ask t passprhases or
> add host keys to known hosts database.
> 
> Added URI components:
> - known_hosts -  path to a knownHosts file in OpenSSH format to check
>                  for known ssh host keys
> - known_hosts_verify - how to deal with server key verification:
>                             * "normal" (default) - ask to add new keys
>                             * "auto" - automaticaly add new keys
>                             * "ignore" - don't validate host keys
> - auth - authentication methods to use. Default is
>             "agent,privkey,keyboard-interactive". It's a comma separated
>             string of methods to try while authenticating. The order is
>             preserved. Some of the methods may require additional
>             parameters.
> - password - Password for password authentication.

NACK to adding 'password' as a parameter. It is not safe to provide
passwords in URIs, and we already have explicit support for providing
passwords via a libvirt config file.

> diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
> index 8153d70..9b5677d 100644
> --- a/src/remote/remote_driver.c
> +++ b/src/remote/remote_driver.c
> @@ -385,6 +385,8 @@ static void remoteClientCloseFunc(virNetClientPtr client ATTRIBUTE_UNUSED,
>   *   - xxx+tcp:///            -> TCP connection to localhost
>   *   - xxx+unix:///           -> UNIX domain socket
>   *   - xxx:///                -> UNIX domain socket
> + *   - xxx+ssh:///            -> SSH connection (legacy)
> + *   - xxx+libssh2:///        -> SSH connection (using libssh2)
>   */
>  static int
>  doRemoteOpen(virConnectPtr conn,
> @@ -397,6 +399,7 @@ doRemoteOpen(virConnectPtr conn,
>          trans_tls,
>          trans_unix,
>          trans_ssh,
> +        trans_libssh2,
>          trans_ext,
>          trans_tcp,
>      } transport;
> @@ -439,6 +442,8 @@ doRemoteOpen(virConnectPtr conn,
>                      }
>                  } else if (STRCASEEQ(transport_str, "ssh"))
>                      transport = trans_ssh;
> +                else if (STRCASEEQ(transport_str, "libssh2"))
> +                    transport = trans_libssh2;
>                  else if (STRCASEEQ(transport_str, "ext"))
>                      transport = trans_ext;
>                  else if (STRCASEEQ(transport_str, "tcp"))
> @@ -446,7 +451,7 @@ doRemoteOpen(virConnectPtr conn,
>                  else {
>                      virReportError(VIR_ERR_INVALID_ARG, "%s",
>                                     _("remote_open: transport in URL not recognised "
> -                                     "(should be tls|unix|ssh|ext|tcp)"));
> +                                     "(should be tls|unix|ssh|ext|tcp|libssh2)"));
>                      return VIR_DRV_OPEN_ERROR;
>                  }
>              }
> @@ -460,10 +465,12 @@ doRemoteOpen(virConnectPtr conn,
>       * get freed in the failed: path.
>       */
>      char *name = NULL, *command = NULL, *sockname = NULL, *netcat = NULL;
> -    char *port = NULL, *authtype = NULL, *username = NULL;
> +    char *port = NULL, *authtype = NULL, *username = NULL, *password = NULL;
>      bool sanity = true, verify = true, tty ATTRIBUTE_UNUSED = true;
>      char *pkipath = NULL, *keyfile = NULL;
> 
> +    char *knownHostsVerify = NULL,  *knownHosts = NULL;
> +
>      /* Return code from this function, and the private data. */
>      int retcode = VIR_DRV_OPEN_ERROR;
> 
> @@ -508,6 +515,9 @@ doRemoteOpen(virConnectPtr conn,
>              EXTRACT_URI_ARG_STR("netcat", netcat);
>              EXTRACT_URI_ARG_STR("keyfile", keyfile);
>              EXTRACT_URI_ARG_STR("pkipath", pkipath);
> +            EXTRACT_URI_ARG_STR("known_hosts", knownHosts);
> +            EXTRACT_URI_ARG_STR("known_hosts_verify", knownHostsVerify);
> +            EXTRACT_URI_ARG_STR("password", password);

So remove this password param


ACK, if the password URI param is removed

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]