From 9a0e6a8fae363e73db179a93cdd9878b0908248a Mon Sep 17 00:00:00 2001 From: Oskari Saarenmaa Date: Mon, 11 Jul 2011 22:50:31 +0300 Subject: [PATCH] remote/ssh: support for no_verify. Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the no_verify extra parameter was specified. This won't disable host key checking for already known hosts. Includes a test and documentation. --- AUTHORS | 1 + docs/remote.html.in | 9 +++++++-- src/remote/remote_driver.c | 1 + src/rpc/virnetclient.c | 3 ++- src/rpc/virnetclient.h | 1 + src/rpc/virnetsocket.c | 3 +++ src/rpc/virnetsocket.h | 1 + tests/virnetsockettest.c | 22 +++++++++++++++++++--- 8 files changed, 35 insertions(+), 6 deletions(-) diff --git a/AUTHORS b/AUTHORS index 4b200d00ea..4b16a2ca70 100644 --- a/AUTHORS +++ b/AUTHORS @@ -184,6 +184,7 @@ Patches have also been contributed by: John Williams Michael Santos Alex Jia + Oskari Saarenmaa [....send patches to get your name here....] diff --git a/docs/remote.html.in b/docs/remote.html.in index f6a0683135..39d65aaabe 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -279,9 +279,14 @@ Note that parameter values must be no_verify - tls + ssh, tls - If set to a non-zero value, this disables client checks of the + SSH: If set to a non-zero value, this disables client's strict host key + checking making it auto-accept new host keys. Existing host keys will + still be validated. +
+
+ TLS: If set to a non-zero value, this disables client checks of the server's certificate. Note that to disable server checks of the client's certificate or IP address you must change the libvirtd
diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c
index 5c0457e200..6921c153f5 100644
--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
 command,
 username,
 no_tty,
+ no_verify,
 netcat ? netcat : "nc",
 sockname)))
 goto failed;
diff --git a/src/rpc/virnetclient.c b/src/rpc/virnetclient.c
index 6a112eea70..b9f0fc807f 100644
--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
 const char *binary,
 const char *username,
 bool noTTY,
+ bool noVerify,
 const char *netcat,
 const char *path)
 {
 virNetSocketPtr sock;
- if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat, path, &sock) < 0)
+ if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify, netcat, path, &sock) < 0)
 return NULL;
 return virNetClientNew(sock, NULL);
diff --git a/src/rpc/virnetclient.h b/src/rpc/virnetclient.h
index de0782c240..6acdf508a0 100644
--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
 const char *binary,
 const char *username,
 bool noTTY,
+ bool noVerify,
 const char *netcat,
 const char *path);
diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c
index 33920479a4..41d9954e66 100644
--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
 const char *binary,
 const char *username,
 bool noTTY,
+ bool noVerify,
 const char *netcat,
 const char *path,
 virNetSocketPtr *retsock)
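Review bot: The new `bool noVerify` parameter of virNetClientNewSSH is undocumented in the header, and because it sits directly after `bool noTTY` the two flags can be transposed at a call site without any compiler diagnostic. A one-line comment on the declaration, e.g. `/* noVerify: pass -o StrictHostKeyChecking=no, auto-accepting host keys ssh has not seen before */`, would record its effect, which is otherwise only discoverable from virnetsocket.c. The same applies to the matching prototype in virnetsocket.h. The declaration begins before this hunk.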
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
 if (noTTY)
 virCommandAddArgList(cmd, "-T", "-o", "BatchMode=yes", "-e", "none", NULL);
+ if (noVerify)
+ virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no", NULL);
 virCommandAddArgList(cmd, nodename, netcat ? netcat : "nc", "-U", path, NULL);
diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h
index 356d6c6cf8..5f882ac543 100644
--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
 const char *binary,
 const char *username,
 bool noTTY,
+ bool noVerify,
 const char *netcat,
 const char *path,
 virNetSocketPtr *addr);
diff --git a/tests/virnetsockettest.c b/tests/virnetsockettest.c
index f6c72743c6..1697ced30c 100644
--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
@@ -377,6 +377,7 @@ struct testSSHData {
 const char *binary;
 const char *username;
 bool noTTY;
+ bool noVerify;
 const char *netcat;
 const char *path;
@@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque)
 data->binary,
 data->username,
 data->noTTY,
+ data->noVerify,
 data->netcat,
 data->path,
 &csock) < 0)
@@ -503,6 +505,7 @@ mymain(void)
 .username = "fred",
 .netcat = "netcat",
 .noTTY = true,
+ .noVerify = false,
 .path = "/tmp/socket",
 .expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U /tmp/socket\n",
 };
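Review bot: `StrictHostKeyChecking=no` does more than the commit message and the new documentation state: OpenSSH's ssh_config(5) describes `no` as also letting a connection to a host whose recorded key has changed proceed (only some authentication methods are disabled), so the claim that existing host keys are still validated needs hedging. With `BatchMode=yes` from the `noTTY` branch above, which effectively means key-based authentication, a changed key would therefore be warned about rather than rejected. I would record that on the new branch, e.g. `/* no_verify: auto-accept unknown host keys; a changed key still connects with a warning */`, word the docs the same way, and, where the client's OpenSSH is recent enough to support it, prefer `StrictHostKeyChecking=accept-new`, which matches the documented intent exactly. The docs hunk also shows `no_verify` was previously listed for tls only, so an ssh URI that already carried it silently changes behaviour with this patch; that is worth a sentence in the documentation. virNetSocketNewConnectSSH starts before and ends after this hunk.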
@@ -510,20 +513,33 @@ mymain(void)
 ret = -1;
 struct testSSHData sshData3 = {
- .nodename = "nosuchhost",
+ .nodename = "somehost",
+ .service = "9000",
+ .username = "fred",
+ .netcat = "netcat",
+ .noTTY = false,
+ .noVerify = true,
 .path = "/tmp/socket",
- .failConnect = true,
+ .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n",
 };
 if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)
 ret = -1;
 struct testSSHData sshData4 = {
+ .nodename = "nosuchhost",
+ .path = "/tmp/socket",
+ .failConnect = true,
+ };
+ if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+ ret = -1;
+
+ struct testSSHData sshData5 = {
 .nodename = "crashyhost",
 .path = "/tmp/socket",
 .expectOut = "crashyhost nc -U /tmp/socket\n",
 .dieEarly = true,
 };
- if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+ if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData5) < 0)
 ret = -1;
 #endif
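Review bot: sshData3 exercises `noVerify` only with `noTTY = false`, so no test pins the relative order of the two option groups emitted by virNetSocketNewConnectSSH. A case with both flags set, expecting (following the branch order shown in virnetsocket.c) `"-p 9000 -l fred -T -o BatchMode=yes -e none -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n"`, would catch a future reordering of the noTTY and noVerify branches. Renumbering the nosuchhost and crashyhost cases to tests 4 and 5 is harmless, though appending the new case after the existing ones would have kept this hunk smaller and the old test names stable.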