[0/2] ssh: add password and privkey auth methods

Message ID 20190726140954.31921-1-ptoscano@redhat.com (mailing list archive)

Message

Pino Toscano July 26, 2019, 2:09 p.m. UTC
These two patches add the password and private key authentication
methods to the ssh block driver, using secure objects for
passwords/passphrases.

Pino Toscano (2):
  ssh: implement password authentication
  ssh: implement private key authentication

 block/ssh.c                  | 133 ++++++++++++++++++++++++++++++++++-
 block/trace-events           |   2 +
 docs/qemu-block-drivers.texi |  15 +++-
 qapi/block-core.json         |  13 +++-
 tests/qemu-iotests/207.out   |   2 +-
 5 files changed, 158 insertions(+), 7 deletions(-)

Comments

Richard W.M. Jones July 26, 2019, 2:27 p.m. UTC | #1
On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> These two patches add the password and private key authentication
> methods to the ssh block driver, using secure objects for
> passwords/passphrases.

I was attempting to test this but couldn't work out the full command
line to use it (with qemu-img).  I got as far as:

$ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root

I guess the secret should be specified using --object, but at that
point I gave up.

Could do with documentation, even if merely in the commit message or a
blog post.

Rich.
Pino Toscano July 26, 2019, 2:45 p.m. UTC | #2
On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > These two patches add the password and private key authentication
> > methods to the ssh block driver, using secure objects for
> > passwords/passphrases.
> 
> I was attempting to test this but couldn't work out the full command
> line to use it (with qemu-img).  I got as far as:
> 
> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> 
> I guess the secret should be specified using --object, but at that
> point I gave up.

Almost there :) add e.g.
  --object 'secret,id=sec0,file=passwd'
as parameter for the convert command (so after it, not before), and then
set 'sec0' as value for file.password-secret.  Of course 'sec0' is
arbitrary, any other QEMU id will do.

A long helpful comment in include/crypto/secret.h explains the basics
of the crypto objects.
Richard W.M. Jones July 26, 2019, 2:50 p.m. UTC | #3
On Fri, Jul 26, 2019 at 04:45:03PM +0200, Pino Toscano wrote:
> On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> > On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > > These two patches add the password and private key authentication
> > > methods to the ssh block driver, using secure objects for
> > > passwords/passphrases.
> > 
> > I was attempting to test this but couldn't work out the full command
> > line to use it (with qemu-img).  I got as far as:
> > 
> > $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> > 
> > I guess the secret should be specified using --object, but at that
> > point I gave up.
> 
> Almost there :) add e.g.
>   --object 'secret,id=sec0,file=passwd'
> as parameter for the convert command (so after it, not before), and then
> set 'sec0' as value for file.password-secret.  Of course 'sec0' is
> arbitrary, any other QEMU id will do.
> 
> A long helpful comment in include/crypto/secret.h explains the basics
> of the crypto objects.

OK, the password part of this patch does work, so:

Tested-by: Richard W.M. Jones <rjones@redhat.com>

Rich.
Eric Blake July 26, 2019, 3:06 p.m. UTC | #4
On 7/26/19 9:45 AM, Pino Toscano wrote:
> On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
>> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
>>> These two patches add the password and private key authentication
>>> methods to the ssh block driver, using secure objects for
>>> passwords/passphrases.
>>
>> I was attempting to test this but couldn't work out the full command
>> line to use it (with qemu-img).  I got as far as:
>>
>> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
>>
>> I guess the secret should be specified using --object, but at that
>> point I gave up.
> 
> Almost there :) add e.g.
>   --object 'secret,id=sec0,file=passwd'
> as parameter for the convert command (so after it, not before), and then
> set 'sec0' as value for file.password-secret.  Of course 'sec0' is
> arbitrary, any other QEMU id will do.
> 
> A long helpful comment in include/crypto/secret.h explains the basics
> of the crypto objects.

That is useful information, but even more useful if you amend the commit
message to include a working example command line rather than making
readers chase down the docs :)

Untested, but piecing together what I know from my work on qemu-nbd
encryption, it seems like this should be a starting point for such a
command:

qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
  driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
  /var/tmp/copy
Richard W.M. Jones July 26, 2019, 3:35 p.m. UTC | #5
On Fri, Jul 26, 2019 at 10:06:43AM -0500, Eric Blake wrote:
> On 7/26/19 9:45 AM, Pino Toscano wrote:
> > On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> >> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> >>> These two patches add the password and private key authentication
> >>> methods to the ssh block driver, using secure objects for
> >>> passwords/passphrases.
> >>
> >> I was attempting to test this but couldn't work out the full command
> >> line to use it (with qemu-img).  I got as far as:
> >>
> >> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> >>
> >> I guess the secret should be specified using --object, but at that
> >> point I gave up.
> > 
> > Almost there :) add e.g.
> >   --object 'secret,id=sec0,file=passwd'
> > as parameter for the convert command (so after it, not before), and then
> > set 'sec0' as value for file.password-secret.  Of course 'sec0' is
> > arbitrary, any other QEMU id will do.
> > 
> > A long helpful comment in include/crypto/secret.h explains the basics
> > of the crypto objects.
> 
> That is useful information, but even more useful if you amend the commit
> message to include a working example command line rather than making
> readers chase down the docs :)
> 
> Untested, but piecing together what I know from my work on qemu-nbd
> encryption, it seems like this should be a starting point for such a
> command:
> 
> qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
>   driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
>   /var/tmp/copy

--imageopts isn't necessary.  This was the command that worked for me:

unset SSH_AUTH_SOCK; ./qemu-img convert -p --object 'secret,id=sec0,file=/tmp/passwd' 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "sec0" }' /var/tmp/root

Rich.
Daniel P. Berrangé July 26, 2019, 3:43 p.m. UTC | #6
On Fri, Jul 26, 2019 at 04:35:27PM +0100, Richard W.M. Jones wrote:
> On Fri, Jul 26, 2019 at 10:06:43AM -0500, Eric Blake wrote:
> > On 7/26/19 9:45 AM, Pino Toscano wrote:
> > > On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> > >> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > >>> These two patches add the password and private key authentication
> > >>> methods to the ssh block driver, using secure objects for
> > >>> passwords/passphrases.
> > >>
> > >> I was attempting to test this but couldn't work out the full command
> > >> line to use it (with qemu-img).  I got as far as:
> > >>
> > >> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }' /var/tmp/root
> > >>
> > >> I guess the secret should be specified using --object, but at that
> > >> point I gave up.
> > > 
> > > Almost there :) add e.g.
> > >   --object 'secret,id=sec0,file=passwd'
> > > as parameter for the convert command (so after it, not before), and then
> > > set 'sec0' as value for file.password-secret.  Of course 'sec0' is
> > > arbitrary, any other QEMU id will do.
> > > 
> > > A long helpful comment in include/crypto/secret.h explains the basics
> > > of the crypto objects.
> > 
> > That is useful information, but even more useful if you amend the commit
> > message to include a working example command line rather than making
> > readers chase down the docs :)
> > 
> > Untested, but piecing together what I know from my work on qemu-nbd
> > encryption, it seems like this should be a starting point for such a
> > command:
> > 
> > qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
> >   driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
> >   /var/tmp/copy
> 
> --imageopts isn't necessary.  This was the command that worked for me:
> 
> unset SSH_AUTH_SOCK; ./qemu-img convert -p --object 'secret,id=sec0,file=/tmp/passwd' 'json:{ "file.driver": "ssh", "file.host": "devr7", "file.path": "/var/tmp/root", "file.password-secret": "sec0" }' /var/tmp/root

Right, you didn't need --imageopts because you used the json filename
syntax.

--imageopts is for telling it to interpret the filename as key,value pairs
as in Eric's example.

json & imageopts syntaxes are equally expressive, so pick which you
prefer.

Regards,
Daniel
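
The invocation worked out in this thread, wrapped as an added shell example that is not part of the patches or of any poster's message. The function names and the `QEMU_IMG` override are hypothetical; it assumes QEMU takes the secret file's bytes verbatim (so a trailing newline would become part of the password) and that a literal comma in an `--object` value is written doubled.

```shell
#!/bin/sh
# Added example; function names and the QEMU_IMG override are hypothetical.

# Store the password (first line of stdin) in an owner-only file with no
# trailing newline. Assumption: QEMU uses the file's bytes verbatim.
write_secret_file() {   # $1 = secret file path
    (
        umask 077
        rm -f -- "$1"                      # never reuse a file with looser modes
        IFS= read -r pw || [ -n "$pw" ] || exit 1
        printf '%s' "$pw" > "$1"
    )
}

# The json: pseudo-filename from the thread. Host, path and id are assumed
# to contain no double quotes or backslashes (no JSON escaping is done).
ssh_json_filename() {   # $1 = host, $2 = remote path, $3 = secret id
    printf 'json:{ "file.driver": "ssh", "file.host": "%s", "file.path": "%s", "file.password-secret": "%s" }' \
        "$1" "$2" "$3"
}

# Run the conversion the way the tested command in the thread does:
# SSH_AUTH_SOCK unset, secret passed by id, password never on the argv.
convert_over_ssh() {    # $1 = id, $2 = secret file, $3 = host, $4 = remote path, $5 = output
    # A literal comma in an --object value must be doubled.
    secret_file=$(printf '%s' "$2" | sed 's/,/,,/g')
    (
        unset SSH_AUTH_SOCK
        "${QEMU_IMG:-qemu-img}" convert -p \
            --object "secret,id=$1,file=$secret_file" \
            "$(ssh_json_filename "$3" "$4" "$1")" "$5"
    )
}

# Dry run with constructed values: QEMU_IMG=echo prints the arguments
# instead of starting qemu-img.
demo_dir=$(mktemp -d)
printf 'example-password\n' | write_secret_file "$demo_dir/passwd"
( QEMU_IMG=echo; convert_over_ssh sec0 "$demo_dir/passwd" devr7 /var/tmp/root /var/tmp/copy )
rm -rf "$demo_dir"
```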