From patchwork Fri Jul 26 14:09:54 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pino Toscano X-Patchwork-Id: 11061169 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A3D9813AC for ; Fri, 26 Jul 2019 14:10:33 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9007C28ADE for ; Fri, 26 Jul 2019 14:10:33 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8151928AE1; Fri, 26 Jul 2019 14:10:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id EC0B828AE7 for ; Fri, 26 Jul 2019 14:10:32 +0000 (UTC) Received: from localhost ([::1]:40400 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hr0vX-0005bu-V8 for patchwork-qemu-devel@patchwork.kernel.org; Fri, 26 Jul 2019 10:10:31 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:37307) by lists.gnu.org with esmtp (Exim 4.86_2) (envelope-from ) id 1hr0vA-0003zV-Kb for qemu-devel@nongnu.org; Fri, 26 Jul 2019 10:10:09 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1hr0v9-0007kr-7V for qemu-devel@nongnu.org; Fri, 26 Jul 2019 10:10:08 -0400 Received: from mx1.redhat.com ([209.132.183.28]:60290) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1hr0v6-0007gS-0w; Fri, 26 Jul 2019 10:10:04 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 4952C30BC590; Fri, 26 Jul 2019 14:10:03 +0000 (UTC) Received: from lindworm.usersys.redhat.com (unknown [10.43.2.5]) by smtp.corp.redhat.com (Postfix) with ESMTPS id BEA785C6E0; Fri, 26 Jul 2019 14:10:01 +0000 (UTC) From: Pino Toscano To: qemu-devel@nongnu.org, qemu-block@nongnu.org Date: Fri, 26 Jul 2019 16:09:54 +0200 Message-Id: <20190726140954.31921-3-ptoscano@redhat.com> In-Reply-To: <20190726140954.31921-1-ptoscano@redhat.com> References: <20190726140954.31921-1-ptoscano@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.49]); Fri, 26 Jul 2019 14:10:03 +0000 (UTC) X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 209.132.183.28 Subject: [Qemu-devel] [PATCH 2/2] ssh: implement private key authentication X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: kwolf@redhat.com, ptoscano@redhat.com, pkrempa@redhat.com, rjones@redhat.com, mreitz@redhat.com Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Add a 'private-key' option which represents the path of a private key to use for authentication, and 'private-key-secret' as the name of an object with its passphrase. Signed-off-by: Pino Toscano --- block/ssh.c | 98 ++++++++++++++++++++++++++++++++++++ block/trace-events | 1 + docs/qemu-block-drivers.texi | 12 ++++- qapi/block-core.json | 9 +++- 4 files changed, 117 insertions(+), 3 deletions(-) diff --git a/block/ssh.c b/block/ssh.c index 04ae223282..1b7c1f4108 100644 --- a/block/ssh.c +++ b/block/ssh.c @@ -500,6 +500,89 @@ static int check_host_key(BDRVSSHState *s, SshHostKeyCheck *hkc, Error **errp) return -EINVAL; } +static int authenticate_privkey(BDRVSSHState *s, BlockdevOptionsSsh *opts, + Error **errp) +{ + int err; + int ret; + char *pubkey_file = NULL; + ssh_key public_key = NULL; + ssh_key private_key = NULL; + char *passphrase; + + pubkey_file = g_strdup_printf("%s.pub", opts->private_key); + + /* load the private key */ + trace_ssh_auth_key_passphrase(opts->private_key_secret, opts->private_key); + passphrase = qcrypto_secret_lookup_as_utf8(opts->private_key_secret, errp); + if (!passphrase) { + err = SSH_AUTH_ERROR; + goto error; + } + ret = ssh_pki_import_privkey_file(opts->private_key, passphrase, + NULL, NULL, &private_key); + g_free(passphrase); + if (ret == SSH_EOF) { + error_setg(errp, "Cannot read private key '%s'", opts->private_key); + err = SSH_AUTH_ERROR; + goto error; + } else if (ret == SSH_ERROR) { + error_setg(errp, + "Cannot open private key '%s', maybe the passphrase is " + "wrong", + opts->private_key); + err = SSH_AUTH_ERROR; + goto error; + } + + /* try to open the public part of the private key */ + ret = ssh_pki_import_pubkey_file(pubkey_file, &public_key); + if (ret == SSH_ERROR) { + error_setg(errp, "Cannot read public key '%s'", pubkey_file); + err = SSH_AUTH_ERROR; + goto error; + } else if (ret == SSH_EOF) { + /* create the public key from the private key */ + ret = ssh_pki_export_privkey_to_pubkey(private_key, &public_key); + if (ret == SSH_ERROR) { + error_setg(errp, + "Cannot export the public key from the private key " + "'%s'", + opts->private_key); + err = SSH_AUTH_ERROR; + goto error; + } + } + + ret = ssh_userauth_try_publickey(s->session, NULL, public_key); + if (ret != SSH_AUTH_SUCCESS) { + err = SSH_AUTH_DENIED; + goto error; + } + + ret = ssh_userauth_publickey(s->session, NULL, private_key); + if (ret != SSH_AUTH_SUCCESS) { + err = SSH_AUTH_DENIED; + goto error; + } + + ssh_key_free(private_key); + ssh_key_free(public_key); + g_free(pubkey_file); + + return SSH_AUTH_SUCCESS; + + error: + if (private_key) { + ssh_key_free(private_key); + } + if (public_key) { + ssh_key_free(public_key); + } + g_free(pubkey_file); + return err; +} + static int authenticate(BDRVSSHState *s, BlockdevOptionsSsh *opts, Error **errp) { @@ -538,6 +621,21 @@ static int authenticate(BDRVSSHState *s, BlockdevOptionsSsh *opts, ret = 0; goto out; } + + /* + * Try to authenticate with private key, if available. + */ + if (opts->has_private_key && opts->has_private_key_secret) { + r = authenticate_privkey(s, opts, errp); + if (r == SSH_AUTH_ERROR) { + ret = -EINVAL; + goto out; + } else if (r == SSH_AUTH_SUCCESS) { + /* Authenticated! */ + ret = 0; + goto out; + } + } } /* diff --git a/block/trace-events b/block/trace-events index 391aae03e6..ccb51b9992 100644 --- a/block/trace-events +++ b/block/trace-events @@ -187,6 +187,7 @@ ssh_seek(int64_t offset) "seeking to offset=%" PRIi64 ssh_auth_methods(int methods) "auth methods=0x%x" ssh_server_status(int status) "server status=%d" ssh_option_secret_object(const char *path) "using password from object %s" +ssh_auth_key_passphrase(const char *path, const char *key) "using passphrase from object %s for private key %s" # curl.c curl_timer_cb(long timeout_ms) "timer callback timeout_ms %ld" diff --git a/docs/qemu-block-drivers.texi b/docs/qemu-block-drivers.texi index c77ef2dd69..5513bf261c 100644 --- a/docs/qemu-block-drivers.texi +++ b/docs/qemu-block-drivers.texi @@ -774,8 +774,16 @@ tools only use MD5 to print fingerprints). The optional @var{password-secret} parameter provides the ID of a @code{secret} object that contains the password for authenticating. -Currently authentication must be done using ssh-agent, or providing a -password. Other authentication methods may be supported in future. +The optional @var{private-key} parameter provides the path to the +private key for authenticating. + +The optional @var{private-key-secret} parameter provides the ID of a +@code{secret} object that contains the passphrase of the private key +specified as @var{private-key} for authenticating. + +Currently authentication must be done using ssh-agent, providing a +private key with its passphrase, or providing a password. +Other authentication methods may be supported in future. Note: Many ssh servers do not support an @code{fsync}-style operation. The ssh driver cannot guarantee that disk flush requests are diff --git a/qapi/block-core.json b/qapi/block-core.json index 1244562c7b..e873f8934d 100644 --- a/qapi/block-core.json +++ b/qapi/block-core.json @@ -3226,6 +3226,11 @@ # @password-secret: ID of a QCryptoSecret object providing a password # for authentication (since 4.2) # +# @private-key: path to the private key (since 4.2) +# +# @private-key-secret: ID of a QCryptoSecret object providing the passphrase +# for 'private-key' (since 4.2) +# # Since: 2.9 ## { 'struct': 'BlockdevOptionsSsh', @@ -3233,7 +3238,9 @@ 'path': 'str', '*user': 'str', '*host-key-check': 'SshHostKeyCheck', - '*password-secret': 'str' } } + '*password-secret': 'str', + '*private-key': 'str', + '*private-key-secret': 'str' } } ##