Re: [Qemu-devel] [PATCH 0/2] ssh: add password and privkey auth methods

From: Daniel P. Berrangé
Date: Fri, 26 Jul 2019 16:43:46 +0100
User-agent: Mutt/1.12.0 (2019-05-25)

On Fri, Jul 26, 2019 at 04:35:27PM +0100, Richard W.M. Jones wrote:
> On Fri, Jul 26, 2019 at 10:06:43AM -0500, Eric Blake wrote:
> > On 7/26/19 9:45 AM, Pino Toscano wrote:
> > > On Friday, 26 July 2019 16:27:11 CEST Richard W.M. Jones wrote:
> > >> On Fri, Jul 26, 2019 at 04:09:52PM +0200, Pino Toscano wrote:
> > >>> These two patches add the password and private key authentication
> > >>> methods to the ssh block driver, using secure objects for
> > >>> passwords/passphrases.
> > >>
> > >> I was attempting to test this but couldn't work out the full command
> > >> line to use it (with qemu-img). I got as far as:
> > >>
> > >> $ ./qemu-img convert -p 'json:{ "file.driver": "ssh", "file.host":
> > >> "devr7", "file.path": "/var/tmp/root", "file.password-secret": "..." }'
> > >> /var/tmp/root
> > >>
> > >> I guess the secret should be specified using --object, but at that
> > >> point I gave up.
> > >
> > > Almost there :) add e.g.
> > > --object 'secret,id=sec0,file=passwd'
> > > as parameter for the convert command (so after it, not before), and then
> > > set 'sec0' as value for file.password-secret. Of course 'sec0' is
> > > arbitrary, any other QEMU id will do.
> > >
> > > A long helpful comment in include/crypto/secret.h explains the basics
> > > of the crypto objects.
> >
> > That is useful information, but even more useful if you amend the commit
> > message to include a working example command line rather than making
> > readers chase down the docs :)
> >
> > Untested, but piecing together what I know from my work on qemu-nbd
> > encryption, it seems like this should be a starting point for such a
> > command:
> >
> > qemu-img convert -p --imageopts --object secret,id=sec0,file=passwd \
> > driver=ssh,host=devr7,path=/var/tmp/root,password-secret=sec0 \
> > /var/tmp/copy
>
> --imageopts isn't necessary. This was the command that worked for me:
>
> unset SSH_AUTH_SOCK; ./qemu-img convert -p --object
> 'secret,id=sec0,file=/tmp/passwd' 'json:{ "file.driver": "ssh", "file.host":
> "devr7", "file.path": "/var/tmp/root", "file.password-secret": "sec0" }'
> /var/tmp/root

Right, you didn't need --imageopts because you used the json filename
syntax.

--imageopts is for telling it to interpret the filename as key,value pairs
as in Eric's example.

json & imageopts syntaxes are equally expressive, so pick which you
prefer.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
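
The equivalence of the two syntaxes discussed in this thread, as an added example that is not part of the original messages or of QEMU: it rewrites a `json:` filename into the key=value string that `--imageopts` expects, and builds the `--object secret,...` argument from a file. The function names are hypothetical, the handling of nested objects, lists, booleans and commas goes beyond the flat case shown in the thread, and the check that rejects a group- or world-accessible secret file is a policy assumed here, not something qemu-img enforces.

```python
import json
import os
import stat

def _flatten(value, prefix=""):
    """Yield (dotted_key, scalar) pairs, the way QEMU flattens nested options."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _flatten(sub, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for index, sub in enumerate(value):
            yield from _flatten(sub, f"{prefix}.{index}" if prefix else str(index))
    else:
        yield prefix, value

def json_to_imageopts(pseudo_filename):
    """Turn a 'json:{...}' filename into the key=value string for --imageopts."""
    if not pseudo_filename.startswith("json:"):
        raise ValueError("expected a json: pseudo-filename")
    parts = []
    for key, value in _flatten(json.loads(pseudo_filename[len("json:"):])):
        if isinstance(value, bool):
            value = "on" if value else "off"
        # A literal comma inside a value is written as ',,' in key=value syntax.
        parts.append(f"{key}={str(value).replace(',', ',,')}")
    return ",".join(parts)

def secret_object(secret_id, path):
    """Build the --object argument, refusing a secret file others can access.

    Assumed policy (not enforced by qemu-img): owner-only permissions.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} has mode {mode:o}; restrict it to the owner")
    return f"secret,id={secret_id},file={path.replace(',', ',,')}"

# Constructed input: the json: filename from the working command in the thread.
JSON_NAME = ('json:{ "file.driver": "ssh", "file.host": "devr7", '
             '"file.path": "/var/tmp/root", "file.password-secret": "sec0" }')

if __name__ == "__main__":
    print(json_to_imageopts(JSON_NAME))
```

The printed string is what would follow `--imageopts` in place of the `json:` filename; the password itself stays in the file referenced by the secret object and never appears on the command line.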