From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([208.118.235.92]:32843)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1UPZZn-0004J7-AS
	for qemu-devel@nongnu.org; Tue, 09 Apr 2013 10:31:15 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1UPZZm-0008HZ-6X
	for qemu-devel@nongnu.org; Tue, 09 Apr 2013 10:31:11 -0400
Received: from mx1.redhat.com ([209.132.183.28]:1123)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <rjones@redhat.com>) id 1UPZZl-0008HE-VP
	for qemu-devel@nongnu.org; Tue, 09 Apr 2013 10:31:10 -0400
Received: from int-mx02.intmail.prod.int.phx2.redhat.com
	(int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
	by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id r39EV9ri001211
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <qemu-devel@nongnu.org>; Tue, 9 Apr 2013 10:31:09 -0400
Received: from choo.home.annexia.org (vpn1-7-80.ams2.redhat.com [10.36.7.80])
	by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with
	ESMTP id r39EV7pM015410
	for <qemu-devel@nongnu.org>; Tue, 9 Apr 2013 10:31:08 -0400
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue,  9 Apr 2013 15:30:52 +0100
Message-Id: <1365517855-16906-1-git-send-email-rjones@redhat.com>
Subject: [Qemu-devel] [PATCH v9 1/3] block: Add support for Secure Shell
	(ssh) block device.
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: qemu-devel@nongnu.org

Changes since v8:

- Implement the suggestions of Stefan Hajnoczi.

- Add host_key_check parameter, which you can use like this:

  ssh://[...]?host_key_check=no     # skip the check entirely
  ssh://[...]?host_key_check=yes    # the default, uses known_hosts

  # or check for a specific host key fingerprint:
  ssh://[...]?host_key_check=md5:<usual SSH host key fingerprint>
  ssh://[...]?host_key_check=sha1:<SHA1 fingerprint>

Note that I cannot persuade OpenSSH to display the SHA1 fingerprint of
a host key, so sha1: is not tested.

A possible extension to this would be to check for the exact key (not
the fingerprint, which is just a hash of the key), although in this
case the URI would be very long indeed, possibly longer than URIs are
supposed to be in some cases.

Rich.