From: "Richard W.M. Jones" <rjones@redhat.com>
To: Stefan Hajnoczi <stefanha@gmail.com>
Cc: qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH v4] block: Add support for Secure Shell (ssh) block device.
Date: Tue, 9 Apr 2013 08:30:44 +0100
Message-ID: <20130409073044.GG1461@rhmail.home.annexia.org>
In-Reply-To: <CAJSP0QW=+DyxegNaCLHuXeZM-+0kz70rLe-gte58hAG+kOFzOw@mail.gmail.com>
On Mon, Apr 08, 2013 at 10:21:44PM +0200, Stefan Hajnoczi wrote:
> On Mon, Apr 8, 2013 at 4:58 PM, Stefan Hajnoczi <stefanha@gmail.com> wrote:
> > On Mon, Apr 8, 2013 at 3:05 PM, Richard W.M. Jones <rjones@redhat.com> wrote:
> > From what I can see libssh2 does not support loading .ssh/config.
>
> I was told that sshfs *does* handle .ssh/config. Turns out that sshfs
> spawns "ssh -s sftp" to get a SFTP subsystem channel. Then it
> directly implements the SFTP application protocol.
>
> This way they don't need to link against libssh2. They spawn ssh with
> a socketpair on stdin/stdout. They send/receive SFTP messages
> directly.
Indeed, as I mentioned in an earlier message, sshfs implements the
complete SFTP stack itself and uses an external ssh process.
It's up to 5 times as much code to do so:
sshfs-fuse-2.4$ wc -l *.c
589 cache.c
3930 sshfs.c
18 sshnodelay.c
4537 total
qemu/block$ wc -l ssh.c
914 ssh.c
I don't think having an entire SFTP stack inside qemu would help.
> I just hit a libssh2 limitation. In my .ssh/config I have:
> NoHostAuthenticationForLocalhost yes
>
> This stops ssh from complaining when I hop to another host through an
> ssh tunnel (the host key wouldn't match localhost).
I'm using the ssh configuration attached for tunnelling through
another host. It doesn't require toggling
'NoHostAuthenticationForLocalhost', and so is safer because it still
does host key checking.
I think a better and simpler way to solve this is simply to allow URLs
like:
ssh://localhost/path?host_key_check=no
which is the same as NoHostAuthenticationForLocalhost (i.e. don't do any
host checking on this connection).
Even better would be to let people specify the key:
ssh://localhost/path?host_key_check=aa:bb:cc:dd:ee:ff
This means that management applications can parse .ssh/config if they
feel like doing that.
Rich.
----------------------------------------------------------------------
My ssh tunnelling configuration:
Host tunnelled-host
PreferredAuthentications publickey,keyboard-interactive,password
ProxyCommand ssh -T -o ForwardAgent=yes proxy nc %h %p
Host proxy
HostName proxy.example.com
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
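The host_key_check URL parameter proposed above, worked through as an added example that is not QEMU's code and not part of this thread: a hypothetical parser that keeps the known_hosts check as the default when the parameter is absent, treats "no" as the explicit opt-out, and otherwise normalises the given hex fingerprint and compares it with the server key's fingerprint. The function names, the struct and the fixed-width fingerprint buffer are assumptions of this example.

```c
/* Hypothetical host-key policy handling for an ssh:// URL parameter.
 * Not QEMU's implementation; written to illustrate the proposal. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

enum hk_policy { HK_KNOWN_HOSTS, HK_NONE, HK_FINGERPRINT, HK_INVALID };

struct hk_check {
    enum hk_policy policy;
    char fp[64];   /* expected fingerprint: lower-case hex, colons removed */
};

/* Normalise "aa:BB:cc" or "aabbcc" into lower-case hex without separators.
 * Returns 0 on success, -1 on a non-hex character, odd digit count or overflow. */
static int normalise_fp(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        if (*in == ':') continue;
        if (!isxdigit((unsigned char)*in) || n + 1 >= outlen) return -1;
        out[n++] = (char)tolower((unsigned char)*in);
    }
    out[n] = '\0';
    return (n > 0 && n % 2 == 0) ? 0 : -1;   /* whole bytes only */
}

/* Parse the host_key_check value (NULL when the parameter is absent).
 * Absent -> known_hosts check (safe default); "no" -> no check at all;
 * anything else must be a hex fingerprint, otherwise the URL is rejected. */
struct hk_check parse_host_key_check(const char *value)
{
    struct hk_check c = { HK_INVALID, "" };
    if (value == NULL) { c.policy = HK_KNOWN_HOSTS; return c; }
    if (strcmp(value, "no") == 0) { c.policy = HK_NONE; return c; }
    if (normalise_fp(value, c.fp, sizeof c.fp) == 0) c.policy = HK_FINGERPRINT;
    return c;
}

/* Accept or refuse the server key. server_fp is the fingerprint of the key the
 * server presented; known_fp is the fingerprint recorded for this host in
 * known_hosts, or NULL when the host is unknown. Returns 1 to accept. */
int host_key_accepted(const struct hk_check *c, const char *server_fp, const char *known_fp)
{
    char srv[64], known[64];
    if (normalise_fp(server_fp, srv, sizeof srv) != 0) return 0;
    switch (c->policy) {
    case HK_NONE:        return 1;                       /* explicit opt-out */
    case HK_FINGERPRINT: return strcmp(srv, c->fp) == 0;  /* pinned in the URL */
    case HK_KNOWN_HOSTS: return known_fp != NULL &&
                                normalise_fp(known_fp, known, sizeof known) == 0 &&
                                strcmp(srv, known) == 0;  /* unknown host: refuse */
    default:             return 0;                       /* HK_INVALID */
    }
}
```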