Date: Tue, 9 Apr 2013 08:30:44 +0100
From: "Richard W.M. Jones"
Message-ID: <20130409073044.GG1461@rhmail.home.annexia.org>
References: <1364399849-5518-1-git-send-email-rjones@redhat.com>
 <1364399849-5518-2-git-send-email-rjones@redhat.com>
 <20130328104732.GA15114@stefanha-thinkpad.redhat.com>
 <20130403221430.GA1464@rhmail.home.annexia.org>
 <20130408113728.GD12852@stefanha-thinkpad.redhat.com>
 <20130408130506.GD1461@rhmail.home.annexia.org>
Subject: Re: [Qemu-devel] [PATCH v4] block: Add support for Secure Shell (ssh) block device.
To: Stefan Hajnoczi
Cc: qemu-devel

On Mon, Apr 08, 2013 at 10:21:44PM +0200, Stefan Hajnoczi wrote:
> On Mon, Apr 8, 2013 at 4:58 PM, Stefan Hajnoczi wrote:
> > On Mon, Apr 8, 2013 at 3:05 PM, Richard W.M. Jones wrote:
> > From what I can see libssh2 does not support loading .ssh/config.
>
> I was told that sshfs *does* handle .ssh/config. Turns out that sshfs
> spawns "ssh -s sftp" to get a SFTP subsystem channel. Then it
> directly implements the SFTP application protocol.
>
> This way they don't need to link against libssh2. They spawn ssh with
> a socketpair on stdin/stdout. They send/receive SFTP messages
> directly.
Indeed, as I mentioned in an earlier message, sshfs implements the
complete SFTP stack itself and uses an external ssh process. It's up
to 5 times as much code to do so:

  sshfs-fuse-2.4$ wc -l *.c
     589 cache.c
    3930 sshfs.c
      18 sshnodelay.c
    4537 total

  qemu/block$ wc -l ssh.c
  914 ssh.c

I don't think having an entire SFTP stack inside qemu would help.

> I just hit a libssh2 limitation. In my .ssh/config I have:
> NoHostAuthenticationForLocalhost yes
>
> This stops ssh from complaining when I hop to another host through an
> ssh tunnel (the host key wouldn't match localhost).

I'm using the ssh configuration attached for tunnelling through
another host. It doesn't require toggling
'NoHostAuthenticationForLocalhost', and so is safer because it still
does host key checking.

I think a better and simpler way to solve this is simply to allow URLs
like:

  ssh://localhost/path?host_key_check=no

which is the same as NoHostAuthenticationForLocalhost (ie don't do any
host checking on this connection). Even better would be to let people
specify the key:

  ssh://localhost/path?host_key_check=aa:bb:cc:dd:ee:ff

This means that management applications can parse .ssh/config if they
feel like doing that.

Rich.

----------------------------------------------------------------------
My ssh tunnelling configuration:

Host tunnelled-host
  PreferredAuthentications publickey,keyboard-interactive,password
  ProxyCommand ssh -T -o ForwardAgent=yes proxy nc %h %p

Host proxy
  HostName proxy.example.com

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
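One way the host_key_check URL parameter proposed above could be enforced, as an added example in C that is not part of the QEMU patch or of this thread: absent means the key must already be in known_hosts, "no" disables the check, and a colon-separated hex value pins the expected fingerprint, with malformed values failing closed. The function names, the 64-byte fingerprint cap and the in_known_hosts flag standing in for a real known_hosts lookup are assumptions.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Policy values from the proposed ssh:// URL syntax: no parameter means the
 * host key must be in known_hosts; "no" skips the check (the equivalent of
 * NoHostAuthenticationForLocalhost); "aa:bb:..." pins the expected key. */

/* Parse colon-separated hex bytes ending at '&' or NUL into out[0..cap).
 * Returns the byte count, or 0 on malformed input so the caller fails closed. */
static size_t parse_fingerprint(const char *v, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*v && *v != '&') {
        if (n == cap || !isxdigit((unsigned char)v[0]) ||
            !isxdigit((unsigned char)v[1]))
            return 0;
        char hex[3] = { v[0], v[1], '\0' };
        out[n++] = (unsigned char)strtoul(hex, NULL, 16);
        v += 2;
        if (*v == ':')
            v++;
        else if (*v && *v != '&')
            return 0;
    }
    return n;
}

/* Decide whether a server presenting fingerprint `seen` may be used for the
 * given URL. Returns 1 to accept, 0 to reject (including malformed values). */
int host_key_accept(const char *url, const unsigned char *seen, size_t seen_len,
                    int in_known_hosts)
{
    unsigned char want[64], diff = 0;   /* 64-byte cap is an assumption */
    size_t want_len, i;
    const char *v = strchr(url, '?');
    if (v && (v = strstr(v, "host_key_check=")) != NULL) {
        v += strlen("host_key_check=");
        if (strncmp(v, "no", 2) == 0 && (v[2] == '\0' || v[2] == '&'))
            return 1;                   /* explicitly disabled by the URL */
        want_len = parse_fingerprint(v, want, sizeof(want));
        if (want_len == 0 || want_len != seen_len)
            return 0;
        for (i = 0; i < seen_len; i++)  /* constant-time comparison */
            diff |= seen[i] ^ want[i];
        return diff == 0;
    }
    return in_known_hosts ? 1 : 0;      /* default: rely on known_hosts */
}
```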