From: Kevin Wolf <kwolf@redhat.com>
To: qemu-block@nongnu.org
Cc: kwolf@redhat.com, mreitz@redhat.com, pkrempa@redhat.com,
eblake@redhat.com, jcody@redhat.com, jdurgin@redhat.com,
mitake.hitoshi@lab.ntt.co.jp, namei.unix@gmail.com,
qemu-devel@nongnu.org
Subject: [Qemu-devel] [PATCH v3 30/36] ssh: QAPIfy host-key-check option
Date: Fri, 23 Feb 2018 20:25:43 +0100 [thread overview]
Message-ID: <20180223192549.26666-31-kwolf@redhat.com> (raw)
In-Reply-To: <20180223192549.26666-1-kwolf@redhat.com>
This makes the host-key-check option available in blockdev-add.
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
---
qapi/block-core.json | 63 +++++++++++++++++++++++++++++++++++--
block/ssh.c | 88 +++++++++++++++++++++++++++++++++-------------------
2 files changed, 117 insertions(+), 34 deletions(-)
diff --git a/qapi/block-core.json b/qapi/block-core.json
index f7679fce53..431d4a4fb2 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -2553,6 +2553,63 @@
'*encrypt': 'BlockdevQcow2Encryption' } }
##
+# @SshHostKeyCheckMode:
+#
+# @none Don't check the host key at all
+# @hash Compare the host key with a given hash
+# @known_hosts Check the host key against the known_hosts file
+#
+# Since: 2.12
+##
+{ 'enum': 'SshHostKeyCheckMode',
+ 'data': [ 'none', 'hash', 'known_hosts' ] }
+
+##
+# @SshHostKeyCheckHashType:
+#
+# @md5 The given hash is an md5 hash
+# @sha1 The given hash is an sha1 hash
+#
+# Since: 2.12
+##
+{ 'enum': 'SshHostKeyCheckHashType',
+ 'data': [ 'md5', 'sha1' ] }
+
+##
+# @SshHostKeyHash:
+#
+# @type The hash algorithm used for the hash
+# @hash The expected hash value
+#
+# Since: 2.12
+##
+{ 'struct': 'SshHostKeyHash',
+ 'data': { 'type': 'SshHostKeyCheckHashType',
+ 'hash': 'str' }}
+
+##
+# @SshHostKeyDummy:
+#
+# For those union branches that don't need additional fields.
+#
+# Since: 2.12
+##
+{ 'struct': 'SshHostKeyDummy',
+ 'data': {} }
+
+##
+# @SshHostKeyCheck:
+#
+# Since: 2.12
+##
+{ 'union': 'SshHostKeyCheck',
+ 'base': { 'mode': 'SshHostKeyCheckMode' },
+ 'discriminator': 'mode',
+ 'data': { 'none': 'SshHostKeyDummy',
+ 'hash': 'SshHostKeyHash',
+ 'known_hosts': 'SshHostKeyDummy' } }
+
+##
# @BlockdevOptionsSsh:
#
# @server: host address
@@ -2562,14 +2619,16 @@
# @user: user as which to connect, defaults to current
# local user name
#
-# TODO: Expose the host_key_check option in QMP
+# @host-key-check: Defines how and what to check the host key against
+# (default: known_hosts)
#
# Since: 2.9
##
{ 'struct': 'BlockdevOptionsSsh',
'data': { 'server': 'InetSocketAddress',
'path': 'str',
- '*user': 'str' } }
+ '*user': 'str',
+ '*host-key-check': 'SshHostKeyCheck' } }
##
diff --git a/block/ssh.c b/block/ssh.c
index 9a89b7f350..dcf766c213 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -430,31 +430,35 @@ check_host_key_hash(BDRVSSHState *s, const char *hash,
}
static int check_host_key(BDRVSSHState *s, const char *host, int port,
- const char *host_key_check, Error **errp)
+ SshHostKeyCheck *hkc, Error **errp)
{
- /* host_key_check=no */
- if (strcmp(host_key_check, "no") == 0) {
- return 0;
- }
+ SshHostKeyCheckMode mode;
- /* host_key_check=md5:xx:yy:zz:... */
- if (strncmp(host_key_check, "md5:", 4) == 0) {
- return check_host_key_hash(s, &host_key_check[4],
- LIBSSH2_HOSTKEY_HASH_MD5, 16, errp);
- }
-
- /* host_key_check=sha1:xx:yy:zz:... */
- if (strncmp(host_key_check, "sha1:", 5) == 0) {
- return check_host_key_hash(s, &host_key_check[5],
- LIBSSH2_HOSTKEY_HASH_SHA1, 20, errp);
+ if (hkc) {
+ mode = hkc->mode;
+ } else {
+ mode = SSH_HOST_KEY_CHECK_MODE_KNOWN_HOSTS;
}
- /* host_key_check=yes */
- if (strcmp(host_key_check, "yes") == 0) {
+ switch (mode) {
+ case SSH_HOST_KEY_CHECK_MODE_NONE:
+ return 0;
+ case SSH_HOST_KEY_CHECK_MODE_HASH:
+ if (hkc->u.hash.type == SSH_HOST_KEY_CHECK_HASH_TYPE_MD5) {
+ return check_host_key_hash(s, hkc->u.hash.hash,
+ LIBSSH2_HOSTKEY_HASH_MD5, 16, errp);
+ } else if (hkc->u.hash.type == SSH_HOST_KEY_CHECK_HASH_TYPE_SHA1) {
+ return check_host_key_hash(s, hkc->u.hash.hash,
+ LIBSSH2_HOSTKEY_HASH_SHA1, 20, errp);
+ }
+ g_assert_not_reached();
+ break;
+ case SSH_HOST_KEY_CHECK_MODE_KNOWN_HOSTS:
return check_host_key_knownhosts(s, host, port, errp);
+ default:
+ g_assert_not_reached();
}
- error_setg(errp, "unknown host_key_check setting (%s)", host_key_check);
return -EINVAL;
}
@@ -543,16 +547,22 @@ static QemuOptsList ssh_runtime_opts = {
.type = QEMU_OPT_NUMBER,
.help = "Port to connect to",
},
+ {
+ .name = "host_key_check",
+ .type = QEMU_OPT_STRING,
+ .help = "Defines how and what to check the host key against",
+ },
{ /* end of list */ }
},
};
-static bool ssh_process_legacy_socket_options(QDict *output_opts,
- QemuOpts *legacy_opts,
- Error **errp)
+static bool ssh_process_legacy_options(QDict *output_opts,
+ QemuOpts *legacy_opts,
+ Error **errp)
{
const char *host = qemu_opt_get(legacy_opts, "host");
const char *port = qemu_opt_get(legacy_opts, "port");
+ const char *host_key_check = qemu_opt_get(legacy_opts, "host_key_check");
if (!host && port) {
error_setg(errp, "port may not be used without host");
@@ -564,6 +574,28 @@ static bool ssh_process_legacy_socket_options(QDict *output_opts,
qdict_put_str(output_opts, "server.port", port ?: stringify(22));
}
+ if (host_key_check) {
+ if (strcmp(host_key_check, "no") == 0) {
+ qdict_put_str(output_opts, "host-key-check.mode", "none");
+ } else if (strncmp(host_key_check, "md5:", 4) == 0) {
+ qdict_put_str(output_opts, "host-key-check.mode", "hash");
+ qdict_put_str(output_opts, "host-key-check.type", "md5");
+ qdict_put_str(output_opts, "host-key-check.hash",
+ &host_key_check[4]);
+ } else if (strncmp(host_key_check, "sha1:", 5) == 0) {
+ qdict_put_str(output_opts, "host-key-check.mode", "hash");
+ qdict_put_str(output_opts, "host-key-check.type", "sha1");
+ qdict_put_str(output_opts, "host-key-check.hash",
+ &host_key_check[5]);
+ } else if (strcmp(host_key_check, "yes") == 0) {
+ qdict_put_str(output_opts, "host-key-check.mode", "known_hosts");
+ } else {
+ error_setg(errp, "unknown host_key_check setting (%s)",
+ host_key_check);
+ return false;
+ }
+ }
+
return true;
}
@@ -584,7 +616,7 @@ static BlockdevOptionsSsh *ssh_parse_options(QDict *options, Error **errp)
goto fail;
}
- if (!ssh_process_legacy_socket_options(options, opts, errp)) {
+ if (!ssh_process_legacy_options(options, opts, errp)) {
goto fail;
}
@@ -628,16 +660,9 @@ static int connect_to_ssh(BDRVSSHState *s, QDict *options,
{
BlockdevOptionsSsh *opts;
int r, ret;
- const char *user, *host_key_check;
+ const char *user;
long port = 0;
- host_key_check = qdict_get_try_str(options, "host_key_check");
- if (!host_key_check) {
- host_key_check = "yes";
- } else {
- qdict_del(options, "host_key_check");
- }
-
opts = ssh_parse_options(options, errp);
if (opts == NULL) {
return -EINVAL;
@@ -691,8 +716,7 @@ static int connect_to_ssh(BDRVSSHState *s, QDict *options,
}
/* Check the remote host's key against known_hosts. */
- ret = check_host_key(s, s->inet->host, port, host_key_check,
- errp);
+ ret = check_host_key(s, s->inet->host, port, opts->host_key_check, errp);
if (ret < 0) {
goto err;
}
--
2.13.6
next prev parent reply other threads:[~2018-02-23 19:27 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-23 19:25 [Qemu-devel] [PATCH v3 00/36] x-blockdev-create for protocols and qcow2 Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 01/36] block/qapi: Introduce BlockdevCreateOptions Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 02/36] block/qapi: Add qcow2 create options to schema Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 03/36] qcow2: Let qcow2_create() handle protocol layer Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 04/36] qcow2: Pass BlockdevCreateOptions to qcow2_create2() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 05/36] qcow2: Use BlockdevRef in qcow2_create2() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 06/36] qcow2: Use QCryptoBlockCreateOptions " Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 07/36] qcow2: Handle full/falloc preallocation " Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 08/36] util: Add qemu_opts_to_qdict_filtered() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 09/36] test-qemu-opts: Test qemu_opts_append() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 10/36] test-qemu-opts: Test qemu_opts_to_qdict_filtered() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 11/36] qdict: Introduce qdict_rename_keys() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 12/36] qcow2: Use visitor for options in qcow2_create() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 13/36] block: Make bdrv_is_whitelisted() public Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 14/36] block: x-blockdev-create QMP command Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 15/36] file-posix: Support .bdrv_co_create Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 16/36] file-win32: " Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 17/36] gluster: " Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 18/36] rbd: Fix use after free in qemu_rbd_set_keypairs() error path Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 19/36] rbd: Factor out qemu_rbd_connect() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 20/36] rbd: Remove non-schema options from runtime_opts Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 21/36] rbd: Pass BlockdevOptionsRbd to qemu_rbd_connect() Kevin Wolf
2018-02-26 12:23 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 22/36] rbd: Support .bdrv_co_create Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 23/36] rbd: Assign s->snap/image_name in qemu_rbd_open() Kevin Wolf
2018-02-26 12:24 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 24/36] rbd: Use qemu_rbd_connect() in qemu_rbd_do_create() Kevin Wolf
2018-02-26 12:25 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 25/36] nfs: Use QAPI options in nfs_client_open() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 26/36] nfs: Support .bdrv_co_create Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 27/36] sheepdog: QAPIfy "redundancy" create option Kevin Wolf
2018-02-26 12:28 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 28/36] sheepdog: Support .bdrv_co_create Kevin Wolf
2018-02-26 12:30 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 29/36] ssh: Use QAPI BlockdevOptionsSsh object Kevin Wolf
2018-02-23 19:25 ` Kevin Wolf [this message]
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 31/36] ssh: Pass BlockdevOptionsSsh to connect_to_ssh() Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 32/36] ssh: Support .bdrv_co_create Kevin Wolf
2018-02-26 12:43 ` Max Reitz
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 33/36] file-posix: Fix no-op bdrv_truncate() with falloc preallocation Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 34/36] block: Fail bdrv_truncate() with negative size Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 35/36] qemu-iotests: Test qcow2 over file image creation with QMP Kevin Wolf
2018-02-23 19:25 ` [Qemu-devel] [PATCH v3 36/36] qemu-iotests: Test ssh image creation over QMP Kevin Wolf
2018-02-26 12:55 ` Max Reitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180223192549.26666-31-kwolf@redhat.com \
--to=kwolf@redhat.com \
--cc=eblake@redhat.com \
--cc=jcody@redhat.com \
--cc=jdurgin@redhat.com \
--cc=mitake.hitoshi@lab.ntt.co.jp \
--cc=mreitz@redhat.com \
--cc=namei.unix@gmail.com \
--cc=pkrempa@redhat.com \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).