From: Pino Toscano <ptoscano@redhat.com>
To: qemu-devel@nongnu.org, qemu-block@nongnu.org
Cc: kwolf@redhat.com, ptoscano@redhat.com, pkrempa@redhat.com,
	rjones@redhat.com, mreitz@redhat.com
Subject: [Qemu-devel] [PATCH 1/2] ssh: implement password authentication
Date: Fri, 26 Jul 2019 16:09:53 +0200	[thread overview]
Message-ID: <20190726140954.31921-2-ptoscano@redhat.com> (raw)
In-Reply-To: <20190726140954.31921-1-ptoscano@redhat.com>

Add a 'password-secret' option, which names the object holding the
user's password.

Signed-off-by: Pino Toscano <ptoscano@redhat.com>
---
 block/ssh.c                  | 35 ++++++++++++++++++++++++++++++++---
 block/trace-events           |  1 +
 docs/qemu-block-drivers.texi |  7 +++++--
 qapi/block-core.json         |  6 +++++-
 tests/qemu-iotests/207.out   |  2 +-
 5 files changed, 44 insertions(+), 7 deletions(-)

diff --git a/block/ssh.c b/block/ssh.c
index 501933b855..04ae223282 100644
--- a/block/ssh.c
+++ b/block/ssh.c
@@ -43,6 +43,7 @@
 #include "qapi/qmp/qstring.h"
 #include "qapi/qobject-input-visitor.h"
 #include "qapi/qobject-output-visitor.h"
+#include "crypto/secret.h"
 #include "trace.h"
 
 /*
@@ -499,7 +500,8 @@ static int check_host_key(BDRVSSHState *s, SshHostKeyCheck *hkc, Error **errp)
     return -EINVAL;
 }
 
-static int authenticate(BDRVSSHState *s, Error **errp)
+static int authenticate(BDRVSSHState *s, BlockdevOptionsSsh *opts,
+                        Error **errp)
 {
     int r, ret;
     int method;
@@ -538,9 +540,35 @@ static int authenticate(BDRVSSHState *s, Error **errp)
         }
     }
 
+    /*
+     * Try to authenticate with password, if available.
+     */
+    if (method & SSH_AUTH_METHOD_PASSWORD && opts->has_password_secret) {
+        char *password;
+
+        trace_ssh_option_secret_object(opts->password_secret);
+        password = qcrypto_secret_lookup_as_utf8(opts->password_secret, errp);
+        if (!password) {
+            ret = -EINVAL;
+            goto out;
+        }
+        r = ssh_userauth_password(s->session, NULL, password);
+        g_free(password);
+        if (r == SSH_AUTH_ERROR) {
+            ret = -EINVAL;
+            session_error_setg(errp, s, "failed to authenticate using "
+                                        "password authentication");
+            goto out;
+        } else if (r == SSH_AUTH_SUCCESS) {
+            /* Authenticated! */
+            ret = 0;
+            goto out;
+        }
+    }
+
     ret = -EPERM;
     error_setg(errp, "failed to authenticate using publickey authentication "
-               "and the identities held by your ssh-agent");
+               "and the identities held by your ssh-agent, or using password");
 
  out:
     return ret;
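Review bot: The plaintext password returned by `qcrypto_secret_lookup_as_utf8()` is released with a bare `g_free(password)` right after the `ssh_userauth_password()` call, so the cleartext stays in freed heap memory for the rest of the process lifetime; clearing the buffer before freeing it would bound that exposure (use the tree's explicit-clear helper if one exists — a plain `memset()` immediately before `g_free()` can be optimised away). The guard `if (method & SSH_AUTH_METHOD_PASSWORD && opts->has_password_secret)` relies on `&` binding tighter than `&&`; `if ((method & SSH_AUTH_METHOD_PASSWORD) && opts->has_password_secret)` says the same thing without making the reader check precedence. Only `SSH_AUTH_ERROR` and `SSH_AUTH_SUCCESS` are distinguished, so a rejected password, and likewise a configured `password-secret` on a server that does not offer the password method, both fall through to the generic "publickey ... or using password" message at the end, which hides which method actually failed; a dedicated `error_setg` in the denied case would help the operator diagnose it. authenticate() begins before this hunk and its closing brace follows it.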
@@ -785,7 +813,7 @@ static int connect_to_ssh(BDRVSSHState *s, BlockdevOptionsSsh *opts,
     }
 
     /* Authenticate. */
-    ret = authenticate(s, errp);
+    ret = authenticate(s, opts, errp);
     if (ret < 0) {
         goto err;
     }
@@ -1376,6 +1404,7 @@ static const char *const ssh_strong_runtime_opts[] = {
     "user",
     "host_key_check",
     "server.",
+    "password-secret",
 
     NULL
 };
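Review bot: `"password-secret"` is the only hyphenated entry in `ssh_strong_runtime_opts`; its neighbours `"user"` and `"host_key_check"` use the legacy underscore spelling. If the list is matched against the QAPI key names this entry is right and the others are legacy forms, but a one-line comment above the new entry, e.g. `/* options without a legacy spelling are listed by their QAPI (hyphenated) name */`, would keep the next addition from guessing; this is inferred from the visible entries only, so confirm against the matching code.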
diff --git a/block/trace-events b/block/trace-events
index d724df0117..391aae03e6 100644
--- a/block/trace-events
+++ b/block/trace-events
@@ -186,6 +186,7 @@ ssh_write_return(ssize_t ret, int sftp_err) "sftp_write returned %zd (sftp error
 ssh_seek(int64_t offset) "seeking to offset=%" PRIi64
 ssh_auth_methods(int methods) "auth methods=0x%x"
 ssh_server_status(int status) "server status=%d"
+ssh_option_secret_object(const char *path) "using password from object %s"
 
 # curl.c
 curl_timer_cb(long timeout_ms) "timer callback timeout_ms %ld"
diff --git a/docs/qemu-block-drivers.texi b/docs/qemu-block-drivers.texi
index 91ab0eceae..c77ef2dd69 100644
--- a/docs/qemu-block-drivers.texi
+++ b/docs/qemu-block-drivers.texi
@@ -771,8 +771,11 @@ matches a specific fingerprint:
 (@code{sha1:} can also be used as a prefix, but note that OpenSSH
 tools only use MD5 to print fingerprints).
 
-Currently authentication must be done using ssh-agent.  Other
-authentication methods may be supported in future.
+The optional @var{password-secret} parameter provides the ID of a
+@code{secret} object that contains the password for authenticating.
+
+Currently authentication must be done using ssh-agent, or providing a
+password.  Other authentication methods may be supported in future.
 
 Note: Many ssh servers do not support an @code{fsync}-style operation.
 The ssh driver cannot guarantee that disk flush requests are
diff --git a/qapi/block-core.json b/qapi/block-core.json
index 0d43d4f37c..1244562c7b 100644
--- a/qapi/block-core.json
+++ b/qapi/block-core.json
@@ -3223,13 +3223,17 @@
 # @host-key-check:      Defines how and what to check the host key against
 #                       (default: known_hosts)
 #
+# @password-secret:     ID of a QCryptoSecret object providing a password
+#                       for authentication (since 4.2)
+#
 # Since: 2.9
 ##
 { 'struct': 'BlockdevOptionsSsh',
   'data': { 'server': 'InetSocketAddress',
             'path': 'str',
             '*user': 'str',
-            '*host-key-check': 'SshHostKeyCheck' } }
+            '*host-key-check': 'SshHostKeyCheck',
+            '*password-secret': 'str' } }
 
 
 ##
diff --git a/tests/qemu-iotests/207.out b/tests/qemu-iotests/207.out
index 1239d9d648..5bfdf626b9 100644
--- a/tests/qemu-iotests/207.out
+++ b/tests/qemu-iotests/207.out
@@ -74,7 +74,7 @@ Job failed: failed to open remote file '/this/is/not/an/existing/path': SFTP ser
 
 {"execute": "blockdev-create", "arguments": {"job-id": "job0", "options": {"driver": "ssh", "location": {"host-key-check": {"mode": "none"}, "path": "TEST_DIR/PID-t.img", "server": {"host": "127.0.0.1", "port": "22"}, "user": "invalid user"}, "size": 4194304}}}
 {"return": {}}
-Job failed: failed to authenticate using publickey authentication and the identities held by your ssh-agent
+Job failed: failed to authenticate using publickey authentication and the identities held by your ssh-agent, or using password
 {"execute": "job-dismiss", "arguments": {"id": "job0"}}
 {"return": {}}
 
-- 
2.21.0


