From: Pino Toscano
Date: Fri, 21 Oct 2016 17:28:54 +0200
Message-ID: <31459330.JxrQNaP2yV@thyrus.usersys.redhat.com>
In-Reply-To: <20161021112539.GM6585@redhat.com>
References: <1477048571-29592-1-git-send-email-ptoscano@redhat.com> <20161021112539.GM6585@redhat.com>
Subject: Re: [Qemu-devel] [PATCH v2] ssh: switch from libssh2 to libssh
To: "Daniel P. Berrange"
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org, kwolf@redhat.com, jcody@redhat.com, rjones@redhat.com, mreitz@redhat.com

On Friday, 21 October 2016 12:25:40 CEST Daniel P. Berrange wrote:
> On Fri, Oct 21, 2016 at 01:16:11PM +0200, Pino Toscano wrote:
> > Rewrite the implementation of the ssh block driver to use libssh instead
> > of libssh2. The libssh library has various advantages over libssh2:
> > - easier API for authentication (for example for using ssh-agent)
> > - easier API for known_hosts handling
> > - supports newer types of keys in known_hosts
> >
> > Kerberos authentication can be enabled once the libssh bug for it [1] is
> > fixed.
>
> IIUC from the code this relies on QEMU being able to talk to an ssh
> agent to do public key auth. Is there a way to directly provide the
> passphrase for the private key (avoiding need for an agent), or to
> provide a plain password to libssh?

Yes, both are supported by libssh.

> If so, you could use the QEMU 'secret' object type to provide these
> passphrases & passwords to QEMU, which can in turn pass them to
> libssh.
>
> Avoiding the need for ssh agent in this way would make it possible
> to use this driver with libvirt in more circumstances.
>
> eg for plain passwords you could do
>
>   $QEMU -object secret,id=sec0,data=mypassword
>         -drive driver=ssh,....,password-secret=sec0
>
> while for private key passphrases
>
>   $QEMU -object secret,id=sec0,data=mypassphrase
>         -drive driver=ssh,....,key-passphrase-secret=sec0
>
>
> No need to do this all as part of this patch though - it'd be cleaner to
> do this as a separate patch

Right, good idea.

Thanks,
--
Pino Toscano