remote/ssh: support for no_verify.
authorOskari Saarenmaa <os@ohmu.fi>
Mon, 11 Jul 2011 19:50:31 +0000 (22:50 +0300)
committerMatthias Bolte <matthias.bolte@googlemail.com>
Tue, 12 Jul 2011 13:09:05 +0000 (15:09 +0200)
Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified.  This won't disable host key
checking for already known hosts.  Includes a test and documentation.

AUTHORS
docs/remote.html.in
src/remote/remote_driver.c
src/rpc/virnetclient.c
src/rpc/virnetclient.h
src/rpc/virnetsocket.c
src/rpc/virnetsocket.h
tests/virnetsockettest.c

diff --git a/AUTHORS b/AUTHORS
index 4b200d00ea7aab19ec4523150d1be11cfa49a1f8..4b16a2ca70531050dbd5948b999b3607e1abf8ff 100644 (file)
--- a/AUTHORS
+++ b/AUTHORS
@@ -184,6 +184,7 @@ Patches have also been contributed by:
   John Williams        <john.williams@petalogix.com>
   Michael Santos       <michael.santos@gmail.com>
   Alex Jia             <ajia@redhat.com>
+  Oskari Saarenmaa     <os@ohmu.fi>
 
   [....send patches to get your name here....]
 
index f6a0683135d0733a612cb889a892bd93b11d3355..39d65aaabe9d74bdee83a6c8ab30504081ff9b66 100644 (file)
@@ -279,9 +279,14 @@ Note that parameter values must be
         <td>
           <code>no_verify</code>
         </td>
-        <td> tls </td>
-        <td>
-  If set to a non-zero value, this disables client checks of the
+        <td> ssh, tls </td>
+        <td>
+  SSH: If set to a non-zero value, this disables client's strict host key
+  checking making it auto-accept new host keys.  Existing host keys will
+  still be validated.
+  <br/>
+  <br/>
+  TLS: If set to a non-zero value, this disables client checks of the
   server's certificate.  Note that to disable server checks of
   the client's certificate or IP address you must
   <a href="#Remote_libvirtd_configuration">change the libvirtd
index 5c0457e200a2f78a4649e2fe0b6f8828aa857752..6921c153f53ee271f6a75c39fa7b316091629b4a 100644 (file)
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
                                                 command,
                                                 username,
                                                 no_tty,
+                                                no_verify,
                                                 netcat ? netcat : "nc",
                                                 sockname)))
             goto failed;
index 6a112eea701eced2a26e3db2bb62aedc9f464d3b..b9f0fc807fb8cf0c3cfa9339588c14178f178d51 100644 (file)
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                    const char *binary,
                                    const char *username,
                                    bool noTTY,
+                                   bool noVerify,
                                    const char *netcat,
                                    const char *path)
 {
     virNetSocketPtr sock;
 
-    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat, path, &sock) < 0)
+    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify, netcat, path, &sock) < 0)
         return NULL;
 
     return virNetClientNew(sock, NULL);
index de0782c240fde6946831f2c02c435185bdc58926..6acdf508a057a8e1e63135438919a17e63342e68 100644 (file)
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                    const char *binary,
                                    const char *username,
                                    bool noTTY,
+                                   bool noVerify,
                                    const char *netcat,
                                    const char *path);
 
index 33920479a486e55d75bdf5cbbc93040960b10e65..41d9954e6629ea39d85228be3c336debc01f6a8c 100644 (file)
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                               const char *binary,
                               const char *username,
                               bool noTTY,
+                              bool noVerify,
                               const char *netcat,
                               const char *path,
                               virNetSocketPtr *retsock)
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
     if (noTTY)
         virCommandAddArgList(cmd, "-T", "-o", "BatchMode=yes",
                              "-e", "none", NULL);
+    if (noVerify)
+        virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no", NULL);
     virCommandAddArgList(cmd, nodename,
                          netcat ? netcat : "nc",
                          "-U", path, NULL);
index 356d6c6cf8ac24d3a861bb9158c19ec48f117f8a..5f882ac5439afca95a70a625bbb94020cc01a495 100644 (file)
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                               const char *binary,
                               const char *username,
                               bool noTTY,
+                              bool noVerify,
                               const char *netcat,
                               const char *path,
                               virNetSocketPtr *addr);
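Review bot: The new `noVerify` parameter is the one argument of this prototype with a security consequence, yet the declaration gains no comment explaining it. A one-line note above the prototype would help callers decide when to pass it, e.g. `/* noVerify: passes -o StrictHostKeyChecking=no to ssh, which auto-accepts host keys not yet in known_hosts */`. The declaration starts before the hunk.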
index f6c72743c67975c6fd771a532e6e3e25c6d80c98..1697ced30c1a610d051b5a8edc511e167b31f668 100644 (file)
@@ -377,6 +377,7 @@ struct testSSHData {
     const char *binary;
     const char *username;
     bool noTTY;
+    bool noVerify;
     const char *netcat;
     const char *path;
 
@@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque)
                                   data->binary,
                                   data->username,
                                   data->noTTY,
+                                  data->noVerify,
                                   data->netcat,
                                   data->path,
                                   &csock) < 0)
@@ -503,6 +505,7 @@ mymain(void)
         .username = "fred",
         .netcat = "netcat",
         .noTTY = true,
+        .noVerify = false,
         .path = "/tmp/socket",
         .expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U /tmp/socket\n",
     };
@@ -510,20 +513,33 @@ mymain(void)
         ret = -1;
 
     struct testSSHData sshData3 = {
-        .nodename = "nosuchhost",
+        .nodename = "somehost",
+        .service = "9000",
+        .username = "fred",
+        .netcat = "netcat",
+        .noTTY = false,
+        .noVerify = true,
         .path = "/tmp/socket",
-        .failConnect = true,
+        .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n",
     };
     if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)
         ret = -1;
 
     struct testSSHData sshData4 = {
+        .nodename = "nosuchhost",
+        .path = "/tmp/socket",
+        .failConnect = true,
+    };
+    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+        ret = -1;
+
+    struct testSSHData sshData5 = {
         .nodename = "crashyhost",
         .path = "/tmp/socket",
         .expectOut = "crashyhost nc -U /tmp/socket\n",
         .dieEarly = true,
     };
-    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+    if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData5) < 0)
         ret = -1;
 
 #endif
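Review bot: No test here pins the argument order when `noTTY` and `noVerify` are both set; sshData3 uses `.noTTY = false`, so the combined form `-T -o BatchMode=yes -e none -o StrictHostKeyChecking=no` that the production code emits is unverified. Adding a variant of sshData3 with `.noTTY = true` and an `.expectOut` carrying both option groups would cover it. mymain starts before the hunk and continues after it.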