remote/ssh: support for no_verify.

Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the no_verify extra parameter was specified. This won't disable host key checking for already known hosts. Includes a test and documentation.

remote/ssh: support for no_verify.
Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the no_verify extra parameter was specified. This won't disable host key checking for already known hosts. Includes a test and documentation.
9a0e6a8f · Oskari Saarenmaa · Matthias Bolte · 2851d378 · 9a0e6a8f · 9a0e6a8f
8 changed file
--- a/AUTHORS
+++ b/AUTHORS
@@ -184,6 +184,7 @@ Patches have also been contributed by:
  John Williams        <john.williams@petalogix.com>
  Michael Santos       <michael.santos@gmail.com>
  Alex Jia             <ajia@redhat.com>
+  Oskari Saarenmaa     <os@ohmu.fi>
  [....send patches to get your name here....]

--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -279,9 +279,14 @@ Note that parameter values must be
        <td>
          <code>no_verify</code>
        </td>
-        <td> tls </td>
+        <td> ssh, tls </td>
        <td>
-  If set to a non-zero value, this disables client checks of the
+  SSH: If set to a non-zero value, this disables client's strict host key
+  checking making it auto-accept new host keys.  Existing host keys will
+  still be validated.
+  <br/>
+  <br/>
+  TLS: If set to a non-zero value, this disables client checks of the
  server's certificate.  Note that to disable server checks of
  the client's certificate or IP address you must
  <a href="#Remote_libvirtd_configuration">change the libvirtd

--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -571,6 +571,7 @@ doRemoteOpen (virConnectPtr conn,
                                                command,
                                                username,
                                                no_tty,
+                                                no_verify,
                                                netcat ? netcat : "nc",
                                                sockname)))
            goto failed;

--- a/src/rpc/virnetclient.c
+++ b/src/rpc/virnetclient.c
@@ -187,12 +187,13 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                   const char *binary,
                                   const char *username,
                                   bool noTTY,
+                                   bool noVerify,
                                   const char *netcat,
                                   const char *path)
 {
    virNetSocketPtr sock;
-    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, netcat, path, &sock) < 0)
+    if (virNetSocketNewConnectSSH(nodename, service, binary, username, noTTY, noVerify, netcat, path, &sock) < 0)
        return NULL;
    return virNetClientNew(sock, NULL);

--- a/src/rpc/virnetclient.h
+++ b/src/rpc/virnetclient.h
@@ -44,6 +44,7 @@ virNetClientPtr virNetClientNewSSH(const char *nodename,
                                   const char *binary,
                                   const char *username,
                                   bool noTTY,
+                                   bool noVerify,
                                   const char *netcat,
                                   const char *path);

--- a/src/rpc/virnetsocket.c
+++ b/src/rpc/virnetsocket.c
@@ -576,6 +576,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                              const char *binary,
                              const char *username,
                              bool noTTY,
+                              bool noVerify,
                              const char *netcat,
                              const char *path,
                              virNetSocketPtr *retsock)
@@ -596,6 +597,8 @@ int virNetSocketNewConnectSSH(const char *nodename,
    if (noTTY)
        virCommandAddArgList(cmd, "-T", "-o", "BatchMode=yes",
                             "-e", "none", NULL);
+    if (noVerify)
+        virCommandAddArgList(cmd, "-o", "StrictHostKeyChecking=no", NULL);
    virCommandAddArgList(cmd, nodename,
                         netcat ? netcat : "nc",
                         "-U", path, NULL);

--- a/src/rpc/virnetsocket.h
+++ b/src/rpc/virnetsocket.h
@@ -67,6 +67,7 @@ int virNetSocketNewConnectSSH(const char *nodename,
                              const char *binary,
                              const char *username,
                              bool noTTY,
+                              bool noVerify,
                              const char *netcat,
                              const char *path,
                              virNetSocketPtr *addr);

--- a/tests/virnetsockettest.c
+++ b/tests/virnetsockettest.c
@@ -377,6 +377,7 @@ struct testSSHData {
    const char *binary;
    const char *username;
    bool noTTY;
+    bool noVerify;
    const char *netcat;
    const char *path;
@@ -397,6 +398,7 @@ static int testSocketSSH(const void *opaque)
                                  data->binary,
                                  data->username,
                                  data->noTTY,
+                                  data->noVerify,
                                  data->netcat,
                                  data->path,
                                  &csock) < 0)
@@ -503,6 +505,7 @@ mymain(void)
        .username = "fred",
        .netcat = "netcat",
        .noTTY = true,
+        .noVerify = false,
        .path = "/tmp/socket",
        .expectOut = "-p 9000 -l fred -T -o BatchMode=yes -e none somehost netcat -U /tmp/socket\n",
    };
@@ -510,20 +513,33 @@ mymain(void)
        ret = -1;
    struct testSSHData sshData3 = {
-        .nodename = "nosuchhost",
+        .nodename = "somehost",
+        .service = "9000",
+        .username = "fred",
+        .netcat = "netcat",
+        .noTTY = false,
+        .noVerify = true,
        .path = "/tmp/socket",
-        .failConnect = true,
+        .expectOut = "-p 9000 -l fred -o StrictHostKeyChecking=no somehost netcat -U /tmp/socket\n",
    };
    if (virtTestRun("SSH test 3", 1, testSocketSSH, &sshData3) < 0)
        ret = -1;
    struct testSSHData sshData4 = {
+        .nodename = "nosuchhost",
+        .path = "/tmp/socket",
+        .failConnect = true,
+    };
+    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+        ret = -1;
+    struct testSSHData sshData5 = {
        .nodename = "crashyhost",
        .path = "/tmp/socket",
        .expectOut = "crashyhost nc -U /tmp/socket\n",
        .dieEarly = true,
    };
-    if (virtTestRun("SSH test 4", 1, testSocketSSH, &sshData4) < 0)
+    if (virtTestRun("SSH test 5", 1, testSocketSSH, &sshData5) < 0)
        ret = -1;
 #endif