Bug 1510536

Summary: [RFE] obfuscate password for ssh key in virt-who config file used to connect to hypervisor
Product: Red Hat Enterprise Linux 7 Reporter: Andrea Perotti <aperotti>
Component: virt-who Assignee: candlepin-bugs
Status: CLOSED WONTFIX QA Contact: Eko <hsun>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4 CC: aperotti, candlepin-bugs, cdonnell, dconsoli, wpoteat, yuefliu
Target Milestone: pre-dev-freeze Keywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1716985 Environment:
Last Closed: 2019-06-11 19:08:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1353215, 1716985    

Description Andrea Perotti 2017-11-07 15:57:01 UTC
Description of problem:

2. What is the nature and description of the request?
Customer would like to use an ssh key protected with a passphrase in virt-who, and to have that password obfuscated in the virt-who configuration file.

3. Why does the customer need this? (List the business requirements here)
Compliance requires that each ssh key used must be protected with a password

4. How would the customer like to achieve this? (List the functional requirements here)
With the addition of a new option in virt-who config file

5. For each functional requirement listed in question 4, specify how Red Hat and Customer can test to confirm the requirement is successfully implemented.

You should be able to use virt-who config with an encrypted ssh key, with obfuscated password 

6. Is there already an existing RFE upstream or in Red Hat bugzilla?
   No

7. How quickly does this need resolved? (desired target release)
As soon as possible, it should be made available both on RHEL6 and RHEL7

8. Does this request meet the RHEL Inclusion criteria (please review)
  Yes
9. List the affected packages
virt-who

Version-Release number of selected component (if applicable):

virt-who-0.19-6

Comment 2 Craig Donnelly 2017-11-07 18:26:49 UTC
Hello,

I wanted to clarify what it is exactly you were looking for in this request.

My interpretation of what you have laid out is as follows:

You have a system that is using libvirt which virt-who would be connecting to via SSH w/username + password - and you want the password to not be plain text.

If that is correct, is the requirement not met by utilizing 'virt-who-password' which ships with virt-who to encrypt the password by way of hashing?

Please provide a little more detail on explicitly what it is you're aiming for if the above is not a resolution.

Thanks!

Comment 3 Andrea Perotti 2017-11-07 20:48:40 UTC
Hi,
   the request is for a more complex use case.

Scenario here is that you do connect to libvirt via ssh, but you do use: 

username
ssh-key (id_rsa+id_rsa.pub)

and that ssh-key is password protected.

Using virt-who-password is fine to scramble; what is needed is just a way to express the passphrase of the ssh-key in a non-plain-text way.

If you have further doubts on the request, please just let me know.

Comment 4 Craig Donnelly 2017-11-07 22:17:50 UTC
So what I understand based off of that is that you want 'virt-who' daemon to be able to use an ssh-key to login to libvirt and pass an encrypted password to unlock the ssh-key.

In this case, I would call this an RFE for virt-who, which would need to be placed under RHEL for that team.

I will shift this to the correct place.

Comment 9 William Poteat 2019-06-11 19:08:34 UTC
This is not necessary for virt-who to operate and it is outside the scope of the application.

Comment 10 Red Hat Bugzilla 2023-09-14 04:11:24 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days