Bug 1888537

Summary: RFE: guest agent public ssh injection api support
Product: Red Hat Enterprise Linux Advanced Virtualization Reporter: Michal Privoznik <mprivozn>
Component: libvirtAssignee: Michal Privoznik <mprivozn>
Status: CLOSED ERRATA QA Contact: Lili Zhu <lizhu>
Severity: medium Docs Contact:
Priority: medium    
Version: ---CC: berrange, demeng, dholler, dvossel, dyuan, fdeutsch, jdenemar, jsuchane, lijin, lmen, marcandre.lureau, mprivozn, rgarcia, virt-maint, xuzhang
Target Milestone: rcKeywords: FutureFeature, Triaged, Upstream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: libvirt-6.10.0-1.el8 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1885332 Environment:
Last Closed: 2021-05-25 06:43:38 UTC Type: Feature Request
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version: 6.10.0
Embargoed:
Bug Depends On: 1885332    
Bug Blocks:    

Description Michal Privoznik 2020-10-15 06:50:53 UTC 
+++ This bug was initially created as a clone of Bug #1885332 +++

Description of problem:

From a high level, this is a request for an API to set values within a guest OS's  authorized_keys file. This is similar in concept to the guest-set-user-password API command that already exists today [1].

The Background here is that OpenShift Virtualization (previously known as CNV) would like to begin leveraging the guest agent to dynamically inject ssh public keys into a running guest OS

We have already proven out the concept using the guest's file manipulation and exec capabilities here [2], however the commands we use in this proof of concept are not generally enabled for RHEL hosts. It's possible these commands are too permissive to ever be considered as being enabled by default. 

A targeted API (like a future guest-set-authorized-keys command) would likely be easier to justify enabling by default in RHEL guests, and would allow us to avoid tunneling a series of complex execution commands using the exec API. 

--- Additional comment from Marc-Andre Lureau on 2020-10-13 22:25:44 CEST ---

Sent to the qemu mailing list "[PATCH 0/2] qemu-ga: add ssh-{add,remove}-authorized-keys"

https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg03799.html
Comment 1 Marc-Andre Lureau 2020-11-07 09:14:58 UTC 
on libvirt list: "[libvirt PATCH] qemu: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys"
Comment 2 Michal Privoznik 2020-11-10 16:00:15 UTC 
Polished and finished Marc-Andre's patches and send to the list:

https://www.redhat.com/archives/libvir-list/2020-November/msg00444.html
Comment 3 Michal Privoznik 2020-11-16 12:21:29 UTC 
v2:

https://www.redhat.com/archives/libvir-list/2020-November/msg00821.html
Comment 4 Michal Privoznik 2020-11-18 14:26:00 UTC 
v3:

https://www.redhat.com/archives/libvir-list/2020-November/msg01012.html
Comment 5 Michal Privoznik 2020-11-18 15:39:15 UTC 
Merged upstream as:

e068cdd5be (HEAD -> master, origin/master, origin/HEAD) news: Document recent OpenSSH authorized key file mgmt APIs
2500b5ed9d qemu: Implement OpenSSH authorized key file mgmt APIs
9770578904 qemu_agent: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys
87d12effbe virsh: Expose OpenSSH authorized key file mgmt APIs
40c35dfa1f remote: Implement OpenSSH authorized key file mgmt APIs
de0b6dd63e Introduce OpenSSH authorized key file mgmt APIs

v6.9.0-313-ge068cdd5be
Comment 12 Michal Privoznik 2020-12-16 10:22:04 UTC 
For QE trying to verify this: There is a known problem with virsh and it's inablity to remove keys tracked under bug 1904674.
Comment 13 Lili Zhu 2021-01-02 12:40:20 UTC 
Verify this bug with:
libvirt-6.10.0-1.module+el8.4.0+8898+a84e86e1.x86_64

A. Set ssh authorized keys:
1.try to get the authorized keys
# virsh get-user-sshkeys vm1 lizhu
(no output)

2.try to ssh into the guest
# ssh lizhu.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
lizhu.122.13's password: 
(need password)

3. set the user keys
# virsh set-user-sshkeys vm1 lizhu /root/.ssh/id_ed25519.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# ssh lizhu.122.13
[lizhu@localhost ~]$ 
(not need password)

4. set the keys for non-root account to login into guest
# virsh set-user-sshkeys vm1 lizhu /home/tester/.ssh/id_rsa.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

$ ssh lizhu.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
Last login: Sat Jan  2 18:22:30 2021 from 192.168.122.1
[lizhu@localhost ~]$ 
(not need password)

B. reset ssh authorized keys
1. reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# virsh set-user-sshkeys vm1 lizhu  --reset /root/.ssh/id_ed25519.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
(reset the authorized keys file, then added new keys)

2. reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# virsh set-user-sshkeys vm1 lizhu  --reset

# virsh get-user-sshkeys vm1 lizhu
(no output)
Comment 14 Lili Zhu 2021-01-02 12:45:44 UTC 
C: get or set authorized keys under readonly mode
#  virsh -r get-user-sshkeys vm1 lizhu
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysGet

#  virsh -r set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysSet

D: get or set authorized keys when qemu-guest-agent is stopped
#  virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: Guest agent is not responding: QEMU guest agent is not connected

#  virsh get-user-sshkeys vm1 lizhu 
error: Guest agent is not responding: QEMU guest agent is not connected

E: get or set authorized keys when qemu-guest-agent is not configured
#  virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: argument unsupported: QEMU guest agent is not configured

#  virsh get-user-sshkeys vm1 lizhu 
error: argument unsupported: QEMU guest agent is not configured
Comment 15 Lili Zhu 2021-01-11 01:56:46 UTC 
For the --remove flag, will track it in Bug 1904674.
Mark the bug as verified.
Comment 17 errata-xmlrpc 2021-05-25 06:43:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2098