Bug 1174177 - RFE: provide API for setting root/administrator account password via QEMU guest agent
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Ján Tomko
QA Contact: Virtualization Bugs
Depends On: 1174176 1174181 1303906
Blocks: 978365 1154205 1261100
Reported: 2014-12-15 10:22 UTC by Daniel Berrangé
Modified: 2019-09-12 08:08 UTC (History)

Fixed In Version: libvirt-1.2.16-1.el7
Doc Type: Enhancement
Doc Text:
The "guest-set-user-password" command has been introduced for the QEMU guest agent. This allows setting the account password for any guest user, including the administrator, when using QEMU-KVM.
Clone Of: 1174176
Last Closed: 2015-11-19 05:58:37 UTC
Links: Red Hat Product Errata RHBA-2015:2202 (private: 0, priority: normal, status: SHIPPED_LIVE), "libvirt bug fix and enhancement update", last updated 2015-11-19 08:17:58 UTC

Description Daniel Berrangé 2014-12-15 10:22:31 UTC
+++ This bug was initially created as a clone of Bug #1174176 +++

Description of problem:
OpenStack has a public API which allows a tenant to reset the root/administrator account password of a running guest instance. This is currently supported with XenAPI and users & customers are disappointed when they find it does not work on KVM too.

NB, while OpenStack tenants can set a root password up front with cloud-init, this does not support the same use cases. It is generally preferred to not set any root password at all - just leave the account locked to password access, and instead use SSH keys for login. Where the ability to set the root password is important is in disaster recovery. eg they have lost access to a VM (eg due to network mis-configuration). Unlocking root account console logins by setting a root password is their last ditch approach to recover the instance without taking it offline.

Thus the request here is to provide a new QEMU guest agent command

 'set-administrator-password --iscrypted CRYPTED_PASSWORD'
 'set-administrator-password RAW_PASSWORD'

Note I'm following the example from kickstart files, where you allow provision of both the raw password, or a pre-encrypted/salted string. The latter is generally preferable since then log messages will not leak the sensitive raw password.

It is desired to have this available for currently supported RHEL *and* Windows versions.

Comment 3 Ján Tomko 2015-05-18 12:44:52 UTC
Proposed upstream patches:
https://www.redhat.com/archives/libvir-list/2015-May/msg00562.html

Comment 5 Ján Tomko 2015-05-22 07:23:46 UTC
Now pushed upstream:
commit 886f43ad781ca58b8f87010c1f7d94fa5d9bbc4a
Author:     Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:24:02 +0200

    qemu: wire up virDomainSetUserPassword
    
    Base-64 encode the password and pass it to the guest agent
    via the 'guest-set-user-password' command.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1174177

commit 9bcadfabaa95d6955b209f071b038af08abed434
Author:     Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:21:55 +0200

    virsh: add set-user-password command
    
    Expose the virDomainSetUserPassword API in virsh:
    virsh set-user-password dom user 123456

commit e8982c88bd949e634075b3cc3549beddc9821683
Author:     Ján Tomko <jtomko>
CommitDate: 2015-05-21 16:04:01 +0200

    Introduce virDomainSetUserPassword API
    
    For setting passwords of users inside the domain.
    
    With the VIR_DOMAIN_PASSWORD_ENCRYPTED flag set, the password
    is assumed to be already encrypted by the method required
    by the guest OS.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1174177

git describe: v1.2.15-126-g886f43a

Comment 7 zhenfeng wang 2015-07-27 08:34:40 UTC
Verified this bug with libvirt-1.2.17-2.el7.x86_64 and found 1 issue: login to the guest fails after setting the user's password with the --encrypted option. Can you help check it? Thanks.

pkginfo
kernel-3.10.0-300.el7.x86_64
libvirt-1.2.17-2.el7.x86_64
qemu-kvm-rhev-2.3.0-13.el7.x86_64

guest info
qemu-guest-agent-2.3.0-2.el7.x86_64.rpm

steps
1.Prepare a guest with guest agent configured
2.Get the selinux to permissive mode inside the guest
guest#setenforce 0

3.Set root password of guest to 'redhat' inside guest os
guest#password redhat

4.login guest from host with the new password, guest could login successfully
#ssh root@guest_ip 

5.Change root password of guest to '123456' with qemu agent command
# virsh set-user-password virt-tests-vm1 --user root --password 123456 
Password set successfully for root in virt-tests-vm1

6. Log in to the guest: login succeeds with the new password and fails with the previous password
#ssh root@guest_ip 

7. Change the root password of the guest to '111111' with the qemu agent command and the --encrypted option, then log in to the guest: login fails with the new password, and with the previous password as well.

# virsh set-user-password virt-tests-vm1 --user root --password 111111 --encrypted
Password set successfully for root in virt-tests-vm1


# ssh root@guest_ip
root@guest_ip's password: 
Permission denied, please try again.
root@guest_ip's password: 
Permission denied, please try again.
root@guest_ip's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

Comment 8 Ján Tomko 2015-07-27 08:55:33 UTC
From the virsh manual page:
           If --encrypted is specified, the password is assumed to be already encrypted by the method required by the guest OS.

For a Linux guest, crypt(3) is the method that generates passwords suitable for writing into the password entry in /etc/shadow.
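
An added example, not part of the original comments and not libvirt's own code: it builds the 'guest-set-user-password' message with the base64-encoded password described in the commit message of Comment 5, and refuses the crypted flag when the string does not look like crypt(3) output, the situation reported in Comment 7. The helper names `crypt_scheme` and `build_set_password_command` are hypothetical, and the message layout (username, password, crypted) is assumed from the QEMU guest agent schema.

```python
import base64
import json
import re

# Heuristic patterns for crypt(3) output (hypothetical helper, not libvirt code).
# A raw 13-character alphanumeric password would also match "des".
_B64 = r"[./0-9A-Za-z]"
CRYPT_FORMATS = [
    ("sha512crypt", re.compile(rf"\$6\$(rounds=\d+\$)?{_B64}{{1,16}}\${_B64}{{86}}")),
    ("sha256crypt", re.compile(rf"\$5\$(rounds=\d+\$)?{_B64}{{1,16}}\${_B64}{{43}}")),
    ("md5crypt", re.compile(rf"\$1\${_B64}{{1,8}}\${_B64}{{22}}")),
    ("des", re.compile(rf"{_B64}{{13}}")),
]
WEAK_SCHEMES = {"des", "md5crypt"}  # obsolete hashes; DES only uses 8 characters


def crypt_scheme(value):
    """Return the crypt(3) scheme name the string looks like, or None."""
    for name, pattern in CRYPT_FORMATS:
        if pattern.fullmatch(value):
            return name
    return None


def build_set_password_command(username, password, crypted=False):
    """Build the guest-set-user-password message sent to the guest agent."""
    if crypted and crypt_scheme(password) is None:
        # The guest would store this string verbatim as the hash, so no
        # password would ever match it (the login failure in Comment 7).
        raise ValueError("crypted=True but password is not crypt(3) output")
    return json.dumps({
        "execute": "guest-set-user-password",
        "arguments": {
            "username": username,
            "password": base64.b64encode(password.encode()).decode(),
            "crypted": crypted,
        },
    })


if __name__ == "__main__":
    # The values below are the ones used in this bug's test steps.
    print(crypt_scheme("2aXYYJmeGWrbU"))
    print(build_set_password_command("root", "2aXYYJmeGWrbU", crypted=True))
    try:
        build_set_password_command("root", "111111", crypted=True)
    except ValueError as exc:
        print("rejected:", exc)
```

A caller can compare the returned scheme against `WEAK_SCHEMES` to warn when a traditional DES or MD5 hash is about to be written into the guest's /etc/shadow.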

Comment 9 zhenfeng wang 2015-07-28 10:34:01 UTC
Thanks for Jan's reply. The following are my complete verification steps. All of the following test steps were run under SELinux permissive mode, since bugs 1243458 and 1243459 haven't been fixed yet.

Scenario 1
Set the guest's password without --encrypted option

1.Prepare a running guest with guest agent configured
2.Create a normal user for the guest
#useradd test1

3.Change the guest's password for the root user
# virsh set-user-password virt-tests-vm1 --user root --password 1A2b3c4#
Password set successfully for root in virt-tests-vm1

4. Logging in to the guest with the previous password fails; logging in with the new password succeeds

5.Change the guest's password for the test1 user
# virsh set-user-password virt-tests-vm1 --user test1 --password 3@QWE12a
Password set successfully for test1 in virt-tests-vm1

6. Logging in to the guest with the previous password fails; logging in with the new password succeeds

7. Set the guest's password without the --user and --password options; the password is set successfully
# virsh set-user-password virt-tests-vm1 test1 3@QWE12b

8. Logging in to the guest with the previous password fails; logging in with the new password succeeds


Scenario 2
Set guest's password with --encrypted option

1.Prepare a running guest with guest agent configured
2.Create a normal user for the guest
#useradd test1

3. Crypt the guest's password before setting it
# openssl passwd -crypt 1A2b3c4#
2aXYYJmeGWrbU
# virsh set-user-password virt-tests-vm1 --user root --password 2aXYYJmeGWrbU --encrypted

4. Logging in to the guest with the previous password fails; logging in with the new password succeeds

5. Crypt the guest's password before setting it
# openssl passwd -crypt 3@QWE12a
D1uzez4R9JWE.
# virsh set-user-password virt-tests-vm1 --user test1 --password D1uzez4R9JWE. --encrypted
Password set successfully for test1 in virt-tests-vm1

6. Logging in to the guest with the previous password fails; logging in with the new password succeeds

7. Set the guest's password with --encrypted but without the --user and --password options; the password is set successfully
# openssl passwd -crypt 3@QWE12c
zVTbPXj7udwRE
# virsh set-user-password  virt-tests-vm1  test1 --password zVTbPXj7udwRE --encrypted
Password set successfully for test1 in virt-tests-vm1

8. Logging in to the guest with the previous password fails; logging in with the new password succeeds

Scenario 3
1. Stop the guest agent service inside the guest, then set the password for the guest; the expected error is returned
# virsh set-user-password  virt-tests-vm1  root --password redhat
error: Guest agent is not responding: QEMU guest agent is not connected

# virsh set-user-password  virt-tests-vm1  root --password redhat --encrypted
error: Guest agent is not responding: QEMU guest agent is not connected

2. Start the guest agent service; re-running the commands above then executes successfully


Scenario 4
1. Run the command in read-only mode; the expected error is returned

# virsh -r set-user-password  virt-tests-vm1  root --password redhat --encrypted
error: operation forbidden: read only access prevents virDomainSetUserPassword

2. Enable ACL in libvirtd.conf, then set the password for the guest; access is denied for the normal user
#cat /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"

#systemctl restart libvirtd

#ssh test1@host_ip
test1$ virsh -c qemu:///system
virsh # set-user-password  virt-tests-vm1  root --password redhat --encrypte
error: command 'set-user-password' doesn't support option --encrypte
virsh # set-user-password  virt-tests-vm1  root --password redhat 
error: access denied

virsh # set-user-password  virt-tests-vm1  root --password redhat 
error: access denied

3.Configure the rules for the user test1
## cat /etc/polkit-1/rules.d/100-libvirt-acl.rules 
polkit.addRule(function(action, subject) {

    if (action.id == "org.libvirt.api.domain.set-password" &&
        subject.user == "test1") {
          if (action.lookup("connect_driver") == 'QEMU' &&
              action.lookup("domain_name") == 'virt-tests-vm1') {
            return polkit.Result.YES;
          } else {
            return polkit.Result.NO;
          }
    }

});

4. Reset the guest's password as the normal user; the password is set successfully
#ssh test1@host_ip
test1$ virsh -c qemu:///system
virsh # set-user-password  virt-tests-vm1  root --password redhat  --encrypted
Password set successfully for test1 in virt-tests-vm1
virsh # set-user-password  virt-tests-vm1  root --password 123456
Password set successfully for test1 in virt-tests-vm1

Comment 10 zhenfeng wang 2015-07-28 10:41:00 UTC
Hi Jan
All the functions work as expected in this bug, as described in comment 9, and I think it would be better if we could improve the following error. What do you think about it? Thanks.

# virsh set-user-password  virt-tests-vm1  --user user1 --password redhat 
error: internal error: unable to execute QEMU agent command 'guest-set-user-password': child process has failed to set user password

Comment 11 zhenfeng wang 2015-07-28 10:42:56 UTC
I left something out of comment 10: the user "user1" was a non-existing user, and we had better get a clear error when setting the password for a non-existing user inside the guest.

Comment 12 Ján Tomko 2015-07-28 10:49:13 UTC
The error would need to be improved in qemu-guest-agent, as libvirt has no knowledge of guest user accounts.
The message 'child process has failed to set user password' already comes from qemu-guest-agent, so any improvement of the error in the guest agent would be picked up by libvirt.

Comment 13 zhenfeng wang 2015-07-29 02:24:19 UTC
Thanks. I filed a new bug 1247822 to track that issue, and am marking this bug verified according to comment 9.

Comment 17 errata-xmlrpc 2015-11-19 05:58:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2202.html

