
Bug 1343414

Summary: Failed SSH to conversion server by ssh identity http url at p2v client
Product: Red Hat Enterprise Linux 7
Reporter: mxie <mxie>
Component: libguestfs
Assignee: Richard W.M. Jones <rjones>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: juzhou, mxie, mzhan, ptoscano, tzheng, xiaodwan
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: P2V
Fixed In Version: libguestfs-1.32.5-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 18:01:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
  id_rsa http url (flags: none)
  curl error 22 (flags: none)

Description mxie@redhat.com 2016-06-07 09:47:10 UTC
Created attachment 1165562
id_rsa http url

Description of problem:
Failed SSH to conversion server by ssh identity http url at p2v client


Version-Release number of selected component (if applicable):
virt-p2v-1.32.5-2.el7.iso
virt-v2v-1.32.5-2.el7.x86_64
libguestfs-1.32.5-2.el7.x86_64



How reproducible:
100%

Steps to Reproduce:
1. Check the ssh identity info in the virt-p2v manual page
# man virt-p2v
SSH IDENTITIES

SSH identity downloaded from a website. In the GUI, use:

 │          Password: [    <leave this field blank>       ] │
 │                                                          │
 │  SSH Identity URL: [https://internal.example.com/id_rsa] │

or on the kernel command line:

 p2v.identity=https://internal.example.com/id_rsa

Anyone could still download the private key and use it to log in to the virt-v2v conversion server, but you could provide some extra security by configuring the web server to only allow connections from P2V machines.

3. Create a key pair, which must have an empty passphrase, and append the public key to the authorized_keys file on the conversion server

3.1 # ssh-keygen -t rsa -N '' -f id_rsa

3.2 # scp id_rsa.pub /root/.ssh/authorized_keys

4. Put the id_rsa on an available website, such as http://pan.baidu.com/s/1qXFPzZm; please refer to screenshot 'id_rsa http url'

5. Boot the machine into the p2v client via ISO

5. In the interface for entering conversion server info, enter the conversion server IP and username and then enter the id_rsa HTTP URL as the SSH identity URL, but the SSH connection failed with error: curl error 22; please refer to screenshot 'curl error 22'
 


Actual results:
As described above

Expected results:
SSH to conversion server by ssh identity http url at p2v client successfully
 

Additional info:

Comment 1 mxie@redhat.com 2016-06-07 10:03:25 UTC
Created attachment 1165566
curl error 22

Comment 3 Richard W.M. Jones 2016-06-07 13:28:51 UTC
So the reason for the failure in this case is that the remote
URL is not available.  It fails with 403 Forbidden:

$ wget 'http://pan.baidu.com/s/1qXFPzZm'
--2016-06-07 14:25:50--  http://pan.baidu.com/s/1qXFPzZm
Resolving cache.home.annexia.org (cache.home.annexia.org)... 192.168.0.254
Connecting to cache.home.annexia.org (cache.home.annexia.org)|192.168.0.254|:3128... connected.
Proxy request sent, awaiting response... 403 Forbidden
2016-06-07 14:25:53 ERROR 403: Forbidden.

When I tried to reproduce the bug I actually hit the same problem
myself.  ssh-keygen creates the id_rsa file (private key) with mode
0600 (-rw-------), which means if you just copy the file over to a
web server, it will not be accessible.  The web server will send
403 Forbidden errors.

The solution for me was to change the mode of the file to make it
public readable, eg. 0644.  I don't know if that is the case for you,
but you'll have to fix the 403 Forbidden error somehow.

I'm also going to update the manual page to make this clear.
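
Added example, not part of the original thread: a POSIX shell model of the permission check behind the 403 in Comment 3, showing which file modes let a web server process read the key. GNU stat is assumed; the function names and the web server uid/gid values are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bug thread). GNU stat is assumed.
# Simplified model: ignores ACLs, SELinux, supplementary groups and the
# permissions of the directories leading to the file.

# can_read_as FILE UID GID: succeed if a process with that uid/gid may read
# FILE according to its owner, group and mode bits.
can_read_as() {
    meta=$(stat -c '%a %u %g' "$1") || return 2
    mode=${meta%% *}; rest=${meta#* }
    owner=${rest%% *}; group=${rest#* }
    perms=$((0$mode))                      # stat prints octal digits
    if [ "$2" -eq "$owner" ]; then
        bit=$((perms & 0400))              # owner class only
    elif [ "$3" -eq "$group" ]; then
        bit=$((perms & 0040))              # group class only
    else
        bit=$((perms & 0004))              # everyone else
    fi
    [ "$bit" -ne 0 ]
}

# http_status_for FILE UID GID: print the status the thread observed for an
# unreadable file (403), or 200 when the server process can read it.
http_status_for() {
    if can_read_as "$@"; then echo 200; else echo 403; fi
}

# Walk a constructed stand-in for id_rsa through the modes discussed above.
# web_uid and other_gid are hypothetical ids for the web server process.
demo_key_modes() {
    k=$(mktemp) || return 1
    o=$(stat -c %u "$k"); g=$(stat -c %g "$k")
    web_uid=$((o + 1)); other_gid=$((g + 1))
    chmod 0600 "$k"; a=$(http_status_for "$k" "$web_uid" "$other_gid")
    chmod 0644 "$k"; b=$(http_status_for "$k" "$web_uid" "$other_gid")
    chmod 0640 "$k"; c=$(http_status_for "$k" "$web_uid" "$g")
    d=$(http_status_for "$k" "$web_uid" "$other_gid")
    rm -f "$k"
    echo "0600=$a 0644=$b 0640+group=$c 0640+other=$d"
}

demo_key_modes
```

The 0640 case shows the server reading the key through its group while other local accounts stay locked out. None of these modes limits who can fetch the URL; the manual page leaves that to web server access rules.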

Comment 4 Richard W.M. Jones 2016-06-07 13:33:24 UTC
Assuming it turns out to be the mode problem, I added this
documentation fix:
https://github.com/libguestfs/libguestfs/commit/3064c853726d2904f73b45b5d35140b5a54a5859

Comment 5 mxie@redhat.com 2016-06-08 06:49:56 UTC
Hi rjones,

Yes, you are right. After giving permission 0644 to id_rsa on the web server, p2v could ssh to the conversion server via the ssh identity http url successfully. Thanks for your help.

Comment 7 mxie@redhat.com 2016-06-23 08:20:22 UTC
There is no description about changing the mode of id_rsa to 0644 in the virt-p2v manual page with the virt-v2v-1.32.5-2.el7 version


After updating virt-v2v to virt-v2v-1.32.5-5.el7.x86_64, there is a note about changing the mode of id_rsa in the virt-p2v manual page, as below
# man virt-p2v
 Note that ssh-keygen(1) creates the "id_rsa" (private key) file with mode 0600.
 If you simply copy the file to a webserver, the webserver will not serve it.
 It will reply with "403 Forbidden" errors.  You will need to change the mode of
 the file to make it publicly readable, for example by using:

 chmod 0644 id_rsa


Try to verify ssh identity url function with http url on builds
virt-p2v-1.32.5-5.el7
virt-v2v-1.32.5-5.el7.x86_64
libguestfs-1.32.5-5.el7.x86_64

Steps:
1. Create a key pair, which must have an empty passphrase, and append the public key to the authorized_keys file on the conversion server
1.1 # ssh-keygen -t rsa -N '' -f id_rsa
1.2 # scp id_rsa.pub /root/.ssh/authorized_keys

2. Mount the website locally
mount 10.73.194.27:/vol/S3/libvirtmanual/mxie /mnt

3. Copy the key to the website
# cp id_rsa /mnt

4. Change the mode of the key
# chmod 0644 id_rsa

5. Boot the machine into the p2v client via ISO

6. In the interface for entering conversion server info, enter the conversion server IP and username and then enter the id_rsa HTTP URL as the SSH identity URL, such as http://fileshare.englab.nay.redhat.com/pub/section3/libvirtmanual/mxie/id_rsa

Result now
The conversion server could be connected successfully via ssh identity http url on p2v client


So move the bug from ON_QA to VERIFIED

Comment 9 errata-xmlrpc 2016-11-03 18:01:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2576.html