Bug 1888537 - RFE: guest agent public ssh injection api support
Summary: RFE: guest agent public ssh injection api support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Advanced Virtualization
Classification: Red Hat
Component: libvirt
Version: ---
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Michal Privoznik
QA Contact: Lili Zhu
URL:
Whiteboard:
Depends On: 1885332
Blocks:
Reported: 2020-10-15 06:50 UTC by Michal Privoznik
Modified: 2021-05-25 06:44 UTC

Fixed In Version: libvirt-6.10.0-1.el8
Doc Type: Enhancement
Doc Text:
Clone Of: 1885332
Environment:
Last Closed: 2021-05-25 06:43:38 UTC
Type: Feature Request
Target Upstream Version: 6.10.0



Description Michal Privoznik 2020-10-15 06:50:53 UTC
+++ This bug was initially created as a clone of Bug #1885332 +++

Description of problem:

From a high level, this is a request for an API to set values within a guest OS's authorized_keys file. This is similar in concept to the guest-set-user-password API command that already exists today [1].

The background here is that OpenShift Virtualization (previously known as CNV) would like to begin leveraging the guest agent to dynamically inject ssh public keys into a running guest OS.

We have already proven out the concept using the guest's file manipulation and exec capabilities here [2], however the commands we use in this proof of concept are not generally enabled for RHEL hosts. It's possible these commands are too permissive to ever be considered as being enabled by default. 

A targeted API (like a future guest-set-authorized-keys command) would likely be easier to justify enabling by default in RHEL guests, and would allow us to avoid tunneling a series of complex execution commands using the exec API. 

--- Additional comment from Marc-Andre Lureau on 2020-10-13 22:25:44 CEST ---

Sent to the qemu mailing list "[PATCH 0/2] qemu-ga: add ssh-{add,remove}-authorized-keys"

https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg03799.html

Comment 1 Marc-Andre Lureau 2020-11-07 09:14:58 UTC
on libvirt list: "[libvirt PATCH] qemu: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys"

Comment 2 Michal Privoznik 2020-11-10 16:00:15 UTC
Polished and finished Marc-Andre's patches and sent them to the list:

https://www.redhat.com/archives/libvir-list/2020-November/msg00444.html

Comment 5 Michal Privoznik 2020-11-18 15:39:15 UTC
Merged upstream as:

e068cdd5be (HEAD -> master, origin/master, origin/HEAD) news: Document recent OpenSSH authorized key file mgmt APIs
2500b5ed9d qemu: Implement OpenSSH authorized key file mgmt APIs
9770578904 qemu_agent: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys
87d12effbe virsh: Expose OpenSSH authorized key file mgmt APIs
40c35dfa1f remote: Implement OpenSSH authorized key file mgmt APIs
de0b6dd63e Introduce OpenSSH authorized key file mgmt APIs

v6.9.0-313-ge068cdd5be

Comment 12 Michal Privoznik 2020-12-16 10:22:04 UTC
For QE trying to verify this: there is a known problem with virsh and its inability to remove keys, tracked under bug 1904674.

Comment 13 Lili Zhu 2021-01-02 12:40:20 UTC
Verified this bug with:
libvirt-6.10.0-1.module+el8.4.0+8898+a84e86e1.x86_64

A. Set ssh authorized keys:
1. Try to get the authorized keys
# virsh get-user-sshkeys vm1 lizhu
(no output)

2. Try to ssh into the guest
# ssh lizhu@192.168.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
lizhu@192.168.122.13's password: 
(need password)

3. Set the user keys
# virsh set-user-sshkeys vm1 lizhu /root/.ssh/id_ed25519.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# ssh lizhu@192.168.122.13
[lizhu@localhost ~]$ 
(no password needed)

4. Set the keys for a non-root account to log in to the guest
# virsh set-user-sshkeys vm1 lizhu /home/tester/.ssh/id_rsa.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

$ ssh lizhu@192.168.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
Last login: Sat Jan  2 18:22:30 2021 from 192.168.122.1
[lizhu@localhost ~]$ 
(no password needed)

B. reset ssh authorized keys
1. Reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa ... tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# virsh set-user-sshkeys vm1 lizhu  --reset /root/.ssh/id_ed25519.pub 

# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
(the authorized keys file was reset, then the new keys were added)

2. Reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa ... tester@hostnamessh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname

# virsh set-user-sshkeys vm1 lizhu  --reset

# virsh get-user-sshkeys vm1 lizhu
(no output)
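
As an added example (not libvirt's or qemu-ga's own code), the following Python models the append / reset / remove semantics of virDomainAuthorizedSSHKeysSet that steps A and B above exercise through virsh set-user-sshkeys, using constructed sample keys. The set_guest_keys wrapper assumes libvirt-python's virDomain.authorizedSSHKeysSet / authorizedSSHKeysGet bindings and a guest with a connected agent.

```python
# Added example; not libvirt's or qemu-ga's own code. Models the flag
# semantics of virDomainAuthorizedSSHKeysSet (the API behind
# virsh set-user-sshkeys) on the content of an authorized_keys file.

# Flag values copied from libvirt's virDomainAuthorizedSSHKeysSetFlags.
SET_APPEND = 1 << 0   # virsh set-user-sshkeys without --reset
SET_REMOVE = 1 << 1   # virsh set-user-sshkeys --remove
# flags == 0 replaces the whole file (virsh set-user-sshkeys --reset)


def parse_keys(text):
    """Key lines of an authorized_keys blob, without blank and comment lines."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line)
    return keys


def apply_set(existing_text, new_keys, flags=0):
    """Return the new authorized_keys content for one user.

    existing_text: current file content (may lack a trailing newline).
    new_keys: key lines as read from a .pub file (possibly empty).
    """
    if flags & SET_APPEND and flags & SET_REMOVE:
        raise ValueError("APPEND and REMOVE are mutually exclusive")
    current = parse_keys(existing_text)
    wanted = parse_keys("\n".join(new_keys))
    if flags & SET_REMOVE:
        result = [k for k in current if k not in wanted]
    elif flags & SET_APPEND:
        result = current + [k for k in wanted if k not in current]
    else:
        result = wanted  # reset: the file becomes exactly the supplied keys
    # Every key is written on its own terminated line, so a .pub file that
    # lacks a trailing newline cannot run into the key that follows it.
    return "".join(k + "\n" for k in result)


def set_guest_keys(dom, user, keys, flags=SET_APPEND):
    """Same operation against a running guest through libvirt-python.

    Assumed binding names; needs a connected guest agent, so not run here.
    dom is a libvirt.virDomain; returns the keys the agent reports afterwards.
    """
    dom.authorizedSSHKeysSet(user, keys, flags)
    return dom.authorizedSSHKeysGet(user)
```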

Comment 14 Lili Zhu 2021-01-02 12:45:44 UTC
C: get or set authorized keys under readonly mode
#  virsh -r get-user-sshkeys vm1 lizhu
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysGet

#  virsh -r set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysSet

D: get or set authorized keys when qemu-guest-agent is stopped
#  virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: Guest agent is not responding: QEMU guest agent is not connected

#  virsh get-user-sshkeys vm1 lizhu 
error: Guest agent is not responding: QEMU guest agent is not connected

E: get or set authorized keys when qemu-guest-agent is not configured
#  virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub 
error: argument unsupported: QEMU guest agent is not configured

#  virsh get-user-sshkeys vm1 lizhu 
error: argument unsupported: QEMU guest agent is not configured

Comment 15 Lili Zhu 2021-01-11 01:56:46 UTC
For the --remove flag, it will be tracked in Bug 1904674.
Mark the bug as verified.

Comment 17 errata-xmlrpc 2021-05-25 06:43:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2098

