+++ This bug was initially created as a clone of Bug #1885332 +++

Description of problem:

From a high level, this is a request for an API to set values within a guest OS's authorized_keys file. This is similar in concept to the guest-set-user-password API command that already exists today [1].

The background here is that OpenShift Virtualization (previously known as CNV) would like to begin leveraging the guest agent to dynamically inject ssh public keys into a running guest OS. We have already proven out the concept using the guest's file manipulation and exec capabilities here [2]; however, the commands we use in this proof of concept are not generally enabled for RHEL hosts. It's possible these commands are too permissive to ever be considered for enabling by default. A targeted API (like a future guest-set-authorized-keys command) would likely be easier to justify enabling by default in RHEL guests, and would allow us to avoid tunneling a series of complex execution commands using the exec API.

--- Additional comment from Marc-Andre Lureau on 2020-10-13 22:25:44 CEST ---

Sent to the qemu mailing list "[PATCH 0/2] qemu-ga: add ssh-{add,remove}-authorized-keys"
https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg03799.html
on libvirt list: "[libvirt PATCH] qemu: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys"
Polished and finished Marc-Andre's patches and sent them to the list: https://www.redhat.com/archives/libvir-list/2020-November/msg00444.html
v2: https://www.redhat.com/archives/libvir-list/2020-November/msg00821.html
v3: https://www.redhat.com/archives/libvir-list/2020-November/msg01012.html
Merged upstream as:
e068cdd5be (HEAD -> master, origin/master, origin/HEAD) news: Document recent OpenSSH authorized key file mgmt APIs
2500b5ed9d qemu: Implement OpenSSH authorized key file mgmt APIs
9770578904 qemu_agent: add qemuAgentSSH{Add,Remove,Get}AuthorizedKeys
87d12effbe virsh: Expose OpenSSH authorized key file mgmt APIs
40c35dfa1f remote: Implement OpenSSH authorized key file mgmt APIs
de0b6dd63e Introduce OpenSSH authorized key file mgmt APIs
v6.9.0-313-ge068cdd5be
For QE trying to verify this: there is a known problem with virsh and its inability to remove keys, tracked under bug 1904674.
Verify this bug with: libvirt-6.10.0-1.module+el8.4.0+8898+a84e86e1.x86_64

A. Set ssh authorized keys:

1. try to get the authorized keys
# virsh get-user-sshkeys vm1 lizhu
(no output)

2. try to ssh into the guest
# ssh lizhu.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
lizhu.122.13's password:
(need password)

3. set the user keys
# virsh set-user-sshkeys vm1 lizhu /root/.ssh/id_ed25519.pub
# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
# ssh lizhu.122.13
[lizhu@localhost ~]$
(not need password)

4. set the keys for non-root account to login into guest
# virsh set-user-sshkeys vm1 lizhu /home/tester/.ssh/id_rsa.pub
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostname
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
$ ssh lizhu.122.13
The authenticity of host '192.168.122.13 (192.168.122.13)' can't be established.
ECDSA key fingerprint is SHA256:gqKSjboQt9oW4o2/3I+RUf4Ml2Ys4Gf0XIE0BCFMZKQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.122.13' (ECDSA) to the list of known hosts.
Last login: Sat Jan 2 18:22:30 2021 from 192.168.122.1
[lizhu@localhost ~]$
(not need password)

B. reset ssh authorized keys

1. reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostname
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
# virsh set-user-sshkeys vm1 lizhu --reset /root/.ssh/id_ed25519.pub
# virsh get-user-sshkeys vm1 lizhu
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
(reset the authorized keys file, then added new keys)

2. reset ssh keys with file
# virsh get-user-sshkeys vm1 lizhu
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDPf3MR2Fl9yuGEKWvdpY7KpylRObqBee+2ww+i+qiVROzEAPBAs41I2B7yiLNtbhz+f9S7t42H9AmmRkGvhjoAG5NlTbAECMorsA/eBYnNtJzRMP+RvwiePTH2jkpH1HzntxPC+f9Z6xo7k+LyJuyMUUnsdocwTTb6vglzZzvUmZowySwNf7WHzL02sts5Sd2jfApUrXBIs73L1tPm06tAzPj67QhiH5bH+eTJvKR80RYYX4QIf/8Ert5TfUq3Gtp/0amwCEpveDxBb7zbN9jxxv7iUDwhOB/ZQGHO+lA1It4k0aLmvnnJJUKgCkvYWYI7rJqUPfW81XJPSpKSNB6z9jF/qShea6XpUNY7djT9u1zco/S6fo5/xxjM1e7eueWoeeg+Jnkz1lfyPV2o4CcT1mXh8GhtvAwv3ooGiyfN3e2fuRWiVAyqnoa/SeN4WQ/ykhqcF/wJMMk8X7fMQp1YANsTtTrqSELw9OYC7uPzTzmgdr2S/mcnYngEoYUu6+8= tester@hostname
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF root@hostname
# virsh set-user-sshkeys vm1 lizhu --reset
# virsh get-user-sshkeys vm1 lizhu
(no output)

C: get or set authorized keys under readonly mode
# virsh -r get-user-sshkeys vm1 lizhu
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysGet
# virsh -r set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub
error: operation forbidden: read only access prevents virDomainAuthorizedSSHKeysSet

D: get or set authorized keys when qemu-guest-agent is stopped
# virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub
error: Guest agent is not responding: QEMU guest agent is not connected
# virsh get-user-sshkeys vm1 lizhu
error: Guest agent is not responding: QEMU guest agent is not connected

E: get or set authorized keys when qemu-guest-agent is not configured
# virsh set-user-sshkeys vm1 lizhu --file /root/.ssh/id.pub
error: argument unsupported: QEMU guest agent is not configured
# virsh get-user-sshkeys vm1 lizhu
error: argument unsupported: QEMU guest agent is not configured
For the --remove flag, will track it in Bug 1904674. Mark the bug as verified.
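The append, reset-with-file and reset-without-file behaviour exercised in steps A.3, A.4, B.1 and B.2 of the verification above, replayed on an in-memory authorized_keys text. This is an added example, not libvirt or qemu-guest-agent code; skipping duplicate keys on append and the remove mode are assumptions about the agent's behaviour, and the RSA key string is constructed (the ed25519 key is the one quoted in the log).

```python
# Added example (not libvirt or qemu-ga code): a model of how the virsh set-user-sshkeys
# modes change an authorized_keys file. Append = virsh default, reset = replace (an empty
# key list clears the file), remove = drop matching lines. Skipping duplicates on append
# is an assumption about the agent's behaviour, not something the bug report states.


def parse_authorized_keys(text: str) -> list[str]:
    """Return key lines in file order, ignoring blank lines and '#' comments."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def set_authorized_keys(current: str, keys: list[str], *,
                        append: bool = False, remove: bool = False) -> str:
    """Return the new file contents for the APPEND / REMOVE / replace modes."""
    if append and remove:
        raise ValueError("append and remove are mutually exclusive")
    existing = parse_authorized_keys(current)
    wanted = [k.strip() for k in keys if k.strip()]
    if remove:
        result = [k for k in existing if k not in wanted]
    elif append:
        # assumption: a key already present is not written twice
        result = existing + [k for k in wanted if k not in existing]
    else:
        result = wanted  # reset: replace the file; an empty list clears it
    return "".join(k + "\n" for k in result)


# The ed25519 key is the one quoted in the verification log; the RSA key is a
# constructed placeholder so the example stays readable.
ROOT_KEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOwEYxBFIc9Gz55SepEKYjS3dR0GrgTAHbgYbWHU6cEF "
            "root@hostname")
TESTER_KEY = "ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SAMPLE tester@hostname"


def replay_verification() -> dict[str, list[str]]:
    """Replay steps A.3, A.4, B.1 and B.2 and return the key list after each step."""
    states = {}
    f = ""                                                  # A.1: get returns nothing
    f = set_authorized_keys(f, [ROOT_KEY], append=True)     # A.3: virsh default appends
    states["A3"] = parse_authorized_keys(f)
    f = set_authorized_keys(f, [TESTER_KEY], append=True)   # A.4: second key is appended
    states["A4"] = parse_authorized_keys(f)
    f = set_authorized_keys(f, [ROOT_KEY])                  # B.1: --reset <file> replaces
    states["B1"] = parse_authorized_keys(f)
    f = set_authorized_keys(f, [])                          # B.2: --reset alone clears
    states["B2"] = parse_authorized_keys(f)
    return states
```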
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (virt:av bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2098