Description of problem: Libvirt's libssh2 driver uses the keyboard-interactive authentication method of the ssh protocol to do password authentication. If the method is disabled fallback for "password" authentication method is not implemented. Version-Release number of selected component (if applicable): libvirt-0.10.2-10.el6.x86_64 How reproducible: 100% Steps to Reproduce: 1: machine rhel6-host has "ChallengeResponseAuthentication no" in /etc/ssh/sshd_config 2: virsh -c qemu+libssh2://root@rhel6-host/system Actual results: virsh -c qemu+libssh2://root@localhost/system Accept SSH host key with hash '...' for host 'localhost:22' (y/n)?: y error: authentication failed: All provided authentication methods with credentials were rejected by the server Expected results: $ virsh -c qemu+libssh2://root@localhost/system Accept SSH host key with hash '...' for host 'localhost:22' (y/n)?: y Password: Welcome to virsh, the virtualization interactive terminal. Type: 'help' for help with commands 'quit' to quit virsh # Additional info: Workaround: Enable keyboard-interactive authentication in sshd: Edit /etc/ssh/sshd_config and enable option "ChallengeResponseAuthentication".
Patches fixing this issue posted upstream: http://www.redhat.com/archives/libvir-list/2013-July/msg00581.html
Fix commited upstream: commit 273745b43122a77adf8c73b2e0a852ac42387349 Author: Peter Krempa <pkrempa> Date: Tue Jul 9 16:46:32 2013 +0200 remote: Improve libssh2 password authentication This patch enables the password authentication in the libssh2 connection driver. There are a few benefits to this step: 1) Hosts with challenge response authentication will now be supported with the libssh2 connection driver. 2) Credential for hosts can now be stored in the authentication credential config file commit 676504e3be2833d606f076b4ba939f1d8dbea0cf Author: Peter Krempa <pkrempa> Date: Tue Jul 9 16:34:38 2013 +0200 libssh2: Improve password based authentication The password authentication method wasn't used as there wasn't a pleasant way to pass the password. This patch adds the option to use virAuth util functions to request the password either from a config file or uses the conf callback to request it from the user. commit c7dba5d69528377edc2ce33415fd131d61efda4b Author: Peter Krempa <pkrempa> Date: Tue Jul 9 16:14:45 2013 +0200 virAuth: Don't require virConnectPtr to retrieve authentication creds Previously a connection object was required to retrieve the auth credentials. This patch adds the option to call the retrieval functions only using the connection URI or path to the configuration file. This will allow to use this toolkit to request passwords for ssh authentication in the libssh2 connection driver. Changes: *virAuthGetConfigFilePathURI(): use URI to retrieve the config file path *virAuthGetCredential(): Remove the need to propagate conn object virAuthGetPasswordPath(): *virAuthGetUsernamePath(): New functions, that use config file path instead of conn object