[wip] Use public key authentication #1131
Conversation
Attempt to allow key based authentication for ssh based backends
foursixnine
changed the title
| @@ -1170,24 +1170,40 @@ sub new_ssh_connection { | |||
| $args{username} ||= 'root'; | |||
|
|
|||
| my $ssh = Net::SSH2->new; | |||
|
|
|||
| my $privatekey_path = '/home/foursixnine/.openqa'; | |||
There was a problem hiding this comment.
This would be a worker setting
consoles/console.pm
Outdated
| my ($self, $username, $host, $gui, $privatekey) = @_; | ||
| my $sshopts = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"; | ||
| $sshopts .= " -o PubkeyAuthentication=no" unless defined $privatekey; | ||
| if (defined $privatekey && -e $privatekey){ |
There was a problem hiding this comment.
@coolo @mnowaksuse I'm tempted to use a job variable (say VIRSH_SSH_PRIVATEKEY and use that if it's set instead of expecting the private key to be passed somehow (Something I haven't figured out yet how to)... wdyt?
Tidy up in the meantime
Perhaps make it password-less? I don't see much security in this. |
Codecov Report
@@ Coverage Diff @@
## master #1131 +/- ##
===========================================
- Coverage 38.71% 27.45% -11.26%
===========================================
Files 40 40
Lines 4812 4822 +10
Branches 811 816 +5
===========================================
- Hits 1863 1324 -539
- Misses 2623 3285 +662
+ Partials 326 213 -113
Continue to review full report at Codecov.
|
|
@foursixnine What is a benefit of pub key authentication for our testing? Is it problematic to pass the password (I guess it's working everywhere, isn't it?) or security (why bother for testing)? |
Actually it's a byproduct of another issue I was working with, regarding timeouts on svirt backends, main benefit here is just to not need to input the password, and avoid the risk of having keys missing when there's high network load (which correlates with connection timeout messages) which was an issue in the past. You can give a look to poo#41504 Security wise, it's not my concern atm but rather stability and safety that the connection can be stablished... |
|
@foursixnine make sense, thanks for an explanation. I'd still explain the motivation in commit message or pointed out poo#41504. (if you search in git, you usually don't check PR on the web) |
|
@pevik makes sense tbh :) I'll do that at a later point |
|
please reopen when you continue the work. Thanks. Closing to clean up old open PRs. |
Attempt to allow key based authentication for ssh based backends.
There's still the VNC part of this that I haven't quite found the way how to make it work, as it's still using password auth.