Setup SSH Authorization

Headhunterzpw edited this page Aug 2, 2016 · 27 revisions

For new versions of webvirtmgr

  1. Create SSH private key and ssh config options (On system where WebVirtMgr is installed):

    $ sudo su - nginx -s /bin/bash

    (The nginx user may not be named "nginx"; "www-data" is also common. Check nginx.conf.)

    $ ssh-keygen

    Generating public/private rsa key pair.

    Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!

    $ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config

    $ chmod 0600 ~/.ssh/config

  2. Add the webvirtmgr user (on qemu-kvm/libvirt host server) and add it to the proper group:

    $ sudo adduser webvirtmgr

    $ sudo passwd webvirtmgr

    $ sudo usermod -G libvirtd -a webvirtmgr

    On Debian the group name has no "d" appended, so the command is:

    $ sudo usermod -G libvirt -a webvirtmgr

  3. Back on the webvirtmgr host, copy the public key to the qemu-kvm/libvirt host server:

    $ sudo su - nginx -s /bin/bash

    $ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host

    Or if you changed the default SSH port use:

    $ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

Now you can test the connection by entering:

$ ssh webvirtmgr@qemu-kvm-libvirt-host

For a non-standard SSH port use:

$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

You should connect without entering a password.

  4. Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):

On Ubuntu:

$ sudo adduser webvirtmgr libvirtd

Fedora, CentOS:

Create file /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla (permissions for user webvirtmgr):

[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Documentation below is slightly outdated as webvirtmgr uses nginx now!

But it works with previous versions

Create SSH private key (On system where WebVirtMgr is installed)

Find the home directory of the Apache user (Ubuntu, Debian: "www-data"; Fedora, CentOS: "apache"):

$ awk -F: '$1 == "apache" {print $6}' /etc/passwd
/var/www

Create .ssh directory for Apache user:

$ sudo mkdir /var/www/.ssh
$ sudo chmod 700 /var/www/.ssh
$ sudo vi /var/www/.ssh/config

File /var/www/.ssh/config must contain:

StrictHostKeyChecking=no
UserKnownHostsFile=/dev/null

Create the SSH key pair, saving the private key as /var/www/.ssh/id_rsa:

$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa

Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):

$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh

Set up SSH public key (On libvirt Host Server)

Create a user for managing libvirt:

$ sudo adduser webvirtmgr

Copy /var/www/.ssh/id_rsa.pub into .ssh/authorized_keys of user webvirtmgr (on the server):

$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh

Set up permissions to manage libvirt

Ubuntu:

$ sudo adduser webvirtmgr libvirtd

Fedora, CentOS:

Create file /etc/polkit-1/localauthority/50-local.d/50-libvirt-remote-access.pkla (permissions for user webvirtmgr):

[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
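
The ssh config written in step 1 (and in the older Apache instructions) sets StrictHostKeyChecking=no and UserKnownHostsFile=/dev/null, so the web server user's ssh client accepts whatever host key the libvirt server presents and cannot notice a substituted host. The following is an added example, not part of the WebVirtMgr wiki or project: a small audit function (the name `audit_ssh_config` and the sample file are assumptions) that flags these two options in any ssh client config so they can be replaced with a pinned known_hosts file.

```shell
#!/bin/sh
# Added example, not part of the WebVirtMgr wiki.
# audit_ssh_config FILE: print one finding per line for ssh client options
# that turn off host key verification. Returns 1 if anything was found.
audit_ssh_config() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # ssh_config accepts "Keyword value" and "Keyword=value";
            # keywords are case-insensitive.
            if (!match(line, /[ \t=]/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
            if (key == "stricthostkeychecking" && tolower(val) ~ /^(no|off)$/) {
                printf "%s:%d: StrictHostKeyChecking %s: new or changed host keys are accepted\n", FILENAME, NR, val
                bad = 1
            }
            if (key == "userknownhostsfile" && val == "/dev/null") {
                printf "%s:%d: UserKnownHostsFile /dev/null: host keys are never remembered\n", FILENAME, NR
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: the two lines step 1 appends to ~/.ssh/config.
sample=$(mktemp)
printf 'StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null\n' > "$sample"
if audit_ssh_config "$sample"; then
    echo "no findings"
else
    echo "host key verification is disabled in $sample"
fi
rm -f "$sample"
```

Run it against the real file with `audit_ssh_config ~/.ssh/config` as the nginx (or Apache) user; a config that sets `StrictHostKeyChecking yes` and points `UserKnownHostsFile` at a file holding the libvirt host's key produces no findings.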