<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 11/08/2016 11:46 AM, Archana Singh
wrote:<br>
</div>
<blockquote
cite="mid:fbfb9c7b-ad09-6b12-2940-2335dc9729bf@linux.vnet.ibm.com"
type="cite">
<p><b>Currently</b>:</p>
<div class="edit-comment-hide">
<div class="comment-body markdown-body markdown-format
js-comment-body">
<p>Upon migrating a guest to a remote server, password-less ssh is
permanent.<br>
Due to that, one is able to log on to the remote
server from a terminal without being prompted for a password.</p>
<p><b>Propose</b>:</p>
<p>Upon completion of migration, password-less ssh has to
be revoked.</p>
<p>Option 1: As migration needs password-less ssh, without
which migration cannot be done, it should be deleted once
migration is completed.</p>
</div>
</div>
</blockquote>
I can live with option (1) as long as:<br>
<br>
- we clearly warn the user that the password-less setup made by
Kimchi will be undone<br>
after the migration;<br>
<br>
- if there is an existing password-less setup environment we do not
undo it.<br>
<br>
<blockquote
cite="mid:fbfb9c7b-ad09-6b12-2940-2335dc9729bf@linux.vnet.ibm.com"
type="cite">
<div class="edit-comment-hide">
<div class="comment-body markdown-body markdown-format
js-comment-body">
<p>Option 2: Let's inform the user that on migration password-less
ssh will be established until migration is completed (maybe
in the documentation or in the UI), and ask the user in the migration
UI panel whether he wants to delete the password-less ssh login or not.<br>
</p>
</div>
</div>
</blockquote>
<br>
I think you mean that we can provide the user the option to either
retain the password-less<br>
setup or not. I think this is the best option.<br>
<br>
<br>
<blockquote
cite="mid:fbfb9c7b-ad09-6b12-2940-2335dc9729bf@linux.vnet.ibm.com"
type="cite">
<div class="edit-comment-hide">
<div class="comment-body markdown-body markdown-format
js-comment-body">
<p> </p>
Option 3: Using libvirt.openauth. However I was not able to
figure out any proper documentation on how to use openauth.<br>
</div>
</div>
</blockquote>
<br>
Same here.<br>
<br>
<blockquote
cite="mid:fbfb9c7b-ad09-6b12-2940-2335dc9729bf@linux.vnet.ibm.com"
type="cite">
<div class="edit-comment-hide">
<div class="comment-body markdown-body markdown-format
js-comment-body"> <br>
As this is a kind of security issue, we can go with Option 1
to fix the issue for now; enhancement is always possible. :)<br>
</div>
</div>
</blockquote>
<br>
<br>
In my opinion if you implement (1) there's not much extra code to go
for (2). It would be<br>
basically an extra parameter in the 'migrate' API to indicate
whether the password-less setup<br>
should be undone and, if the parameter is 'true', undo it. I believe
the solution should<br>
aim for (2).<br>
<br>
<br>
Daniel<br>
<blockquote
cite="mid:fbfb9c7b-ad09-6b12-2940-2335dc9729bf@linux.vnet.ibm.com"
type="cite">
<div class="edit-comment-hide">
<div class="comment-body markdown-body markdown-format
js-comment-body"> <br>
Thanks,<br>
Archana Singh<br>
</div>
</div>
</blockquote>
<br>
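The behaviour discussed in this thread, sketched as an added example (not Kimchi code and not written by either participant): record whether the migration itself installed the key on the remote host, and remove only that entry when the caller asks for the setup to be undone.<br>
The function names, the <code>undo</code> flag and the sample keys are assumptions constructed for illustration.<br>
<pre>
```python
# Added example, not Kimchi code. All names and keys here are hypothetical.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample data (blobs are placeholders, not real keys).
EXISTING = "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedADMIN admin@laptop\n"
MIGRATION_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAconstructedHOST root@source"


def key_id(line):
    """Return (key type, base64 blob) of an authorized_keys line, else None."""
    if line.lstrip().startswith("#"):
        return None  # comment line, including a commented-out key
    fields = line.split()
    # Options may come before the key type, so search for the type field.
    # Simplification: option values that look like a key type are not handled.
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return (field, fields[i + 1])
    return None


def grant(authorized_keys, pubkey):
    """Authorize pubkey if absent. Returns (new_text, added_by_us)."""
    wanted = key_id(pubkey)
    if wanted is None:
        raise ValueError("not a public key line")
    lines = authorized_keys.splitlines()
    if any(key_id(line) == wanted for line in lines):
        return authorized_keys, False  # pre-existing setup, must survive
    return "\n".join(lines + [pubkey.strip()]) + "\n", True


def revoke(authorized_keys, pubkey, added_by_us, undo=True):
    """Drop pubkey only if this migration added it and undo was requested."""
    wanted = key_id(pubkey)
    if wanted is None:
        raise ValueError("not a public key line")
    if not (undo and added_by_us):
        return authorized_keys
    kept = [l for l in authorized_keys.splitlines() if key_id(l) != wanted]
    return "\n".join(kept) + ("\n" if kept else "")


if __name__ == "__main__":
    text, added = grant(EXISTING, MIGRATION_KEY)       # before migration
    print(revoke(text, MIGRATION_KEY, added), end="")  # after migration
```
</pre>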
</body>
</html>