----- Original Message ----- > From: "Hoot Thompson" <hoot(a)ptpnow.com&gt; > To: users(a)ovirt.org > Sent: Tuesday, October 21, 2014 3:52:24 AM > Subject: [ovirt-users] [Fwd: options for root and password] > > > > Is there an alternative to the root/paasword approach to managing hosts > (by the engine)? Our preference would be keys/passphrase if that's > possible. IIRC we already allow that, no? In the "new host" dialog you can choose "ssh public key". Best,

From: "Sven Kieske" <s.kieske(a)mittwald.de&gt; To: users(a)ovirt.org Sent: Tuesday, October 21, 2014 10:21:17 AM Subject: Re: [ovirt-users] [Fwd: options for root and password] On 21/10/14 09:05, Yedidyah Bar David wrote: > ----- Original Message ----- >> From: "Hoot Thompson" <hoot(a)ptpnow.com&gt; >> To: users(a)ovirt.org >> Sent: Tuesday, October 21, 2014 3:52:24 AM >> Subject: [ovirt-users] [Fwd: options for root and password] >> >> >> >> Is there an alternative to the root/paasword approach to managing hosts >> (by the engine)? Our preference would be keys/passphrase if that's >> possible. > > IIRC we already allow that, no? In the "new host" dialog you can choose > "ssh public key". > > Best, > Well there is this wiki page: http://www.ovirt.org/Features/Ssh_Abilities but it is from 2013 and has this security hole: "Currently we don't enforce fingerprint validation." I don't know if this is still valid, I don't find any options regarding public/private keys in ovirt 3.3. but I would be very interested in this topic to tighten security.

From: "Sven Kieske" <s.kieske(a)mittwald.de&gt; To: users(a)ovirt.org Sent: Tuesday, October 21, 2014 10:30:34 AM Subject: Re: [ovirt-users] [Fwd: options for root and password] On 21/10/14 09:21, Sven Kieske wrote: > > > On 21/10/14 09:05, Yedidyah Bar David wrote: >> ----- Original Message ----- >>> From: "Hoot Thompson" <hoot(a)ptpnow.com&gt; >>> To: users(a)ovirt.org >>> Sent: Tuesday, October 21, 2014 3:52:24 AM >>> Subject: [ovirt-users] [Fwd: options for root and password] >>> >>> >>> >>> Is there an alternative to the root/paasword approach to managing hosts >>> (by the engine)? Our preference would be keys/passphrase if that's >>> possible. >> >> IIRC we already allow that, no? In the "new host" dialog you can choose >> "ssh public key". >> >> Best, >> > > Well there is this wiki page: > > http://www.ovirt.org/Features/Ssh_Abilities > > but it is from 2013 and has this security hole: > > "Currently we don't enforce fingerprint validation." > > I don't know if this is still valid, I don't find any > options regarding public/private keys in ovirt 3.3. but > I would be very interested in this topic to tighten security. > I found this: http://www.ovirt.org/OVirt_Administration_Guide#Host_Tasks "Select an authentication method to use with the host. 1. Enter the root user's password to use password authentication. 2. Copy the key displayed in the SSH PublicKey field to /root/.ssh/authorized_keys on the host to use public key authentication." I guess this just works from version 3.4 upwards or also for 3.3.? if for 3.3. since which z stream release?

From: "Sven Kieske" <s.kieske(a)mittwald.de&gt; To: users(a)ovirt.org Sent: Tuesday, October 21, 2014 10:40:39 AM Subject: Re: [ovirt-users] [Fwd: options for root and password] On 21/10/14 09:21, Sven Kieske wrote: > I don't know if this is still valid, I don't find any > options regarding public/private keys in ovirt 3.3. but > I would be very interested in this topic to tighten security. It just turns out this already works in ovirt 3.3.2 maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be cve-worthy.