Re: [ovirt-users] [Fwd: options for root and password]

So in trying to use keys instead of root/password, per the ovirt GUI I enter the address of the host, specify port 2222 (sshd listening here will allow ssh into root via keys), check the "SSH Public Key" button, copy the contents of the key provided in the UI to the /root/.ssh/authorized_keys file on the node being added, and get:
Error while executing action: Cannot install Host with empty password.
The logs show:
WARN [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-6) [750e08ac] CanDoAction of action AddVds failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__HOST,$server *our_server's_hostname*,VDS_CANNOT_INSTALL_EMPTY_PASSWORD
On 10/21/14 4:00 AM, "Yair Zaslavsky" <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Sven Kieske" <s.kieske@mittwald.de>
Cc: users@ovirt.org
Sent: Tuesday, October 21, 2014 10:49:02 AM
Subject: Re: [ovirt-users] [Fwd: options for root and password]
----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de>
To: users@ovirt.org
Sent: Tuesday, October 21, 2014 10:40:39 AM
Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:21, Sven Kieske wrote:
I don't know if this is still valid; I don't find any options regarding public/private keys in ovirt 3.3, but I would be very interested in this topic to tighten security.
It just turns out this already works in ovirt 3.3.2, maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be CVE-worthy.
When a host is added, its ssh fingerprint is recorded in the database and is enforced from this point on. It can be modified only in the Edit Host dialog. You can also pre-fetch the fingerprint before adding the host in the Add Host dialog in order to confirm that it is the correct host; it will add this fingerprint to the database and enforce it when adding the host too.
CC'ing Yaniv Bronheim, who was the feature owner for ssh fingerprint usage during host addition. I guess Yaniv can confirm exactly in which version it was added.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users

----- Original Message -----
From: "John H. Thompson (GSFC-606.2)[Computer Sciences Corporation]" <hoot@ptpnow.com>
To: "Yair Zaslavsky" <yzaslavs@redhat.com>, "Alon Bar-Lev" <alonbl@redhat.com>
Cc: users@ovirt.org
Sent: Thursday, October 23, 2014 5:28:23 AM
Subject: Re: [ovirt-users] [Fwd: options for root and password]
So in trying to use keys instead of root/password, per the ovirt GUI I enter the address of the host, specify port 2222 (sshd listening here will allow ssh into root via keys), check the "SSH Public Key" button, copy the contents of the key provided in the UI to the /root/.ssh/authorized_keys file on the node being added, and get:
Error while executing action: Cannot install Host with empty password.
Please make sure:
1. /root/.ssh is owned by root and its mode is 0700
2. /root/.ssh/authorized_keys is owned by root and its mode is 0600
3. you run restorecon -r /root/.ssh to set correct selinux properties.
The logs show:
WARN [org.ovirt.engine.core.bll.AddVdsCommand] (ajp--127.0.0.1-8702-6) [750e08ac] CanDoAction of action AddVds failed. Reasons:VAR__ACTION__ADD,VAR__TYPE__HOST,$server *our_server's_hostname*,VDS_CANNOT_INSTALL_EMPTY_PASSWORD
On 10/21/14 4:00 AM, "Yair Zaslavsky" <yzaslavs@redhat.com> wrote:
----- Original Message -----
From: "Alon Bar-Lev" <alonbl@redhat.com>
To: "Sven Kieske" <s.kieske@mittwald.de>
Cc: users@ovirt.org
Sent: Tuesday, October 21, 2014 10:49:02 AM
Subject: Re: [ovirt-users] [Fwd: options for root and password]
----- Original Message -----
From: "Sven Kieske" <s.kieske@mittwald.de>
To: users@ovirt.org
Sent: Tuesday, October 21, 2014 10:40:39 AM
Subject: Re: [ovirt-users] [Fwd: options for root and password]
On 21/10/14 09:21, Sven Kieske wrote:
I don't know if this is still valid; I don't find any options regarding public/private keys in ovirt 3.3, but I would be very interested in this topic to tighten security.
It just turns out this already works in ovirt 3.3.2, maybe even earlier, but I would like to know if the point about host key validation on the mentioned wiki page is still true, as I think this would be CVE-worthy.
When a host is added, its ssh fingerprint is recorded in the database and is enforced from this point on. It can be modified only in the Edit Host dialog. You can also pre-fetch the fingerprint before adding the host in the Add Host dialog in order to confirm that it is the correct host; it will add this fingerprint to the database and enforce it when adding the host too.
CC'ing Yaniv Bronheim, who was the feature owner for ssh fingerprint usage during host addition. I guess Yaniv can confirm exactly in which version it was added.
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
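An added example, not part of the original thread: a shell audit of the ownership and mode conditions listed in the reply above, with a read-only report of pending SELinux relabels. The function names `check_path` and `check_ssh_dir` are made up for this example, and it assumes GNU `stat` and that root is uid 0.

```shell
#!/bin/sh
# Added example: audit an .ssh directory against the conditions in the reply.
# Assumes GNU stat (Linux). Function names are made up for this example.

# check_path PATH UID MODE: print a finding and return 1 on any mismatch.
check_path() {
    path=$1 want_uid=$2 want_mode=$3 bad=0
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got=$(stat -c '%u %a' "$path")   # numeric owner and octal mode
    got_uid=${got% *}
    got_mode=${got#* }
    if [ "$got_uid" != "$want_uid" ]; then
        echo "OWNER    $path uid=$got_uid expected=$want_uid"
        bad=1
    fi
    if [ "$got_mode" != "$want_mode" ]; then
        echo "MODE     $path mode=$got_mode expected=$want_mode"
        bad=1
    fi
    return $bad
}

# check_ssh_dir [DIR] [UID]: defaults are /root/.ssh and uid 0 (root).
check_ssh_dir() {
    dir=${1:-/root/.ssh} uid=${2:-0} rc=0
    check_path "$dir" "$uid" 700 || rc=1
    check_path "$dir/authorized_keys" "$uid" 600 || rc=1
    # restorecon -n changes nothing; -v lists files whose label would change.
    # Advisory only: it does not affect the return status.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -n -v -r "$dir" 2>/dev/null | sed 's/^/SELINUX  /'
    fi
    return $rc
}

# Run the audit only when arguments are given, e.g.: sh audit.sh /root/.ssh 0
if [ "$#" -gt 0 ]; then
    check_ssh_dir "$@"
fi
```

A non-zero exit status means at least one ownership or mode finding was printed; any `SELINUX` lines are the files that `restorecon -r` would relabel.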