Tue, Mar 01, 2016 at 11:21:13AM CET, olichtne(a)redhat.com wrote:
On Tue, Mar 01, 2016 at 11:04:33AM +0100, Jan Tluka wrote:
> Mon, Feb 29, 2016 at 05:17:27PM CET, olichtne(a)redhat.com wrote:
> >From: Ondrej Lichtner <olichtne(a)redhat.com>
> >
> >This makes the Wizard use the CtlSecureSocket instead of the basic
> >socket. In case of noninteractive mode it is automatically assumed that
> >the communication between Slave and the wizard is not secured - it uses
> >the "none" authentication method.
> >
> >In case of interactive mode, the user will be asked to provide security
> >parameters that will be used for the handshake. These will also be
> >included in the resulting slave machine description XML file.
> >
> >If the connection fails during the handshake the user will be notified
> >of this.
> >
> >Signed-off-by: Ondrej Lichtner <olichtne(a)redhat.com>
> >---
>
> Two issues so far for wizard.
>
> When I do ./lnst-pool-wizard -v (interactive virtual mode), the wizard won't
> ask for security parameters.
That's because the Wizard doesn't connect to the virt machines... so it
isn't opening a socket. If we want, we can add the security parameters
query so that we can output it into the XML file, but they won't be
"tested" since no connection will be created.
>
> Second, I got traceback when I specified 'ssh' auth for one of the slaves:
>
> $ ./lnst-pool-wizard
> Enter path to a pool directory (default: '/home/igyn/.lnst/pool/'): /home/igyn/.lnst/pool-secure-2
> Path '/home/igyn/.lnst/pool-secure-2' does not exist
> Create dir '/home/igyn/.lnst/pool-secure-2'? [Y/n]: y
> Dir '/home/igyn/.lnst/pool-secure-2' has been created
> Enter hostname: lnst1
> Enter port (default: 9999):
> Enter authentication type (default: none): ssh
> Traceback (most recent call last):
>   File "./lnst-pool-wizard", line 92, in <module>
>     main()
>   File "./lnst-pool-wizard", line 86, in main
>     wizard.interactive(hostlist, pool_dir)
>   File "/home/igyn/tmp/lnst/lnst/Controller/Wizard.py", line 74, in interactive
>     sock = self._get_connection(hostname, port, sec_params)
>   File "/home/igyn/tmp/lnst/lnst/Controller/Wizard.py", line 374, in _get_connection
>     ret.handshake(sec_params)
>   File "/home/igyn/tmp/lnst/lnst/Controller/CtlSecSocket.py", line 62, in handshake
>     self._ssh_handshake()
>   File "/home/igyn/tmp/lnst/lnst/Controller/CtlSecSocket.py", line 161, in _ssh_handshake
>     ctl_ssh_key = load_pem_private_key(f.read(), None, backend)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
>     return backend.load_pem_private_key(data, password)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 276, in load_pem_private_key
>     return b.load_pem_private_key(data, password)
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 694, in load_pem_private_key
>     password,
>   File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 863, in _load_key
>     raise password_func.exception
> TypeError: Password was not given but private key is encrypted.
Right... the SecSocket classes don't support password encrypted keys...
if they did, you'd have to include the password in the lnst-ctl.conf
file which I don't think anyone will want to do... What are your
thoughts on this?
Hmm, and if I use ssh-add to unlock my key? What's the difference? Or is
this just what openssh provides for ssh tools only?
If it's a different problem (your ssh key isn't encrypted) then I'll
have to investigate further...
The key IS encrypted. Thanks for your advice!
>
>-Ondrej
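An added example (not LNST's code) of the check a loader in CtlSecSocket could make before calling load_pem_private_key: classify the key file by its PEM headers and prompt for a passphrase only when the key really is encrypted, instead of storing one in lnst-ctl.conf. The names key_format, load_ctl_key, SAMPLES and the ask_passphrase hook are assumptions, and SAMPLES holds constructed header-only blobs, not real keys.

```python
import getpass
import re

# Traditional OpenSSL PEM keys mark encryption with a "Proc-Type: 4,ENCRYPTED"
# header, PKCS#8 keys with their own BEGIN line; OpenSSH's native format is
# not PEM and load_pem_private_key cannot read it at all.
_PKCS8_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
_OPENSSH_NATIVE = b"-----BEGIN OPENSSH PRIVATE KEY-----"
_PROC_TYPE = re.compile(br"^Proc-Type:\s*4,ENCRYPTED\b", re.MULTILINE)

# Constructed header-only samples (not real keys) to exercise key_format().
SAMPLES = {
    "openssl_encrypted": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         b"DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "pkcs8_encrypted": b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQUJD\n"
                       b"-----END ENCRYPTED PRIVATE KEY-----\n",
    "plain": b"-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "openssh": b"-----BEGIN OPENSSH PRIVATE KEY-----\nQUJD\n-----END OPENSSH PRIVATE KEY-----\n",
}


def key_format(pem):
    """Classify key file bytes as 'plain', 'encrypted' or 'openssh'."""
    head = pem.lstrip()
    if head.startswith(_OPENSSH_NATIVE):
        return "openssh"
    if head.startswith(_PKCS8_ENCRYPTED) or _PROC_TYPE.search(pem):
        return "encrypted"
    return "plain"


def load_ctl_key(path, ask_passphrase=getpass.getpass):
    """Load the controller key, asking for a passphrase only when the file
    is encrypted; ask_passphrase is a hypothetical hook (getpass by default),
    so the passphrase never has to live in lnst-ctl.conf."""
    # Imported lazily so key_format() stays usable without cryptography.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.serialization import load_pem_private_key
    with open(path, "rb") as f:
        pem = f.read()
    fmt = key_format(pem)
    if fmt == "openssh":
        raise ValueError("%s is in OpenSSH native format; convert it with "
                         "'ssh-keygen -p -m PEM -f %s' first" % (path, path))
    password = None
    if fmt == "encrypted":
        # Passing None here is what raised the TypeError in the traceback;
        # a wrong passphrase makes load_pem_private_key raise ValueError.
        password = ask_passphrase("Passphrase for %s: " % path).encode()
    return load_pem_private_key(pem, password, default_backend())
```

ssh-add does not change this: the agent keeps the decrypted key in its own process and only signs on request, while the file on disk stays encrypted, so code that reads the file directly still needs the passphrase.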