On Tue, Mar 01, 2016 at 11:04:33AM +0100, Jan Tluka wrote:
Mon, Feb 29, 2016 at 05:17:27PM CET, olichtne(a)redhat.com wrote:
>From: Ondrej Lichtner <olichtne(a)redhat.com>
>
>This makes the Wizard use the CtlSecureSocket instead of the basic
>socket. In case of noninteractive mode it is automatically assumed that
>the communication between Slave and the wizard is not secured - it uses
>the "none" authentication method.
>
>In case of interactive mode, the user will be asked to provide security
>parameters that will be used for the handshake. These will also be
>included in the resulting slave machine description XML file.
>
>If the connection fails during the handshake the user will be notified
>of this.
>
>Signed-off-by: Ondrej Lichtner <olichtne(a)redhat.com>
>---
Two issues so far for the wizard.
When I do ./lnst-pool-wizard -v (interactive virtual mode), the wizard won't
ask for security parameters.
That's because the Wizard doesn't connect to the virt machines... so it
isn't opening a socket. If we want, we can add the security parameters
query so that we can output it into the XML file, but they won't be
"tested" since no connection will be created.
Second, I got a traceback when I specified 'ssh' auth for one of the slaves:
$ ./lnst-pool-wizard
Enter path to a pool directory (default: '/home/igyn/.lnst/pool/'):
/home/igyn/.lnst/pool-secure-2
Path '/home/igyn/.lnst/pool-secure-2' does not exist
Create dir '/home/igyn/.lnst/pool-secure-2'? [Y/n]: y
Dir '/home/igyn/.lnst/pool-secure-2' has been created
Enter hostname: lnst1
Enter port (default: 9999):
Enter authentication type (default: none): ssh
Traceback (most recent call last):
  File "./lnst-pool-wizard", line 92, in <module>
    main()
  File "./lnst-pool-wizard", line 86, in main
    wizard.interactive(hostlist, pool_dir)
  File "/home/igyn/tmp/lnst/lnst/Controller/Wizard.py", line 74, in interactive
    sock = self._get_connection(hostname, port, sec_params)
  File "/home/igyn/tmp/lnst/lnst/Controller/Wizard.py", line 374, in _get_connection
    ret.handshake(sec_params)
  File "/home/igyn/tmp/lnst/lnst/Controller/CtlSecSocket.py", line 62, in handshake
    self._ssh_handshake()
  File "/home/igyn/tmp/lnst/lnst/Controller/CtlSecSocket.py", line 161, in _ssh_handshake
    ctl_ssh_key = load_pem_private_key(f.read(), None, backend)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization.py", line 20, in load_pem_private_key
    return backend.load_pem_private_key(data, password)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/multibackend.py", line 276, in load_pem_private_key
    return b.load_pem_private_key(data, password)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 694, in load_pem_private_key
    password,
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 863, in _load_key
    raise password_func.exception
TypeError: Password was not given but private key is encrypted.
Right... the SecSocket classes don't support password encrypted keys...
if they did, you'd have to include the password in the lnst-ctl.conf
file which I don't think anyone will want to do... What are your
thoughts on this?
If it's a different problem (your ssh key isn't encrypted) then I'll
have to investigate further...
-Ondrej
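The failure in the traceback above is `load_pem_private_key(data, None, backend)` being handed a passphrase-protected key. The block below is an added example, not LNST code and not anything from the thread: it checks the PEM armour and RFC 1421 headers to tell whether a key is encrypted before the library is called, and only then asks for a passphrase through a caller-supplied callback (getpass.getpass in interactive mode, nothing in non-interactive mode, so the secret never has to live in a config file). The `PrivateKeyError` class, the function names and the PEM samples are all mine; the sample bodies are constructed placeholders, not real key material, and only the header check is exercised on them.

```python
"""Detect passphrase-protected PEM private keys before handing them to
cryptography's load_pem_private_key(), so the caller can prompt for the
passphrase (or fail with a clear message) instead of hitting the TypeError
seen in the wizard traceback.

Added example, not LNST code. The PEM samples below are constructed: the
base64 bodies are placeholders, not real keys, and are only used to
exercise the header check.
"""
import re
from typing import Callable, Optional

# PKCS#8 encrypted keys announce themselves in the armour label.
_PKCS8_ENCRYPTED = re.compile(r"^-----BEGIN ENCRYPTED PRIVATE KEY-----", re.M)
# Legacy OpenSSL "traditional" keys (BEGIN RSA/EC/DSA PRIVATE KEY) carry
# RFC 1421 headers instead: "Proc-Type: 4,ENCRYPTED" plus a DEK-Info line.
_LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)
# Any PEM private-key armour that load_pem_private_key() understands.
_PRIVATE_KEY = re.compile(
    r"^-----BEGIN (?:ENCRYPTED |RSA |EC |DSA )?PRIVATE KEY-----", re.M)


class PrivateKeyError(Exception):
    """Raised with a human-readable message instead of a library traceback."""


def pem_key_is_encrypted(pem: bytes) -> bool:
    """Return True if the PEM private key needs a passphrase to decrypt."""
    text = pem.decode("ascii", errors="replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        # OpenSSH's own format is not PEM; convert it first
        # (ssh-keygen -p -m PEM -f <keyfile>) rather than guessing.
        raise PrivateKeyError("OpenSSH-format key, not PEM; convert it first")
    if not _PRIVATE_KEY.search(text):
        raise PrivateKeyError("no PEM private key found in data")
    return bool(_PKCS8_ENCRYPTED.search(text) or _LEGACY_ENCRYPTED.search(text))


def passphrase_for(pem: bytes,
                   ask: Optional[Callable[[], str]] = None) -> Optional[bytes]:
    """Decide what to pass as the `password` argument of load_pem_private_key.

    Returns None for an unencrypted key. For an encrypted key it calls `ask`
    (e.g. getpass.getpass) and returns the passphrase as bytes; with no
    prompt available (non-interactive mode) it raises PrivateKeyError rather
    than letting the library raise TypeError deep inside the handshake.
    """
    if not pem_key_is_encrypted(pem):
        return None
    if ask is None:
        raise PrivateKeyError(
            "private key is passphrase-protected but no way to ask for the "
            "passphrase was provided (non-interactive mode?)")
    secret = ask()
    if not secret:
        raise PrivateKeyError("empty passphrase for an encrypted private key")
    return secret.encode("utf-8")


def load_private_key(pem: bytes, ask: Optional[Callable[[], str]] = None):
    """Load a PEM private key with cryptography, prompting only when needed."""
    # Imported here so the header check stays usable without the
    # cryptography package installed.
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.serialization import load_pem_private_key

    password = passphrase_for(pem, ask)
    return load_pem_private_key(pem, password, default_backend())


# Constructed samples: armour and headers only; the bodies are not real keys.
PLAIN_RSA_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""

LEGACY_ENCRYPTED_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

U2FsdGVkX1placeholder
-----END RSA PRIVATE KEY-----
"""

PKCS8_ENCRYPTED_PEM = b"""-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFHDBOBgkqhkiG9w0BBQ0wQTApplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    samples = [("plain", PLAIN_RSA_PEM), ("legacy", LEGACY_ENCRYPTED_PEM),
               ("pkcs8", PKCS8_ENCRYPTED_PEM)]
    for name, pem in samples:
        print(name, "encrypted:", pem_key_is_encrypted(pem))
    try:
        passphrase_for(LEGACY_ENCRYPTED_PEM)          # non-interactive mode
    except PrivateKeyError as exc:
        print("non-interactive:", exc)
    # lambda stands in for getpass.getpass in interactive mode
    print("interactive:", passphrase_for(PKCS8_ENCRYPTED_PEM, lambda: "hunter2"))
```

In a wizard flow the `ask` argument would be `getpass.getpass` when the user is present and `None` in non-interactive mode, so an encrypted controller key fails early with a message naming the problem instead of a `TypeError` from inside the handshake; the check is header-only and does not replace the library's own parsing, it just decides whether a passphrase has to be collected first.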