qemu-devel

Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows


From: Konstantin Kostiuk
Subject: Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows
Date: Mon, 22 Apr 2024 11:51:02 +0300

Hi Aidan,

I tried these patches with OpenSSH Server installed from Windows Features and public key
authorization does not work. Guest OS Windows Server 2022. Do you expect to use OpenSSH
from Windows Features or not?
As OpenSSH Server is a built-in feature for Server 2022 and new versions of Windows 10/11, I expect
that the patch should work with it too.

Also from MSDN https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
```
If you downloaded the OpenSSH beta from the GitHub repo at PowerShell/Win32-OpenSSH, follow the instructions listed there, not the ones in this article
```
So, why should we look at the beta version's behavior while MS provides a stable one from Features?



I debugged the problem, and the reason for ignoring SSH keys is the permissions of administrators_authorized_keys.
The SSH server does not allow S-1-5-11 and S-1-1-0 permissions.

```
4384 2024-04-22 01:19:57.763 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
4384 2024-04-22 01:19:57.763 debug3: Bad permissions. Try removing permissions for user: \\Everyone (S-1-1-0) on file C:/ProgramData/ssh/administrators_authorized_keys.
4384 2024-04-22 01:19:57.763 Authentication refused.

6824 2024-04-22 01:21:13.966 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
6824 2024-04-22 01:21:13.966 debug3: Bad permissions. Try removing permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file C:/ProgramData/ssh/administrators_authorized_keys.
6824 2024-04-22 01:21:13.966 Authentication refused.
```

I attached 2 screenshots of permissions. The first one shows the permissions that the file has after
the guest-ssh-add-authorized-keys command, and the second one shows the proper permissions
to make the SSH server happy.



Screenshot_20240422_112242.png
Screenshot_20240422_112352.png


Best Regards,
Konstantin Kostiuk.


On Fri, Mar 29, 2024 at 5:32 PM <aidan_leuck@selinc.com> wrote:
From: aidaleuc <aidan_leuck@selinc.com>

This patch aims to implement guest-ssh-add-authorized-keys, guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys
for Windows. This PR is based on Microsoft's OpenSSH implementation https://github.com/PowerShell/Win32-OpenSSH. The guest agents
will support Kubevirt and allow guest agent propagation to be used to dynamically inject SSH keys.
https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent

Changes since v5
* Fixed spurious formatting

Changes since v4
* Moved qapi/error.h to commands-common-ssh.c
* Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h"
* Removed stdbool.h from commands-common-ssh.h

Changes since v3
* Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
* Fixed styling errors discovered by checkpatch.pl
* Moved some header includes to the commands-common-ssh.h

Changes since v2
* Set indent to 4 spaces
* Moved all comments to C style comments
* Fixed a segfault bug in get_user_info function related to non-zeroed memory when a user did not exist.
* Used g_new0 instead of g_malloc where applicable
* Modified newlines in qapi-schema.json
* Added newlines at the end of all files
* GError functions now use g_autoptr instead of being freed manually.
* Refactored get_ssh_folder to remove goto error statement
* Fixed uninitialized variable pgDataW
* Modified patch order so that the generalization patch is the first patch
* Removed unnecessary ZeroMemory calls

Changes since v1
* Fixed styling errors
* Moved from wcstombs to g_utf functions
* Removed unnecessary if checks on calls to free
* Fixed copyright headers
* Refactored create_acl functions into base function, admin function and user function
* Removed unused user count function
* Split up refactor of existing code into a separate patch

aidaleuc (2):
  Refactor common functions between POSIX and Windows implementation
  Implement SSH commands in QEMU GA for Windows

 qga/commands-common-ssh.c  |  50 +++
 qga/commands-common-ssh.h  |  10 +
 qga/commands-posix-ssh.c   |  47 +--
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |  12 +-
 qga/qapi-schema.json       |  17 +-
 7 files changed, 893 insertions(+), 58 deletions(-)
 create mode 100644 qga/commands-common-ssh.c
 create mode 100644 qga/commands-common-ssh.h
 create mode 100644 qga/commands-windows-ssh.c
 create mode 100644 qga/commands-windows-ssh.h

--
2.34.1
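
The sshd debug output quoted in the reply above can be triaged mechanically. The following is an added example, not part of the thread or of the QEMU patches: it pairs each "Bad permissions" line with the "Authentication refused." that follows it and reports which SIDs caused a key file to be ignored. The function names are hypothetical, and it assumes the leading number on each log line is the sshd process id.

```python
import re

# Log lines copied from the message above; the leading number is assumed
# to be the sshd process id, followed by date, time and the message text.
SAMPLE_LOG = r"""
4384 2024-04-22 01:19:57.763 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
4384 2024-04-22 01:19:57.763 debug3: Bad permissions. Try removing permissions for user: \\Everyone (S-1-1-0) on file C:/ProgramData/ssh/administrators_authorized_keys.
4384 2024-04-22 01:19:57.763 Authentication refused.
6824 2024-04-22 01:21:13.966 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
6824 2024-04-22 01:21:13.966 debug3: Bad permissions. Try removing permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file C:/ProgramData/ssh/administrators_authorized_keys.
6824 2024-04-22 01:21:13.966 Authentication refused.
"""

LINE = re.compile(r"^(?P<pid>\d+) (?P<ts>\S+ \S+) (?P<msg>.*)$")
BAD_PERM = re.compile(
    r"Bad permissions\. Try removing permissions for user: "
    r"(?P<principal>.+?) \((?P<sid>S-[0-9-]+)\) on file (?P<path>.+?)\.$")

def find_acl_rejections(log_text):
    """One dict per 'Bad permissions' line, correlated with its outcome by pid."""
    pending, results = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        pid, msg = int(m["pid"]), m["msg"]
        bad = BAD_PERM.search(msg)
        if bad:
            rej = {"pid": pid, "timestamp": m["ts"], "refused": False, **bad.groupdict()}
            pending[pid] = rej
            results.append(rej)
        elif msg.startswith("Authentication refused") and pid in pending:
            # Same sshd process refused the key right after the ACL complaint.
            pending.pop(pid)["refused"] = True
    return results

def offending_sids(log_text):
    """Map each key file whose use was refused to the SIDs sshd named."""
    by_file = {}
    for rej in find_acl_rejections(log_text):
        if rej["refused"]:
            by_file.setdefault(rej["path"], set()).add(rej["sid"])
    return by_file

if __name__ == "__main__":
    for path, sids in offending_sids(SAMPLE_LOG).items():
        print(path, sorted(sids))
```

Run against a guest's sshd debug log after guest-ssh-add-authorized-keys, an empty result means no key file was rejected for its ACL.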

