Hmm, rats. We definitely don't want to SSH into servers as root with an unencrypted key. I'll look into the PolicyKit to allow SSH as another user.

I'll also note that problems with unencrypted keys can be mitigated a bit by hardcoding a whitelist of allowed commands and IPs in authorized_keys.

> If you've set up qemu+ssh so that a password is needed

Well, that's not quite the right way to phrase it. I'm simply using qemu+ssh in its default configuration, and SSH best practices recommend a passphrase. I was hoping that Foreman would work with this, or would somehow encrypt a passphrase. I'll look into filing an enhancement request.

Does Foreman support KVM remote management over TLS+X509 certs <http://wiki.libvirt.org/page/TLSDaemonConfiguration>?

Thanks,

-= Stefan

On Wed, Sep 28, 2016 at 9:21 AM, Sean O'Keeffe <[email protected]> wrote:

> On Wed, Sep 28, 2016 at 10:53 AM, Daniel Lobato Garcia <[email protected]> wrote:
>
>> On 09/27, Stefan Lasiewski wrote:
>>> I'm hooking Foreman into two servers which run KVM & Libvirt. I'm following 5.2.5 Libvirt Notes <https://www.theforeman.org/manuals/1.11/index.html#5.2.5LibvirtNotes>, and I created a SSH Key for testing. I can successfully reach the remote hypervisors with a command like `virsh -c qemu+ssh://hypervisor.example.com/system list`.
>>
>> If you've set up qemu+ssh so that a password is needed, I'm afraid you'd have to create a feature request (http://projects.theforeman.org/issues/).
>>
>> You have to change your hypervisor /etc/ssh/sshd_config to allow root login without-password and ensure your ssh public key is in the hypervisor /root/.ssh/authorized_keys
>
> You don't actually have to use the root user, you can configure policykit to allow connecting to libvirt from another user. Googling "libvirt non root user" should help you out there.
>
>>> How do I add the passphrase to Foreman so that Foreman can log in to the remote server to manage the compute resources? I see some mention of `rake` tasks at https://www.theforeman.org/manuals/1.11/index.html#5.2.10PasswordEncryption, but I'm confused if that applies to what I am trying to do, or how to encrypt something like a passphrase for libvirt.
>>
>> That's unrelated, it applies to the password in other compute resources, libvirt does not have that field.
>>
>>> Thanks,
>>>
>>> -= Stefan
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Foreman users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> Visit this group at https://groups.google.com/group/foreman-users.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>> --
>> Daniel Lobato Garcia
>>
>> @dLobatog
>> blog.daniellobato.me
>> daniellobato.me
>>
>> GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
>> Keybase: https://keybase.io/elobato

--
Stefan Lasiewski
Email: [email protected]
Computer System Engineer III
Email: [email protected]
NERSC Data Infrastructure Group
National Energy Research Scientific Computing Center (NERSC <http://nersc.gov>)
Lawrence Berkeley National Laboratory
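Stefan's point about hardcoding allowed commands and source IPs in authorized_keys is easy to state and easy to forget on one host out of many, so here is an added example, not code from this thread or from Foreman: a small audit script that flags authorized_keys entries carrying no `from=` or `command=` restriction. The sample file and key blobs are constructed placeholders, and the forced command shown assumes libvirt's qemu+ssh transport is relayed through an OpenBSD-style `nc -U` to the local libvirt socket.

```python
import re
# Added example, not code from the thread or from Foreman. Flags authorized_keys
# entries that carry no from= (source pin) or command= (forced command) option.
KEY_TYPE_RE = re.compile(r"(?<!\S)(?:ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521))\s")

# Constructed sample (placeholder key blobs): an unrestricted key, one pinned to a
# source IP with a forced command (the libvirt socket relay), one with command only.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey foreman@unrestricted
from="10.0.0.5",command="nc -U /var/run/libvirt/libvirt-sock",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey foreman@restricted
command="nc -U /var/run/libvirt/libvirt-sock" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderNotARealKey foreman@no-from
"""

def split_options(opts):
    """Split the option field on commas, leaving commas inside "..." alone."""
    out, cur, quoted, i = [], "", False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and quoted:  # keep a backslash-escaped char inside quotes
            ch, i = opts[i:i + 2], i + 1
        elif ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
        i += 1
    return out + [cur] if cur else out

def option_names(line):
    """Set of option names on one authorized_keys line, or None if unparseable."""
    m = KEY_TYPE_RE.search(line)
    if m is None:
        return None
    opts = line[:m.start()].strip()
    return {o.split("=", 1)[0] for o in split_options(opts)} if opts else set()

def audit(text, required=("from", "command")):
    """Return (line_number, message) for every key missing a required option."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names = option_names(line)
        if names is None:
            findings.append((n, "unparseable entry"))
        elif any(r not in names for r in required):
            findings.append((n, "missing " + ",".join(r for r in required if r not in names)))
    return findings
```

Run `audit()` over a real `~/.ssh/authorized_keys` on each hypervisor to see which keys would still let a holder of an unencrypted private key open an unrestricted session.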
