Ian Main
2009-Feb-25 04:06 UTC
[Ovirt-devel] [PATCH node] Use --no-check-certificate with wget
This patch adds the --no-check-certificate to wget for all wgets since the server now requires ssl and doesn't have a valid cert. I'm not certain this is the best way to handle this case but I'm posting this patch anyway to see if it works and if it's an acceptable solution. Note that I have not yet tested this either. :)
Signed-off-by: Ian Main <imain at redhat.com>
---
 ovirt-listen-awake/ovirt-listen-awake.c | 2 +-
 scripts/ovirt | 2 +-
 scripts/ovirt-awake | 2 +-
 scripts/ovirt-early | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/ovirt-listen-awake/ovirt-listen-awake.c b/ovirt-listen-awake/ovirt-listen-awake.c
index 7ecd0a7..9af5bbf 100644
--- a/ovirt-listen-awake/ovirt-listen-awake.c
+++ b/ovirt-listen-awake/ovirt-listen-awake.c
@@ -208,7 +208,7 @@ int main(int argc, char *argv[])
 // (in particular, which DNS server to use to resolve, and which
 // domainname). Until I come up with a good solution for that, I'll
 // have to leave this as-is.
- system("wget -q http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
+ system("wget -q --no-check-certificate http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
 system("ovirt-awake start 192.168.50.2 12120 /etc/libvirt/krb5.tab");
 }
 else {
diff --git a/scripts/ovirt b/scripts/ovirt
index 4c336ae..8296783 100755
--- a/scripts/ovirt
+++ b/scripts/ovirt
@@ -18,7 +18,7 @@ start() {
 if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then
 krb5_conf=/etc/krb5.conf
 # FIXME this is IPA specific
- wget -q \
+ wget -q --no-check-certificate \
 http://$SRV_HOST:$SRV_PORT/ipa/config/krb5.ini -O $krb5_conf.tmp
 if [ $? -ne 0 ]; then
 log "Failed to get $krb5_conf"; return 1
diff --git a/scripts/ovirt-awake b/scripts/ovirt-awake
index c369933..56fcb57 100644
--- a/scripts/ovirt-awake
+++ b/scripts/ovirt-awake
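Review bot: The URL in this `system()` call is still `http://192.168.50.2:80/...`, so `--no-check-certificate` only comes into play if the server redirects the request to HTTPS, and the first request is plain HTTP either way; the `http://$SRV_HOST:$SRV_PORT/...` URLs in the scripts/ovirt and scripts/ovirt-early hunks have the same shape. With verification switched off the node has no way to tell the real server from whatever answers at that address, and the file written here is /etc/krb5.conf, which presumably decides which KDC the node trusts. Requesting `https://` directly and pinning the deployment's own CA, e.g. `wget -q --ca-certificate=<ca-file-placeholder> https://...`, keeps the check meaningful even with a self-signed setup. main() starts and ends outside the hunk.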
@@ -64,7 +64,7 @@ start () {
 if [ -n "$KEYTAB" -a -n "$KEYTAB_FILE" ]; then
 echo "Retrieving keytab: '$KEYTAB'"
 
- wget -q "$KEYTAB" --output-document="$KEYTAB_FILE"
+ wget -q "$KEYTAB" --no-check-certificate --output-document="$KEYTAB_FILE"
 else
 echo "No keytab to retrieve"
 fi
diff --git a/scripts/ovirt-early b/scripts/ovirt-early
index b757614..5194446 100755
--- a/scripts/ovirt-early
+++ b/scripts/ovirt-early
@@ -39,7 +39,7 @@ configure_from_network() {
 cfgdb=$(mktemp)
 get_mac_addresses
 log "MACs to use: $macs"
- wget -O $cfgdb \
+ wget -O $cfgdb --no-check-certificate \
 "http://$SRV_HOST:$SRV_PORT/ovirt/managed_node/config?host=$(hostname)&macs=$macs"
 if [ $? -eq 0 ]; then
 log "Remote configuration bundle retrieved to $cfgdb"
-- 
1.6.0.6
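Review bot: In the scripts/ovirt-awake hunk the file being fetched is the node's keytab, a long-term Kerberos credential, and `--no-check-certificate` means the TLS session is encrypted but the peer is never authenticated, so the node will install a keytab from any endpoint that answers for `$KEYTAB`. Pinning the deployment's CA keeps server authentication in place with a self-signed certificate: `wget -q --ca-certificate="$CA_FILE" "$KEYTAB" --output-document="$KEYTAB_FILE"`, where `$CA_FILE` is a placeholder for a CA file shipped on the node image. Within the visible lines wget's exit status is also not checked, so a failed download can leave an empty or partial `$KEYTAB_FILE`; appending `|| { echo "Failed to retrieve keytab"; return 1; }` would surface that. start() continues outside the hunk.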
Perry Myers
2009-Feb-25 12:53 UTC
[Ovirt-devel] [PATCH node] Use --no-check-certificate with wget
Ian Main wrote:
> This patch adds the --no-check-certificate to wget for all wgets since
> the server now requires ssl and doesn't have a valid cert. I'm not
> certain this is the best way to handle this case but I'm posting this
> patch anyway to see if it works and if it's an acceptable solution.
> Note that I have not yet tested this either. :)
ovirt-listen-awake is only used on the 'demo setup' (i.e. running guests on the host where the ovirt-appliance is running) so no issues with that. The other two places are during normal oVirt Node startup. This method of retrieving keytabs from the oVirt Server was already insecure (and noted as such) so this doesn't make it any worse. However, we should make it clear that just because the keytabs are retrieved over SSL there is still no guarantee of security using this scheme. The only secure method of distributing keytabs at the moment is providing them via sneaker-net on a USB thumb drive. Perry
> Signed-off-by: Ian Main <imain at redhat.com>
> ---
> ovirt-listen-awake/ovirt-listen-awake.c | 2 +-
> scripts/ovirt | 2 +-
> scripts/ovirt-awake | 2 +-
> scripts/ovirt-early | 2 +-
> 4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/ovirt-listen-awake/ovirt-listen-awake.c b/ovirt-listen-awake/ovirt-listen-awake.c
> index 7ecd0a7..9af5bbf 100644
> --- a/ovirt-listen-awake/ovirt-listen-awake.c
> +++ b/ovirt-listen-awake/ovirt-listen-awake.c
> @@ -208,7 +208,7 @@ int main(int argc, char *argv[])
> // (in particular, which DNS server to use to resolve, and which
> // domainname). Until I come up with a good solution for that, I'll
> // have to leave this as-is.
> - system("wget -q http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
> + system("wget -q --no-check-certificate http://192.168.50.2:80/ipa/config/krb5.ini -O /etc/krb5.conf");
> system("ovirt-awake start 192.168.50.2 12120 /etc/libvirt/krb5.tab");
> }
> else {
> diff --git a/scripts/ovirt b/scripts/ovirt
> index 4c336ae..8296783 100755
> --- a/scripts/ovirt
> +++ b/scripts/ovirt
> @@ -18,7 +18,7 @@ start() {
> if [ -n "$SRV_HOST" -a -n "$SRV_PORT" ]; then
> krb5_conf=/etc/krb5.conf
> # FIXME this is IPA specific
> - wget -q \
> + wget -q --no-check-certificate \
> http://$SRV_HOST:$SRV_PORT/ipa/config/krb5.ini -O $krb5_conf.tmp
> if [ $? -ne 0 ]; then
> log "Failed to get $krb5_conf"; return 1
> diff --git a/scripts/ovirt-awake b/scripts/ovirt-awake
> index c369933..56fcb57 100644
> --- a/scripts/ovirt-awake
> +++ b/scripts/ovirt-awake
> @@ -64,7 +64,7 @@ start () {
> if [ -n "$KEYTAB" -a -n "$KEYTAB_FILE" ]; then
> echo "Retrieving keytab: '$KEYTAB'"
>
> - wget -q "$KEYTAB" --output-document="$KEYTAB_FILE"
> + wget -q "$KEYTAB" --no-check-certificate --output-document="$KEYTAB_FILE"
> else
> echo "No keytab to retrieve"
> fi
> diff --git a/scripts/ovirt-early b/scripts/ovirt-early
> index b757614..5194446 100755
> --- a/scripts/ovirt-early
> +++ b/scripts/ovirt-early
> @@ -39,7 +39,7 @@ configure_from_network() {
> cfgdb=$(mktemp)
> get_mac_addresses
> log "MACs to use: $macs"
> - wget -O $cfgdb \
> + wget -O $cfgdb --no-check-certificate \
> "http://$SRV_HOST:$SRV_PORT/ovirt/managed_node/config?host=$(hostname)&macs=$macs"
> if [ $? -eq 0 ]; then
> log "Remote configuration bundle retrieved to $cfgdb"
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston -=|
|=- Email: pmyers at redhat.com -=|
|=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|