search for: key_string

v1 was here: https://www.redhat.com/archives/libguestfs/2019-November/msg00271.html In v2 I just updated the way paths are handled. Note this series requires the following patch to common which adds the common/options/key-option.pod file: https://www.redhat.com/archives/libguestfs/2019-November/msg00269.html Rich.

The libguestfs part of this change. Also a virt-v2v part will be needed. The first patch adds a new feature to podwrapper so that we can use __INCLUDE:file__ directives within the POD itself (instead of using --insert, and one day replacing that). The second patch shows how this change could be used for the included parts of the guestfish man page, including the non-English pages under

...ible security problem with malicious guests (CVE-2010-3851). +=item B<--key> SELECTOR + +Specify a key for LUKS, to automatically open a LUKS device when using +the inspection. C<SELECTOR> can be in one of the following formats: + +=over 4 + +=item B<--key> C<DEVICE>:key:KEY_STRING + +Use the specified C<KEY_STRING> as passphrase. + +=item B<--key> C<DEVICE>:file:FILENAME + +Read the passphrase from F<FILENAME>. + +=back + =item B<--keys-from-stdin> Read key or passphrase parameters from stdin. The default is diff --git a/cat/virt-log.pod b/...

Hi, the following series adds a --key option in the majority of tools: this makes it possible to pass LUKS credentials programmatically, avoid the need to manually input them, or unsafely pass them via stdin. Thanks, Pino Toscano (2): mltools: create a cmdline_options struct Introduce a --key option in tools that accept keys builder/cmdline.ml | 2 +-

...ons/key-option.pod @@ -1,15 +1,16 @@ =item B<--key> SELECTOR Specify a key for LUKS, to automatically open a LUKS device when using -the inspection. +the inspection. C<ID> must be the libguestfs device name of the LUKS +device. =over 4 -=item B<--key> C<DEVICE>:key:KEY_STRING +=item B<--key> C<ID>:key:KEY_STRING Use the specified C<KEY_STRING> as passphrase. -=item B<--key> C<DEVICE>:file:FILENAME +=item B<--key> C<ID>:file:FILENAME Read the passphrase from F<FILENAME>. diff --git a/options/keys.c b/options/keys....

This combined patch series enables to decrypt LUKS devices on inspection by allowing the UUID of the LUKS device with the --key syntax. I opted for reusing the option instead of adding another one, as I think that device names and UUIDs are different enough that can be properly distinguished. A test for this (patch #4) can be applied only when the patches for common are applied, and the

This adds a customize option: virt-customize --ssh-inject USER virt-customize --ssh-inject USER:string:KEY_STRING virt-customize --ssh-inject USER:file:FILENAME (ditto for virt-builder and virt-sysprep) In each case this injects into the guest user USER a) the current (host) user's ssh pubkey b) the key specified as KEY_STRING c) the key in FILENAME adding it to ~USER/.ssh/authorized_keys in the guest....

This is a patch series against common and libguestfs which unifies all the documentation about --key SELECTOR so it only appears in a single file, but is included in all the other POD documentation. The overall effect of the change should be completely neutral. Rich.

...); if (!key.device) error (EXIT_FAILURE, errno, "strdup"); /* 2: key type */ - elem = strtok_r (NULL, ":", &saveptr); - if (!elem) - goto invalid_selector; - else if (STREQ (elem, "key")) + if (STREQ (fields[1], "key")) key.type = key_string; - else if (STREQ (elem, "file")) + else if (STREQ (fields[1], "file")) key.type = key_file; else goto invalid_selector; /* 3: actual key */ - elem = strtok_r (NULL, ":", &saveptr); - if (!elem) - goto invalid_selector; switch (key.type)...

This adds a customize option: virt-customize --ssh-inject USER[=KEY] virt-builder --ssh-inject USER[=KEY] virt-sysprep --ssh-inject USER[=KEY] In each case this either injects the current (host) user's ssh pubkey into the guest user USER (adding it to ~USER/.ssh/authorized_keys in the guest), or you can specify a particular key. For example: virt-builder fedora-20 --ssh-inject root

...phant(struct crypt_config *cc, struct dm_crypt_request *d kunmap_atomic(data); out: - kzfree(ks); - kzfree(es); + kfree_sensitive(ks); + kfree_sensitive(es); skcipher_request_free(req); return r; } @@ -2247,7 +2247,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string key = request_key(key_string[0] == 'l' ? &key_type_logon : &key_type_user, key_desc + 1, NULL); if (IS_ERR(key)) { - kzfree(new_key_string); + kfree_sensitive(new_key_string); return PTR_ERR(key); } @@ -2257,14 +2257,14 @@ static int crypt_set_keyring_key(struct c...

...); if (!key.device) error (EXIT_FAILURE, errno, "strdup"); /* 2: key type */ - elem = strtok_r (NULL, ":", &saveptr); - if (!elem) - goto invalid_selector; - else if (STREQ (elem, "key")) + if (STREQ (fields[1], "key")) key.type = key_string; - else if (STREQ (elem, "file")) + else if (STREQ (fields[1], "file")) key.type = key_file; else goto invalid_selector; /* 3: actual key */ - elem = strtok_r (NULL, ":", &saveptr); - if (!elem) - goto invalid_selector; switch (key.type)...

...phant(struct crypt_config *cc, struct dm_crypt_request *d kunmap_atomic(data); out: - kzfree(ks); - kzfree(es); + kfree_sensitive(ks); + kfree_sensitive(es); skcipher_request_free(req); return r; } @@ -2294,7 +2294,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string key = request_key(type, key_desc + 1, NULL); if (IS_ERR(key)) { - kzfree(new_key_string); + kfree_sensitive(new_key_string); return PTR_ERR(key); } @@ -2304,7 +2304,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string if (ret < 0) { up_read(&a...

...phant(struct crypt_config *cc, struct dm_crypt_request *d kunmap_atomic(data); out: - kzfree(ks); - kzfree(es); + kfree_sensitive(ks); + kfree_sensitive(es); skcipher_request_free(req); return r; } @@ -2294,7 +2294,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string key = request_key(type, key_desc + 1, NULL); if (IS_ERR(key)) { - kzfree(new_key_string); + kfree_sensitive(new_key_string); return PTR_ERR(key); } @@ -2304,7 +2304,7 @@ static int crypt_set_keyring_key(struct crypt_config *cc, const char *key_string if (ret < 0) { up_read(&a...

v5: - Break the btrfs patch out as a separate patch to be processed independently. - Update the commit log of patch 1 to make it less scary. - Add a kzfree backward compatibility macro in patch 2. v4: - Break out the memzero_explicit() change as suggested by Dan Carpenter so that it can be backported to stable. - Drop the "crypto: Remove unnecessary

This patchset makes a global rename of the kzfree() to kfree_sensitive() to highlight the fact buffer clearing is only needed if the data objects contain sensitive information like encrpytion key. The fact that kzfree() uses memset() to do the clearing isn't totally safe either as compiler may compile out the clearing in their optimizer. Instead, the new kfree_sensitive() uses

v4: - Break out the memzero_explicit() change as suggested by Dan Carpenter so that it can be backported to stable. - Drop the "crypto: Remove unnecessary memzero_explicit()" patch for now as there can be a bit more discussion on what is best. It will be introduced as a separate patch later on after this one is merged. This patchset makes a global rename of the kzfree()

v4: - Break out the memzero_explicit() change as suggested by Dan Carpenter so that it can be backported to stable. - Drop the "crypto: Remove unnecessary memzero_explicit()" patch for now as there can be a bit more discussion on what is best. It will be introduced as a separate patch later on after this one is merged. This patchset makes a global rename of the kzfree()

The first patch fixes a rather serious bug, the second patch allows multiple --key parameters and default parameters. There is a third patch to libguestfs which adds a test, coming up. I did not yet review and fix the documentation. I think we need to centralize it in one place because at the moment the same documentation for --key is copy/pasted all over the tools. Rich.

v1: https://www.redhat.com/archives/libguestfs/2019-November/msg00036.html