Closed jli-cparta closed 2 years ago
Thanks for the PR!
libvirt connection URI does not support password auth without agent, but I think the way you implemented it is clever, because it does not break the spec.
It would still likely expose the password in the logs and output, wouldn't it?
> It would still likely expose the password in the logs and output, wouldn't it?
Not that I can find. It's in the tfstate files (of course). And if you enable debug-logging from terraform it will show up. But it's not visible in standard output, nor is it in any log files. Not any that I can find, anyway. Searched everything in /var/log/* and the home directory of the user.
@dmacvicar Are you OK to pull this request?
I am not convinced this is a good idea.
libvirt has support for passwords with ssh, but it is a password "auth-method" (see here), which resolves to looking up the username and password in a libvirt-specific auth file (see here).
Therefore, it may be confusing behavior for people used to libvirt that the ssh password resolves to the ssh account password. Given that the standard way of accessing an ssh server is using ssh-keys, I'd prefer to keep things as they were with libvirt.
Now, what we could do is add an "unofficial" auth method ssh-password, and make it explicit in the URL, which would then make the password of the URL behave like this PR describes, which can be useful for Vault ssh otp-passwords and such.
What do you think?
Fine with me. I just need some way to pass a password through, and preferably one that doesn't create files with it in cleartext on disk.
So you'd like to see something like this?
qemu+ssh://USER:PASS@kvm-server.example.com/system?sshauth=ssh-password
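As an added Go example (not code from the provider or from this PR), this is one way a provider could parse the URI form proposed above: the password is treated as the SSH account password only when `sshauth=ssh-password` is explicit, and a redacted copy is kept for logs and diagnostics, which is the exposure concern raised earlier in the thread. `ParseLibvirtURI`, `ConnInfo` and `SSHPasswordAuth` are assumed names, not the provider's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// SSHPasswordAuth is the proposed (assumed, unofficial) sshauth value.
const SSHPasswordAuth = "ssh-password"

// ConnInfo is what would be handed to the SSH dialer; Redacted is the only
// form that should ever reach a log line or an error message.
type ConnInfo struct {
	Host, User, Path string
	Password         string // set only when sshauth=ssh-password
	Redacted         string // URI with the password masked by net/url
}

// ParseLibvirtURI parses a qemu+ssh URI and applies the sshauth rule.
func ParseLibvirtURI(raw string) (*ConnInfo, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "qemu+ssh" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	ci := &ConnInfo{Host: u.Host, Path: u.Path, Redacted: u.Redacted()}
	pass, hasPass := "", false
	if u.User != nil {
		ci.User = u.User.Username()
		pass, hasPass = u.User.Password()
	}
	if u.Query().Get("sshauth") == SSHPasswordAuth {
		if !hasPass || pass == "" {
			return nil, errors.New("sshauth=ssh-password requires a password in the URI userinfo")
		}
		ci.Password = pass // explicit opt-in: use it as the SSH account password
	}
	// Without the explicit opt-in, stock libvirt semantics apply and the URI
	// password is not treated as an SSH password (ci.Password stays empty).
	return ci, nil
}

func main() {
	// Constructed sample URI; the host name is a placeholder.
	ci, err := ParseLibvirtURI("qemu+ssh://USER:PASS@kvm-server.example.com/system?sshauth=ssh-password")
	if err != nil {
		panic(err)
	}
	fmt.Println("connecting to", ci.Redacted) // password never printed
}
```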
@dmacvicar Anything else you need?
Thanks for the contribution.
While a trivial addition, this allows using secret providers (e.g. Hashicorp Vault) to provide plaintext passwords instead of copying private key files around.