KVM - Virt-Manager on a Separate VM

Obsolesce

@storageninja said in KVM - Virt-Manager on a Separate VM:

@stacksofplates I can break your 4096 bit encryption with $5.
If your worried about state-level actors you have bigger concerns

Challenge accepted.

Pst me your email and I'll give you a key to break.

Leave me an audit trail so I can confirm.

JaredBusch

@DustinB3403

I use my user in the libvirt group so I do not have to bother with the root user.

gpasswd -a jbusch libvirt

Then this works.

scottalanmiller

@tim_g said in KVM - Virt-Manager on a Separate VM:

When I try to do a ssh-copy-id to my servers, I get this:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

This is expected, as I do not allow root logon, I do not allow password auth, and only allow RSA key based authentication.

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

Wtf is going on here... everyone is making it so difficult... it's not!

Step 1: On your KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "KVM01_Root_SSHKey"

Step 2: On your desktop/vm used to manage the KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "PCName_userName_SSHKey"

Step 3: On your desktop/VM, copy your public key:
cat /home/username/.ssh/id_rsa.pub
...then copy it.

Step 4: On your KVM Host, paste what you copy in Step 3 into the file here:
vi /root/.ssh/authorized_keys
...then save the file.

Step 5: On your desktop/VM using virt-manager, add the server like below... type in the host name then click connect.
No password required.

But see doing it this way has skipped a bunch of stuff that ssh-copy-id does. This will end up with more questions later on.

I would be willing to be dollars to donuts if someone uses this they will have to change permissions on that authorized_keys file because it's not created by defualt.

Seriously just generate the key (RSA is the default):

ssh-keygen -b 4096

and copy to the server:

ssh-copy-id user@server

Yes, but this assumes you've already got SSH going and unsecure enough to do a ssh-copy-id to the server. This isn't the case for me.

But you are right, generally the ssh-copy-id is the way to go as I suppose I'm the only one here who does things securely, or this is done before securing SSH on the server.

hahahahaha. Wtf are you talking about. What does "unsecure enough to do a ssh-copy-id" possibly mean?

How did you get into that state? How do the initial keys get there?

stacksofplates

@tim_g said in KVM - Virt-Manager on a Separate VM:

When I try to do a ssh-copy-id to my servers, I get this:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

This is expected, as I do not allow root logon, I do not allow password auth, and only allow RSA key based authentication.

Ok? We are talking about an initial hypervisor setup. Passwords are enabled by default. You copy your key, then shut the passwords off. Idk what the eff is going on here.....

stacksofplates

@jaredbusch said in KVM - Virt-Manager on a Separate VM:

@DustinB3403

I use my user in the libvirt group so I do not have to bother with the root user.

gpasswd -a jbusch libvirt

Then this works.

Ya idk where the root thing came from.

JaredBusch

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

Idk what the eff is going on here.....

Overcomplication of course.

stacksofplates

@storageninja said in KVM - Virt-Manager on a Separate VM:

@stacksofplates I can break your 4096 bit encryption with $5.
If your worried about state-level actors you have bigger concerns

I'm not worried about anything. I'm not the one that said anything about key security

Obsolesce

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

When I try to do a ssh-copy-id to my servers, I get this:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

This is expected, as I do not allow root logon, I do not allow password auth, and only allow RSA key based authentication.

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

Wtf is going on here... everyone is making it so difficult... it's not!

Step 1: On your KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "KVM01_Root_SSHKey"

Step 2: On your desktop/vm used to manage the KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "PCName_userName_SSHKey"

Step 3: On your desktop/VM, copy your public key:
cat /home/username/.ssh/id_rsa.pub
...then copy it.

Step 4: On your KVM Host, paste what you copy in Step 3 into the file here:
vi /root/.ssh/authorized_keys
...then save the file.

Step 5: On your desktop/VM using virt-manager, add the server like below... type in the host name then click connect.
No password required.

But see doing it this way has skipped a bunch of stuff that ssh-copy-id does. This will end up with more questions later on.

I would be willing to be dollars to donuts if someone uses this they will have to change permissions on that authorized_keys file because it's not created by defualt.

Seriously just generate the key (RSA is the default):

ssh-keygen -b 4096

and copy to the server:

ssh-copy-id user@server

Yes, but this assumes you've already got SSH going and unsecure enough to do a ssh-copy-id to the server. This isn't the case for me.

But you are right, generally the ssh-copy-id is the way to go as I suppose I'm the only one here who does things securely, or this is done before securing SSH on the server.

hahahahaha. Wtf are you talking about. What does "unsecure enough to do a ssh-copy-id" possibly mean?

How did you get into that state? How do the initial keys get there?

Salt.

mattbagan

@jaredbusch said in KVM - Virt-Manager on a Separate VM:

@DustinB3403

I use my user in the libvirt group so I do not have to bother with the root user.

gpasswd -a jbusch libvirt

Then this works.

Never tried it that way. I've always used:
usermod -a -G libvirt <username>

stacksofplates

@tim_g said in KVM - Virt-Manager on a Separate VM:

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

When I try to do a ssh-copy-id to my servers, I get this:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

This is expected, as I do not allow root logon, I do not allow password auth, and only allow RSA key based authentication.

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@stacksofplates said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

Wtf is going on here... everyone is making it so difficult... it's not!

Step 1: On your KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "KVM01_Root_SSHKey"

Step 2: On your desktop/vm used to manage the KVM host, run the following command:
ssh-keygen -t rsa -b 4096 -C "PCName_userName_SSHKey"

Step 3: On your desktop/VM, copy your public key:
cat /home/username/.ssh/id_rsa.pub
...then copy it.

Step 4: On your KVM Host, paste what you copy in Step 3 into the file here:
vi /root/.ssh/authorized_keys
...then save the file.

Step 5: On your desktop/VM using virt-manager, add the server like below... type in the host name then click connect.
No password required.

But see doing it this way has skipped a bunch of stuff that ssh-copy-id does. This will end up with more questions later on.

I would be willing to be dollars to donuts if someone uses this they will have to change permissions on that authorized_keys file because it's not created by defualt.

Seriously just generate the key (RSA is the default):

ssh-keygen -b 4096

and copy to the server:

ssh-copy-id user@server

Yes, but this assumes you've already got SSH going and unsecure enough to do a ssh-copy-id to the server. This isn't the case for me.

But you are right, generally the ssh-copy-id is the way to go as I suppose I'm the only one here who does things securely, or this is done before securing SSH on the server.

hahahahaha. Wtf are you talking about. What does "unsecure enough to do a ssh-copy-id" possibly mean?

How did you get into that state? How do the initial keys get there?

Salt.

On a physical hypervisor initial install. How do you do that?

JaredBusch

@mattbagan said in KVM - Virt-Manager on a Separate VM:

Never tried it that way. I've always used:
usermod -a -G libvirt <username>

both ways get the same job done.

StorageNinja

@tim_g said in KVM - Virt-Manager on a Separate VM:

@storageninja said in KVM - Virt-Manager on a Separate VM:

@stacksofplates I can break your 4096 bit encryption with $5.
If your worried about state-level actors you have bigger concerns

Challenge accepted.

Pst me your email and I'll give you a key to break.

Leave me an audit trail so I can confirm.

I assume you'll just ship me a beer and call it even?

Obsolesce

@storageninja said in KVM - Virt-Manager on a Separate VM:

@tim_g said in KVM - Virt-Manager on a Separate VM:

@storageninja said in KVM - Virt-Manager on a Separate VM:

@stacksofplates I can break your 4096 bit encryption with $5.
If your worried about state-level actors you have bigger concerns

Challenge accepted.

Pst me your email and I'll give you a key to break.

Leave me an audit trail so I can confirm.

I assume you'll just ship me a beer and call it even?

Ha, sounds good.

scottalanmiller

Who spends $5 on a wrench?

travisdh1

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

Who spends $5 on a wrench?

Anyone who goes to a brick and mortar store.

Obsolesce

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

Who spends $5 on a wrench?

THe cheapest one I found on Amazon is $4.22. Better hope that comes with free shipping.
https://www.amazon.com/s/ref=sr_st_price-asc-rank?keywords=wrench&fst=as%3Aon&rh=n%3A228013%2Cn%3A328182011%2Cn%3A551238%2Ck%3Awrench&qid=1512762244&sort=price-asc-rank

scottalanmiller

@travisdh1 said in KVM - Virt-Manager on a Separate VM:

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

Who spends $5 on a wrench?

Anyone who goes to a brick and mortar store.

See.... you'd just use a brick for a fraction of the price.

travisdh1

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

@travisdh1 said in KVM - Virt-Manager on a Separate VM:

@scottalanmiller said in KVM - Virt-Manager on a Separate VM:

Who spends $5 on a wrench?

Anyone who goes to a brick and mortar store.

See.... you'd just use a brick for a fraction of the price.

Just steal a loose brick!

bnrstnr

I've got an old CRT monitor sitting in the corner that could probably do the trick

DustinB3403

@jaredbusch said in KVM - Virt-Manager on a Separate VM:

@DustinB3403

I use my user in the libvirt group so I do not have to bother with the root user.

gpasswd -a jbusch libvirt

Then this works.

Holy fuck it took way to long to get to this point.

So here is the stupid approach. 

ssh-keygen -t rsa
generating. . .
. . . 
. . . 
The key fingerprint is . . .

ssh-copy-id -i /home/user/.ssh/d_rsa.pub user@kvm-server-ip

Login with user@kvm-server-ip password

Test the login

Disconnect from the remote server and run this next bit on your management system.

gpasswd -a username libvirt and then run it on you kvm server assuming you're not using the "root" user.

Done, and it works.

@JaredBusch thanks for cutting through the bullshit and helping out here.