Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.

Bug 1510536

Summary: [RFE] obfuscate password for ssh key in virt-who config file used to connect to hypervisor
Product: Red Hat Enterprise Linux 7 Reporter: Andrea Perotti <aperotti>
Component: virt-whoAssignee: candlepin-bugs
Status: NEW --- QA Contact: Eko <hsun>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: aperotti, candlepin-bugs, cdonnell, dconsoli
Target Milestone: pre-dev-freezeKeywords: FutureFeature
Target Release: ---Flags: aperotti: needinfo? (candlepin-bugs)
dconsoli: needinfo? (candlepin-bugs)
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Andrea Perotti 2017-11-07 15:57:01 UTC
Description of problem:

2. What is the nature and description of the request?
Customer would like to use an ssh key protected with passphrase in virt-who, and having that password obfuscated in the virt-who configuration file.

3. Why does the customer need this? (List the business requirements here)
Compliance requires that each used ssh keys mush be protected with password 

4. How would the customer like to achieve this? (List the functional requirements here)
With the addition of a new option in virt-who config file

5. For each functional requirement listed in question 4, specify how Red Hat and Customer can test to confirm the requirement is successfully implemented.

You should be able to use virt-who config with an encrypted ssh key, with obfuscated password 

6. Is there already an existing RFE upstream or in Red Hat bugzilla?

7. How quickly does this need resolved? (desired target release)
As soon as possible, it should be made available both on RHEL6 and RHEL7

8. Does this request meet the RHEL Inclusion criteria (please review)
9. List the affected packages

Version-Release number of selected component (if applicable):


Comment 2 Craig Donnelly 2017-11-07 18:26:49 UTC

I wanted to clarify what it is exactly you were looking for in this request.

My interpretation of what you have laid out is as follows:

You have a system that is using libvirt which virt-who would be connecting to via SSH w/username + password - and you want the password to not be plain text.

If that is correct, is the requirement not met by utilizing 'virt-who-password' which ships with virt-who to encrypt the password by way of hashing?

Please provide a little more detail in explicitly what it is your aiming for if the above is not a resolution.


Comment 3 Andrea Perotti 2017-11-07 20:48:40 UTC
   the request is for a more complex use case.

Scenario here is that you do connect to libvirt via ssh, but you do use: 

ssh-key (

and that ssh-key is password protected.

Using virt-who-password is fine to scramble, is just needed to have a way to express which is the passphrase of the ssh-key in a non plain-text way.

If you have further doubt on the request, please just let me know.

Comment 4 Craig Donnelly 2017-11-07 22:17:50 UTC
So what I understand based off of that is that you want 'virt-who' daemon to be able to use an ssh-key to login to libvirt and pass an encrypted password to unlock the ssh-key.

In this case, I would call this an RFE for virt-who, which would need to be placed under RHEL for that team.

I will shift this to the correct place.