[PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[aidan_leuck]

From: aidaleuc <aidan_leuck@selinc.com>

This patch aims to implement guest-ssh-add-authorized-keys, guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys
for Windows. This PR is based on Microsoft's OpenSSH implementation https://github.com/PowerShell/Win32-OpenSSH. The guest agents 
will support Kubevirt and allow guest agent propagation to be used to dynamically inject SSH keys. 
https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent

Changes since v5
* Fixed spurious formatting 

Changes since v4
* Moved qapi/error.h to commands-common-ssh.c
* Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h" 
* Removed stbool.h from commands-common-ssh.h

Changes since v3
* Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
* Fixed styling errors discovered by checkpatch.pl 
* Moved some header includes to the commands-common-ssh.h

Changes since v2
* Set indent to 4 spaces
* Moved all comments to C style comments
* Fixed a segfault bug in get_user_info function related to non zeroed memory when a user did not exist.
* Used g_new0 instead of g_malloc where applicable
* Modified newlines in qapi-schema.json
* Added newlines at the end of all files
* GError functions now use g_autoptr instead of being freed manually.
* Refactored get_ssh_folder to remove goto error statement
* Fixed uninitialized variable pgDataW
* Modified patch order so that the generalization patch is the first patch
* Removed unnecssary ZeroMemory calls

Changes since v1
* Fixed styling errors
* Moved from wcstombs to g_utf functions
* Removed unnecessary if checks on calls to free
* Fixed copyright headers
* Refactored create_acl functions into base function, admin function and user function
* Removed unused user count function
* Split up refactor of existing code into a separate patch

aidaleuc (2):
  Refactor common functions between POSIX and Windows implementation
  Implement SSH commands in QEMU GA for Windows

 qga/commands-common-ssh.c  |  50 +++
 qga/commands-common-ssh.h  |  10 +
 qga/commands-posix-ssh.c   |  47 +--
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |  12 +-
 qga/qapi-schema.json       |  17 +-
 7 files changed, 893 insertions(+), 58 deletions(-)
 create mode 100644 qga/commands-common-ssh.c
 create mode 100644 qga/commands-common-ssh.h
 create mode 100644 qga/commands-windows-ssh.c
 create mode 100644 qga/commands-windows-ssh.h

-- 
2.34.1

[PATCH v6 1/2] Refactor common functions between POSIX and Windows implementation

[aidan_leuck]

From: aidaleuc <aidan_leuck@selinc.com>

Signed-off-by: aidaleuc <aidan_leuck@selinc.com>
---
 qga/commands-common-ssh.c | 50 +++++++++++++++++++++++++++++++++++++++
 qga/commands-common-ssh.h | 10 ++++++++
 qga/commands-posix-ssh.c  | 47 +-----------------------------------
 qga/meson.build           |  1 +
 4 files changed, 62 insertions(+), 46 deletions(-)
 create mode 100644 qga/commands-common-ssh.c
 create mode 100644 qga/commands-common-ssh.h

diff --git a/qga/commands-common-ssh.c b/qga/commands-common-ssh.c
new file mode 100644
index 0000000000..537869fb98
--- /dev/null
+++ b/qga/commands-common-ssh.c
@@ -0,0 +1,50 @@
+/*
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "qapi/error.h"
+#include "commands-common-ssh.h"
+
+GStrv read_authkeys(const char *path, Error **errp)
+{
+    g_autoptr(GError) err = NULL;
+    g_autofree char *contents = NULL;
+
+    if (!g_file_get_contents(path, &contents, NULL, &err)) {
+        error_setg(errp, "failed to read '%s': %s", path, err->message);
+        return NULL;
+    }
+
+    return g_strsplit(contents, "\n", -1);
+}
+
+bool check_openssh_pub_keys(strList *keys, size_t *nkeys, Error **errp)
+{
+    size_t n = 0;
+    strList *k;
+
+    for (k = keys; k != NULL; k = k->next) {
+        if (!check_openssh_pub_key(k->value, errp)) {
+            return false;
+        }
+        n++;
+    }
+
+    if (nkeys) {
+        *nkeys = n;
+    }
+    return true;
+}
+
+bool check_openssh_pub_key(const char *key, Error **errp)
+{
+    /* simple sanity-check, we may want more? */
+    if (!key || key[0] == '#' || strchr(key, '\n')) {
+        error_setg(errp, "invalid OpenSSH public key: '%s'", key);
+        return false;
+    }
+
+    return true;
+}
diff --git a/qga/commands-common-ssh.h b/qga/commands-common-ssh.h
new file mode 100644
index 0000000000..14d955fa84
--- /dev/null
+++ b/qga/commands-common-ssh.h
@@ -0,0 +1,10 @@
+/*
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qapi/qapi-builtin-types.h"
+
+GStrv read_authkeys(const char *path, Error **errp);
+bool check_openssh_pub_keys(strList *keys, size_t *nkeys, Error **errp);
+bool check_openssh_pub_key(const char *key, Error **errp);
diff --git a/qga/commands-posix-ssh.c b/qga/commands-posix-ssh.c
index 236f80de44..dd2ecb453a 100644
--- a/qga/commands-posix-ssh.c
+++ b/qga/commands-posix-ssh.c
@@ -9,6 +9,7 @@
 #include <locale.h>
 #include <pwd.h>
 
+#include "commands-common-ssh.h"
 #include "qapi/error.h"
 #include "qga-qapi-commands.h"
 
@@ -80,37 +81,6 @@ mkdir_for_user(const char *path, const struct passwd *p,
     return true;
 }
 
-static bool
-check_openssh_pub_key(const char *key, Error **errp)
-{
-    /* simple sanity-check, we may want more? */
-    if (!key || key[0] == '#' || strchr(key, '\n')) {
-        error_setg(errp, "invalid OpenSSH public key: '%s'", key);
-        return false;
-    }
-
-    return true;
-}
-
-static bool
-check_openssh_pub_keys(strList *keys, size_t *nkeys, Error **errp)
-{
-    size_t n = 0;
-    strList *k;
-
-    for (k = keys; k != NULL; k = k->next) {
-        if (!check_openssh_pub_key(k->value, errp)) {
-            return false;
-        }
-        n++;
-    }
-
-    if (nkeys) {
-        *nkeys = n;
-    }
-    return true;
-}
-
 static bool
 write_authkeys(const char *path, const GStrv keys,
                const struct passwd *p, Error **errp)
@@ -139,21 +109,6 @@ write_authkeys(const char *path, const GStrv keys,
     return true;
 }
 
-static GStrv
-read_authkeys(const char *path, Error **errp)
-{
-    g_autoptr(GError) err = NULL;
-    g_autofree char *contents = NULL;
-
-    if (!g_file_get_contents(path, &contents, NULL, &err)) {
-        error_setg(errp, "failed to read '%s': %s", path, err->message);
-        return NULL;
-    }
-
-    return g_strsplit(contents, "\n", -1);
-
-}
-
 void
 qmp_guest_ssh_add_authorized_keys(const char *username, strList *keys,
                                   bool has_reset, bool reset,
diff --git a/qga/meson.build b/qga/meson.build
index 1c3d2a3d1b..4c3899751b 100644
--- a/qga/meson.build
+++ b/qga/meson.build
@@ -66,6 +66,7 @@ qga_ss.add(files(
   'guest-agent-command-state.c',
   'main.c',
   'cutils.c',
+  'commands-common-ssh.c'
 ))
 if host_os == 'windows'
   qga_ss.add(files(
-- 
2.34.1

[PATCH v6 2/2] Implement SSH commands in QEMU GA for Windows

[aidan_leuck]

From: aidaleuc <aidan_leuck@selinc.com>

Signed-off-by: aidaleuc <aidan_leuck@selinc.com>
---
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |   5 +-
 qga/qapi-schema.json       |  17 +-
 4 files changed, 826 insertions(+), 11 deletions(-)
 create mode 100644 qga/commands-windows-ssh.c
 create mode 100644 qga/commands-windows-ssh.h

diff --git a/qga/commands-windows-ssh.c b/qga/commands-windows-ssh.c
new file mode 100644
index 0000000000..bfd944f0a4
--- /dev/null
+++ b/qga/commands-windows-ssh.c
@@ -0,0 +1,789 @@
+/*
+ * QEMU Guest Agent win32-specific command implementations for SSH keys.
+ * The implementation is opinionated and expects the SSH implementation to
+ * be OpenSSH.
+ *
+ * Copyright Schweitzer Engineering Laboratories. 2024
+ *
+ * Authors:
+ *  Aidan Leuck <aidan_leuck@selinc.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include <aclapi.h>
+#include <qga-qapi-types.h>
+
+#include "commands-common-ssh.h"
+#include "commands-windows-ssh.h"
+#include "guest-agent-core.h"
+#include "limits.h"
+#include "lmaccess.h"
+#include "lmapibuf.h"
+#include "lmerr.h"
+#include "qapi/error.h"
+
+#include "qga-qapi-commands.h"
+#include "sddl.h"
+#include "shlobj.h"
+#include "userenv.h"
+
+#define AUTHORIZED_KEY_FILE "authorized_keys"
+#define AUTHORIZED_KEY_FILE_ADMIN "administrators_authorized_keys"
+#define LOCAL_SYSTEM_SID "S-1-5-18"
+#define ADMIN_SID "S-1-5-32-544"
+#define WORLD_SID "S-1-1-0"
+
+/*
+ * Frees userInfo structure. This implements the g_auto cleanup
+ * for the structure.
+ */
+void free_userInfo(PWindowsUserInfo info)
+{
+    g_free(info->sshDirectory);
+    g_free(info->authorizedKeyFile);
+    LocalFree(info->SSID);
+    g_free(info->username);
+    g_free(info);
+}
+
+/*
+ * Gets the admin SSH folder for OpenSSH. OpenSSH does not store
+ * the authorized_key file in the users home directory for security reasons and
+ * instead stores it at %PROGRAMDATA%/ssh. This function returns the path to
+ * that directory on the users machine
+ *
+ * parameters:
+ * errp -> error structure to set when an error occurs
+ * returns: The path to the ssh folder in %PROGRAMDATA% or NULL if an error
+ * occurred.
+ */
+static char *get_admin_ssh_folder(Error **errp)
+{
+    /* Allocate memory for the program data path */
+    g_autofree char *programDataPath = NULL;
+    char *authkeys_path = NULL;
+    PWSTR pgDataW = NULL;
+    g_autoptr(GError) gerr = NULL;
+
+    /* Get the KnownFolderPath on the machine. */
+    HRESULT folderResult =
+        SHGetKnownFolderPath(&FOLDERID_ProgramData, 0, NULL, &pgDataW);
+    if (folderResult != S_OK) {
+        error_setg(errp, "Failed to retrieve ProgramData folder");
+        return NULL;
+    }
+
+    /* Convert from a wide string back to a standard character string. */
+    programDataPath = g_utf16_to_utf8(pgDataW, -1, NULL, NULL, &gerr);
+    CoTaskMemFree(pgDataW);
+    if (!programDataPath) {
+        error_setg(errp,
+                   "Failed converting ProgramData folder path to UTF-16 %s",
+                   gerr->message);
+        return NULL;
+    }
+
+    /* Build the path to the file. */
+    authkeys_path = g_build_filename(programDataPath, "ssh", NULL);
+    return authkeys_path;
+}
+
+/*
+ * Gets the path to the SSH folder for the specified user. If the user is an
+ * admin it returns the ssh folder located at %PROGRAMDATA%/ssh. If the user is
+ * not an admin it returns %USERPROFILE%/.ssh
+ *
+ * parameters:
+ * username -> Username to get the SSH folder for
+ * isAdmin -> Whether the user is an admin or not
+ * errp -> Error structure to set any errors that occur.
+ * returns: path to the ssh folder as a string.
+ */
+static char *get_ssh_folder(const char *username, const bool isAdmin,
+                            Error **errp)
+{
+    DWORD maxSize = MAX_PATH;
+    g_autofree char *profilesDir = g_new0(char, maxSize);
+
+    if (isAdmin) {
+        return get_admin_ssh_folder(errp);
+    }
+
+    /* If not an Admin the SSH key is in the user directory. */
+    /* Get the user profile directory on the machine. */
+    BOOL ret = GetProfilesDirectory(profilesDir, &maxSize);
+    if (!ret) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to retrieve profiles directory");
+        return NULL;
+    }
+
+    /* Builds the filename */
+    return g_build_filename(profilesDir, username, ".ssh", NULL);
+}
+
+/*
+ * Creates an entry for the everyone group. This is used when the user is an
+ * Administrator This is consistent with the folder permissions that OpenSSH
+ * creates when it is installed. Anyone can read the file, but only
+ * Administrators and SYSTEM can modify the file.
+ *
+ * parameters:
+ * userInfo -> Information about the current user
+ * pACL -> Pointer to an ACL structure
+ * errp -> Error structure to set any errors that occur
+ * returns: 1 on success, 0 otherwise
+ */
+static bool create_acl_admin(PWindowsUserInfo userInfo, PACL *pACL,
+                             Error **errp)
+{
+    PSID everyonePSID = NULL;
+
+    const int aclSize = 1;
+    EXPLICIT_ACCESS eAccess[1];
+
+    /*
+     * Create an entry for everyone (so they can at least read the folder).
+     * This is consistent with other folders located in %PROGRAMDATA%
+     */
+    bool converted = ConvertStringSidToSid(WORLD_SID, &everyonePSID);
+    if (!converted) {
+        error_setg_win32(errp, GetLastError(), "failed to retrieve Admin SID");
+        goto error;
+    }
+
+    /* Set permissions for everyone group (they can only read the files) */
+    eAccess[0].grfAccessPermissions = GENERIC_READ;
+    eAccess[0].grfAccessMode = SET_ACCESS;
+    eAccess[0].grfInheritance = NO_INHERITANCE;
+    eAccess[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    eAccess[0].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
+    eAccess[0].Trustee.ptstrName = (LPTSTR)everyonePSID;
+
+    /* Put the entries in an ACL object. */
+    PACL pNewACL = NULL;
+    DWORD setResult;
+
+    /*
+     * If we are given a pointer that is already initialized, then we can merge
+     * the existing entries instead of overwriting them.
+     */
+    if (*pACL) {
+        setResult = SetEntriesInAcl(aclSize, eAccess, *pACL, &pNewACL);
+    } else {
+        setResult = SetEntriesInAcl(aclSize, eAccess, NULL, &pNewACL);
+    }
+
+    if (setResult != ERROR_SUCCESS) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to set ACL entries for admin user %s %lu",
+                         userInfo->username, setResult);
+        goto error;
+    }
+
+    LocalFree(everyonePSID);
+
+    /*
+     * Free the old memory since we are going to overwrite the users
+     * pointer
+     */
+    LocalFree(*pACL);
+    *pACL = pNewACL;
+
+    return true;
+
+error:
+    LocalFree(everyonePSID);
+    return false;
+}
+
+/*
+ * Creates an entry for the user so they can access the ssh folder in their
+ * userprofile.
+ *
+ * parameters:
+ * userInfo -> Information about the current user
+ * pACL -> Pointer to an ACL structure
+ * errp -> Error structure to set any errors that occur
+ * returns -> 1 on success, 0 otherwise
+ */
+static bool create_acl_user(PWindowsUserInfo userInfo, PACL *pACL, Error **errp)
+{
+    const int aclSize = 1;
+    PACL newACL = NULL;
+    EXPLICIT_ACCESS eAccess[1];
+    PSID userPSID = NULL;
+
+    /* Get a pointer to the internal SID object in Windows */
+    bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID);
+    if (!converted) {
+        error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID",
+                         userInfo->username);
+        goto error;
+    }
+
+    /* Set the permissions for the user. */
+    eAccess[0].grfAccessPermissions = GENERIC_ALL;
+    eAccess[0].grfAccessMode = SET_ACCESS;
+    eAccess[0].grfInheritance = NO_INHERITANCE;
+    eAccess[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    eAccess[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
+    eAccess[0].Trustee.ptstrName = (LPTSTR)userPSID;
+
+    /* Set the ACL entries */
+    DWORD setResult;
+
+    /*
+     * If we are given a pointer that is already initialized, then we can merge
+     * the existing entries instead of overwriting them.
+     */
+    if (*pACL) {
+        setResult = SetEntriesInAcl(aclSize, eAccess, *pACL, &newACL);
+    } else {
+        setResult = SetEntriesInAcl(aclSize, eAccess, NULL, &newACL);
+    }
+
+    if (setResult != ERROR_SUCCESS) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to set ACL entries for user %s %lu",
+                         userInfo->username, setResult);
+        goto error;
+    }
+
+    /* Free any old memory since we are going to overwrite the users pointer. */
+    LocalFree(*pACL);
+    *pACL = newACL;
+
+    LocalFree(userPSID);
+    return true;
+error:
+    LocalFree(userPSID);
+    return false;
+}
+
+/*
+ * Creates a base ACL for both normal users and admins to share
+ * pACL -> Pointer to an ACL structure
+ * errp -> Error structure to set any errors that occur
+ * returns: 1 on success, 0 otherwise
+ */
+static bool create_acl_base(PACL *pACL, Error **errp)
+{
+    PSID adminGroupPSID = NULL;
+    PSID systemPSID = NULL;
+
+    const int aclSize = 2;
+    EXPLICIT_ACCESS eAccess[2];
+
+    /* Create an entry for the system user. */
+    const char *systemSID = LOCAL_SYSTEM_SID;
+    bool converted = ConvertStringSidToSid(systemSID, &systemPSID);
+    if (!converted) {
+        error_setg_win32(errp, GetLastError(), "failed to retrieve system SID");
+        goto error;
+    }
+
+    /* set permissions for system user */
+    eAccess[0].grfAccessPermissions = GENERIC_ALL;
+    eAccess[0].grfAccessMode = SET_ACCESS;
+    eAccess[0].grfInheritance = NO_INHERITANCE;
+    eAccess[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    eAccess[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
+    eAccess[0].Trustee.ptstrName = (LPTSTR)systemPSID;
+
+    /* Create an entry for the admin user. */
+    const char *adminSID = ADMIN_SID;
+    converted = ConvertStringSidToSid(adminSID, &adminGroupPSID);
+    if (!converted) {
+        error_setg_win32(errp, GetLastError(), "failed to retrieve Admin SID");
+        goto error;
+    }
+
+    /* Set permissions for admin group. */
+    eAccess[1].grfAccessPermissions = GENERIC_ALL;
+    eAccess[1].grfAccessMode = SET_ACCESS;
+    eAccess[1].grfInheritance = NO_INHERITANCE;
+    eAccess[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+    eAccess[1].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
+    eAccess[1].Trustee.ptstrName = (LPTSTR)adminGroupPSID;
+
+    /* Put the entries in an ACL object. */
+    PACL pNewACL = NULL;
+    DWORD setResult;
+
+    /*
+     *If we are given a pointer that is already initialized, then we can merge
+     *the existing entries instead of overwriting them.
+     */
+    if (*pACL) {
+        setResult = SetEntriesInAcl(aclSize, eAccess, *pACL, &pNewACL);
+    } else {
+        setResult = SetEntriesInAcl(aclSize, eAccess, NULL, &pNewACL);
+    }
+
+    if (setResult != ERROR_SUCCESS) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to set base ACL entries for system user and "
+                         "admin group %lu",
+                         setResult);
+        goto error;
+    }
+
+    LocalFree(adminGroupPSID);
+    LocalFree(systemPSID);
+
+    /* Free any old memory since we are going to overwrite the users pointer. */
+    LocalFree(*pACL);
+
+    *pACL = pNewACL;
+
+    return true;
+
+error:
+    LocalFree(adminGroupPSID);
+    LocalFree(systemPSID);
+    return false;
+}
+
+/*
+ * Sets the access control on the authorized_keys file and any ssh folders that
+ * need to be created. For administrators the required permissions on the
+ * file/folders are that only administrators and the LocalSystem account can
+ * access the folders. For normal user accounts only the specified user,
+ * LocalSystem and Administrators can have access to the key.
+ *
+ * parameters:
+ * userInfo -> pointer to structure that contains information about the user
+ * PACL -> pointer to an access control structure that will be set upon
+ * successful completion of the function.
+ * errp -> error structure that will be set upon error.
+ * returns: 1 upon success 0 upon failure.
+ */
+static bool create_acl(PWindowsUserInfo userInfo, PACL *pACL, Error **errp)
+{
+    /*
+     * Creates a base ACL that both admins and users will share
+     * This adds the Administrators group and the SYSTEM group
+     */
+    if (!create_acl_base(pACL, errp)) {
+        return false;
+    }
+
+    /*
+     * If the user is not an admin give the user creating the key permission to
+     * access the file.
+     */
+    if (!userInfo->isAdmin) {
+        if (!create_acl_user(userInfo, pACL, errp)) {
+            return false;
+        }
+
+        return true;
+    }
+
+    /* If the user is an admin allow everyone to read the keys */
+    if (!create_acl_admin(userInfo, pACL, errp)) {
+        return false;
+    }
+
+    return true;
+}
+/*
+ * Create the SSH directory for the user and d sets appropriate permissions.
+ * In general the directory will be %PROGRAMDATA%/ssh if the user is an admin.
+ * %USERPOFILE%/.ssh if not an admin
+ *
+ * parameters:
+ * userInfo -> Contains information about the user
+ * errp -> Structure that will contain errors if the function fails.
+ * returns: zero upon failure, 1 upon success
+ */
+static bool create_ssh_directory(WindowsUserInfo *userInfo, Error **errp)
+{
+    PACL pNewACL = NULL;
+    g_autofree PSECURITY_DESCRIPTOR pSD = NULL;
+
+    /* Gets the appropriate ACL for the user */
+    if (!create_acl(userInfo, &pNewACL, errp)) {
+        goto error;
+    }
+
+    /* Allocate memory for a security descriptor */
+    pSD = g_malloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
+    if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION)) {
+        error_setg_win32(errp, GetLastError(),
+                         "Failed to initialize security descriptor");
+        goto error;
+    }
+
+    /* Associate the security descriptor with the ACL permissions. */
+    if (!SetSecurityDescriptorDacl(pSD, TRUE, pNewACL, FALSE)) {
+        error_setg_win32(errp, GetLastError(),
+                         "Failed to set security descriptor ACL");
+        goto error;
+    }
+
+    /* Set the security attributes on the folder */
+    SECURITY_ATTRIBUTES sAttr;
+    sAttr.bInheritHandle = FALSE;
+    sAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
+    sAttr.lpSecurityDescriptor = pSD;
+
+    /* Create the directory with the created permissions */
+    BOOL created = CreateDirectory(userInfo->sshDirectory, &sAttr);
+    if (!created) {
+        error_setg_win32(errp, GetLastError(), "failed to create directory %s",
+                         userInfo->sshDirectory);
+        goto error;
+    }
+
+    /* Free memory */
+    LocalFree(pNewACL);
+    return true;
+error:
+    LocalFree(pNewACL);
+    return false;
+}
+
+/*
+ * Sets permissions on the authorized_key_file that is created.
+ *
+ * parameters: userInfo -> Information about the user
+ * errp -> error structure that will contain errors upon failure
+ * returns: 1 upon success, zero upon failure.
+ */
+static bool set_file_permissions(PWindowsUserInfo userInfo, Error **errp)
+{
+    PACL pACL = NULL;
+    PSID userPSID;
+
+    /* Creates the access control structure */
+    if (!create_acl(userInfo, &pACL, errp)) {
+        goto error;
+    }
+
+    /* Get the PSID structure for the user based off the string SID. */
+    bool converted = ConvertStringSidToSid(userInfo->SSID, &userPSID);
+    if (!converted) {
+        error_setg_win32(errp, GetLastError(), "failed to retrieve user %s SID",
+                         userInfo->username);
+        goto error;
+    }
+
+    /* Set the ACL on the file. */
+    if (SetNamedSecurityInfo(userInfo->authorizedKeyFile, SE_FILE_OBJECT,
+                             DACL_SECURITY_INFORMATION, userPSID, NULL, pACL,
+                             NULL) != ERROR_SUCCESS) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to set file security for file %s",
+                         userInfo->authorizedKeyFile);
+        goto error;
+    }
+
+    LocalFree(pACL);
+    LocalFree(userPSID);
+    return true;
+
+error:
+    LocalFree(pACL);
+    LocalFree(userPSID);
+
+    return false;
+}
+
+/*
+ * Writes the specified keys to the authenticated keys file.
+ * parameters:
+ * userInfo: Information about the user we are writing the authkeys file to.
+ * authkeys: Array of keys to write to disk
+ * errp: Error structure that will contain any errors if they occur.
+ * returns: 1 if successful, 0 otherwise.
+ */
+static bool write_authkeys(WindowsUserInfo *userInfo, GStrv authkeys,
+                           Error **errp)
+{
+    g_autofree char *contents = NULL;
+    g_autoptr(GError) err = NULL;
+
+    contents = g_strjoinv("\n", authkeys);
+
+    if (!g_file_set_contents(userInfo->authorizedKeyFile, contents, -1, &err)) {
+        error_setg(errp, "failed to write to '%s': %s",
+                   userInfo->authorizedKeyFile, err->message);
+        return false;
+    }
+
+    if (!set_file_permissions(userInfo, errp)) {
+        return false;
+    }
+
+    return true;
+}
+
+/*
+ * Retrieves information about a Windows user by their username
+ *
+ * parameters:
+ * userInfo -> Double pointer to a WindowsUserInfo structure. Upon success, it
+ * will be allocated with information about the user and need to be freed.
+ * username -> Name of the user to lookup.
+ * errp -> Contains any errors that occur.
+ * returns: 1 upon success, 0 upon failure.
+ */
+static bool get_user_info(PWindowsUserInfo *userInfo, const char *username,
+                          Error **errp)
+{
+    DWORD infoLevel = 4;
+    LPUSER_INFO_4 uBuf = NULL;
+    g_autofree wchar_t *wideUserName = NULL;
+    g_autoptr(GError) gerr = NULL;
+    PSID psid = NULL;
+
+    /*
+     * Converts a string to a Windows wide string since the GetNetUserInfo
+     * function requires it.
+     */
+    wideUserName = g_utf8_to_utf16(username, -1, NULL, NULL, &gerr);
+    if (!wideUserName) {
+        goto error;
+    }
+
+    /* allocate data */
+    PWindowsUserInfo uData = g_new0(WindowsUserInfo, 1);
+
+    /* Set pointer so it can be cleaned up by the callee, even upon error. */
+    *userInfo = uData;
+
+    /* Find the information */
+    NET_API_STATUS result =
+        NetUserGetInfo(NULL, wideUserName, infoLevel, (LPBYTE *)&uBuf);
+    if (result != NERR_Success) {
+        /* Give a friendlier error message if the user was not found. */
+        if (result == NERR_UserNotFound) {
+            error_setg(errp, "User %s was not found", username);
+            goto error;
+        }
+
+        error_setg(errp,
+                   "Received unexpected error when asking for user info: Error "
+                   "Code %lu",
+                   result);
+        goto error;
+    }
+
+    /* Get information from the buffer returned by NetUserGetInfo. */
+    uData->username = g_strdup(username);
+    uData->isAdmin = uBuf->usri4_priv == USER_PRIV_ADMIN;
+    psid = uBuf->usri4_user_sid;
+
+    char *sidStr = NULL;
+
+    /*
+     * We store the string representation of the SID not SID structure in
+     * memory. Callees wanting to use the SID structure should call
+     * ConvertStringSidToSID.
+     */
+    if (!ConvertSidToStringSid(psid, &sidStr)) {
+        error_setg_win32(errp, GetLastError(),
+                         "failed to get SID string for user %s", username);
+        goto error;
+    }
+
+    /* Store the SSID */
+    uData->SSID = sidStr;
+
+    /* Get the SSH folder for the user. */
+    char *sshFolder = get_ssh_folder(username, uData->isAdmin, errp);
+    if (sshFolder == NULL) {
+        goto error;
+    }
+
+    /* Get the authorized key file path */
+    const char *authorizedKeyFile =
+        uData->isAdmin ? AUTHORIZED_KEY_FILE_ADMIN : AUTHORIZED_KEY_FILE;
+    char *authorizedKeyPath =
+        g_build_filename(sshFolder, authorizedKeyFile, NULL);
+    uData->sshDirectory = sshFolder;
+    uData->authorizedKeyFile = authorizedKeyPath;
+
+    /* Free */
+    NetApiBufferFree(uBuf);
+    return true;
+error:
+    if (uBuf) {
+        NetApiBufferFree(uBuf);
+    }
+
+    return false;
+}
+
+/*
+ * Gets the list of authorized keys for a user.
+ *
+ * parameters:
+ * username -> Username to retrieve the keys for.
+ * errp -> Error structure that will display any errors through QMP.
+ * returns: List of keys associated with the user.
+ */
+GuestAuthorizedKeys *qmp_guest_ssh_get_authorized_keys(const char *username,
+                                                       Error **errp)
+{
+    GuestAuthorizedKeys *keys = NULL;
+    g_auto(GStrv) authKeys = NULL;
+    g_autoptr(GuestAuthorizedKeys) ret = NULL;
+    g_auto(PWindowsUserInfo) userInfo = NULL;
+
+    /* Gets user information */
+    if (!get_user_info(&userInfo, username, errp)) {
+        return NULL;
+    }
+
+    /* Reads authkeys for the user */
+    authKeys = read_authkeys(userInfo->authorizedKeyFile, errp);
+    if (authKeys == NULL) {
+        return NULL;
+    }
+
+    /* Set the GuestAuthorizedKey struct with keys from the file */
+    ret = g_new0(GuestAuthorizedKeys, 1);
+    for (int i = 0; authKeys[i] != NULL; i++) {
+        g_strstrip(authKeys[i]);
+        if (!authKeys[i][0] || authKeys[i][0] == '#') {
+            continue;
+        }
+
+        QAPI_LIST_PREPEND(ret->keys, g_strdup(authKeys[i]));
+    }
+
+    /*
+     * Steal the pointer because it is up for the callee to deallocate the
+     * memory.
+     */
+    keys = g_steal_pointer(&ret);
+    return keys;
+}
+
+/*
+ * Adds an ssh key for a user.
+ *
+ * parameters:
+ * username -> User to add the SSH key to
+ * strList -> Array of keys to add to the list
+ * has_reset -> Whether the keys have been reset
+ * reset -> Boolean to reset the keys (If this is set the existing list will be
+ * cleared) and the other key reset. errp -> Pointer to an error structure that
+ * will get returned over QMP if anything goes wrong.
+ */
+void qmp_guest_ssh_add_authorized_keys(const char *username, strList *keys,
+                                       bool has_reset, bool reset, Error **errp)
+{
+    g_auto(PWindowsUserInfo) userInfo = NULL;
+    g_auto(GStrv) authkeys = NULL;
+    strList *k;
+    size_t nkeys, nauthkeys;
+
+    /* Make sure the keys given are valid */
+    if (!check_openssh_pub_keys(keys, &nkeys, errp)) {
+        return;
+    }
+
+    /* Gets user information */
+    if (!get_user_info(&userInfo, username, errp)) {
+        return;
+    }
+
+    /* Determine whether we should reset the keys */
+    reset = has_reset && reset;
+    if (!reset) {
+        /* Read existing keys into memory */
+        authkeys = read_authkeys(userInfo->authorizedKeyFile, NULL);
+    }
+
+    /* Check that the SSH key directory exists for the user. */
+    if (!g_file_test(userInfo->sshDirectory, G_FILE_TEST_IS_DIR)) {
+        BOOL success = create_ssh_directory(userInfo, errp);
+        if (!success) {
+            return;
+        }
+    }
+
+    /* Reallocates the buffer to fit the new keys. */
+    nauthkeys = authkeys ? g_strv_length(authkeys) : 0;
+    authkeys = g_realloc_n(authkeys, nauthkeys + nkeys + 1, sizeof(char *));
+
+    /* zero out the memory for the reallocated buffer */
+    memset(authkeys + nauthkeys, 0, (nkeys + 1) * sizeof(char *));
+
+    /* Adds the keys */
+    for (k = keys; k != NULL; k = k->next) {
+        /* Check that the key doesn't already exist */
+        if (g_strv_contains((const gchar *const *)authkeys, k->value)) {
+            continue;
+        }
+
+        authkeys[nauthkeys++] = g_strdup(k->value);
+    }
+
+    /* Write the authkeys to the file. */
+    write_authkeys(userInfo, authkeys, errp);
+}
+
+/*
+ * Removes an SSH key for a user
+ *
+ * parameters:
+ * username -> Username to remove the key from
+ * strList -> List of strings to remove
+ * errp -> Contains any errors that occur.
+ */
+void qmp_guest_ssh_remove_authorized_keys(const char *username, strList *keys,
+                                          Error **errp)
+{
+    g_auto(PWindowsUserInfo) userInfo = NULL;
+    g_autofree struct passwd *p = NULL;
+    g_autofree GStrv new_keys = NULL; /* do not own the strings */
+    g_auto(GStrv) authkeys = NULL;
+    GStrv a;
+    size_t nkeys = 0;
+
+    /* Validates the keys passed in by the user */
+    if (!check_openssh_pub_keys(keys, NULL, errp)) {
+        return;
+    }
+
+    /* Gets user information */
+    if (!get_user_info(&userInfo, username, errp)) {
+        return;
+    }
+
+    /* Reads the authkeys for the user */
+    authkeys = read_authkeys(userInfo->authorizedKeyFile, errp);
+    if (authkeys == NULL) {
+        return;
+    }
+
+    /* Create a new buffer to hold the keys */
+    new_keys = g_new0(char *, g_strv_length(authkeys) + 1);
+    for (a = authkeys; *a != NULL; a++) {
+        strList *k;
+
+        /* Filters out keys that are equal to ones the user specified. */
+        for (k = keys; k != NULL; k = k->next) {
+            if (g_str_equal(k->value, *a)) {
+                break;
+            }
+        }
+
+        if (k != NULL) {
+            continue;
+        }
+
+        new_keys[nkeys++] = *a;
+    }
+
+    /* Write the new authkeys to the file. */
+    write_authkeys(userInfo, new_keys, errp);
+}
diff --git a/qga/commands-windows-ssh.h b/qga/commands-windows-ssh.h
new file mode 100644
index 0000000000..40ac67c4d9
--- /dev/null
+++ b/qga/commands-windows-ssh.h
@@ -0,0 +1,26 @@
+/*
+ * Header file for commands-windows-ssh.c
+ *
+ * Copyright Schweitzer Engineering Laboratories. 2024
+ *
+ * Authors:
+ *  Aidan Leuck <aidan_leuck@selinc.com>
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include <glib/gstrfuncs.h>
+#include <stdbool.h>
+typedef struct WindowsUserInfo {
+    char *sshDirectory;
+    char *authorizedKeyFile;
+    char *username;
+    char *SSID;
+    bool isAdmin;
+} WindowsUserInfo;
+
+typedef WindowsUserInfo *PWindowsUserInfo;
+
+void free_userInfo(PWindowsUserInfo info);
+G_DEFINE_AUTO_CLEANUP_FREE_FUNC(PWindowsUserInfo, free_userInfo, NULL);
diff --git a/qga/meson.build b/qga/meson.build
index 4c3899751b..d5de492da3 100644
--- a/qga/meson.build
+++ b/qga/meson.build
@@ -73,7 +73,8 @@ if host_os == 'windows'
     'channel-win32.c',
     'commands-win32.c',
     'service-win32.c',
-    'vss-win32.c'
+    'vss-win32.c',
+    'commands-windows-ssh.c'
   ))
 else
   qga_ss.add(files(
@@ -94,7 +95,7 @@ gen_tlb = []
 qga_libs = []
 if host_os == 'windows'
   qga_libs += ['-lws2_32', '-lwinmm', '-lpowrprof', '-lwtsapi32', '-lwininet', '-liphlpapi', '-lnetapi32',
-               '-lsetupapi', '-lcfgmgr32']
+               '-lsetupapi', '-lcfgmgr32', '-luserenv']
   if have_qga_vss
     qga_libs += ['-lole32', '-loleaut32', '-lshlwapi', '-lstdc++', '-Wl,--enable-stdcall-fixup']
     subdir('vss-win32')
diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index 9554b566a7..a64a6d91cf 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -1562,9 +1562,8 @@
 { 'struct': 'GuestAuthorizedKeys',
   'data': {
       'keys': ['str']
-  },
-  'if': 'CONFIG_POSIX' }
-
+  }
+}
 
 ##
 # @guest-ssh-get-authorized-keys:
@@ -1580,8 +1579,8 @@
 ##
 { 'command': 'guest-ssh-get-authorized-keys',
   'data': { 'username': 'str' },
-  'returns': 'GuestAuthorizedKeys',
-  'if': 'CONFIG_POSIX' }
+  'returns': 'GuestAuthorizedKeys'
+}
 
 ##
 # @guest-ssh-add-authorized-keys:
@@ -1599,8 +1598,8 @@
 # Since: 5.2
 ##
 { 'command': 'guest-ssh-add-authorized-keys',
-  'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' },
-  'if': 'CONFIG_POSIX' }
+  'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' }
+}
 
 ##
 # @guest-ssh-remove-authorized-keys:
@@ -1617,8 +1616,8 @@
 # Since: 5.2
 ##
 { 'command': 'guest-ssh-remove-authorized-keys',
-  'data': { 'username': 'str', 'keys': ['str'] },
-  'if': 'CONFIG_POSIX' }
+  'data': { 'username': 'str', 'keys': ['str'] }
+}
 
 ##
 # @GuestDiskStats:
-- 
2.34.1

Re: [PATCH v6 1/2] qga: Refactor common functions between POSIX and Windows implementation

[Philippe Mathieu-Daudé]

On 29/3/24 16:31, aidan_leuck@selinc.com wrote:
> From: aidaleuc <aidan_leuck@selinc.com>
> 

"In preparation of a Windows implementation, move the
  non-POSIX specific code to commands-common-ssh."

> Signed-off-by: aidaleuc <aidan_leuck@selinc.com>

As in v5 
(https://lore.kernel.org/qemu-devel/63600417-9187-4d0b-8bcc-db7e965ff008@linaro.org/):

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>

> ---
>   qga/commands-common-ssh.c | 50 +++++++++++++++++++++++++++++++++++++++
>   qga/commands-common-ssh.h | 10 ++++++++
>   qga/commands-posix-ssh.c  | 47 +-----------------------------------
>   qga/meson.build           |  1 +
>   4 files changed, 62 insertions(+), 46 deletions(-)
>   create mode 100644 qga/commands-common-ssh.c
>   create mode 100644 qga/commands-common-ssh.h

Kostiantyn, if you take this patch, please amend the commit
description and prefix the subject with 'qga: ' :)

Thanks,

Phil.

Re: [PATCH v6 1/2] qga: Refactor common functions between POSIX and Windows implementation

[Konstantin Kostiuk]

[-- Attachment #1: Type: text/plain, Size: 1166 bytes --]

On Tue, Apr 2, 2024 at 12:23 PM Philippe Mathieu-Daudé <philmd@linaro.org>
wrote:

> On 29/3/24 16:31, aidan_leuck@selinc.com wrote:
> > From: aidaleuc <aidan_leuck@selinc.com>
> >
>
> "In preparation of a Windows implementation, move the
>   non-POSIX specific code to commands-common-ssh."
>
> > Signed-off-by: aidaleuc <aidan_leuck@selinc.com>
>
> As in v5
> (
> https://lore.kernel.org/qemu-devel/63600417-9187-4d0b-8bcc-db7e965ff008@linaro.org/
> ):
>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
>
> > ---
> >   qga/commands-common-ssh.c | 50 +++++++++++++++++++++++++++++++++++++++
> >   qga/commands-common-ssh.h | 10 ++++++++
> >   qga/commands-posix-ssh.c  | 47 +-----------------------------------
> >   qga/meson.build           |  1 +
> >   4 files changed, 62 insertions(+), 46 deletions(-)
> >   create mode 100644 qga/commands-common-ssh.c
> >   create mode 100644 qga/commands-common-ssh.h
>
> Kostiantyn, if you take this patch, please amend the commit
> description and prefix the subject with 'qga: ' :)
>

I will do this.

Best Regards,
Konstantin Kostiuk.



> Thanks,
>
> Phil.
>
>

[-- Attachment #2: Type: text/html, Size: 2256 bytes --]

RE: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Aidan Leuck]

Hello Konstantin, 

Is there anything you would like to see addresses in this patch before it merges? This patch has been up for a bit and there hasn't been any activity in a while. Our team is motivated to get this merged, so let me know if there is anything I can do on my end to make the review easier for you. I understand as a maintainer your position is voluntary and unpaid so if you just haven't had time to look it over and validate it, I completely understand. 

Thank you,
Aidan Leuck

-----Original Message-----
From: aidan_leuck@selinc.com <aidan_leuck@selinc.com> 
Sent: Friday, March 29, 2024 9:32 AM
To: qemu-devel@nongnu.org
Cc: kkostiuk@redhat.com; philmd@linaro.org; Aidan Leuck <aidan_leuck@selinc.com>
Subject: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

From: aidaleuc <aidan_leuck@selinc.com>

This patch aims to implement guest-ssh-add-authorized-keys, guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys for Windows. This PR is based on Microsoft's OpenSSH implementation https://github.com/PowerShell/Win32-OpenSSH. The guest agents will support Kubevirt and allow guest agent propagation to be used to dynamically inject SSH keys. 
https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent

Changes since v5
* Fixed spurious formatting 

Changes since v4
* Moved qapi/error.h to commands-common-ssh.c
* Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h" 
* Removed stbool.h from commands-common-ssh.h

Changes since v3
* Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
* Fixed styling errors discovered by checkpatch.pl
* Moved some header includes to the commands-common-ssh.h

Changes since v2
* Set indent to 4 spaces
* Moved all comments to C style comments
* Fixed a segfault bug in get_user_info function related to non zeroed memory when a user did not exist.
* Used g_new0 instead of g_malloc where applicable
* Modified newlines in qapi-schema.json
* Added newlines at the end of all files
* GError functions now use g_autoptr instead of being freed manually.
* Refactored get_ssh_folder to remove goto error statement
* Fixed uninitialized variable pgDataW
* Modified patch order so that the generalization patch is the first patch
* Removed unnecssary ZeroMemory calls

Changes since v1
* Fixed styling errors
* Moved from wcstombs to g_utf functions
* Removed unnecessary if checks on calls to free
* Fixed copyright headers
* Refactored create_acl functions into base function, admin function and user function
* Removed unused user count function
* Split up refactor of existing code into a separate patch

aidaleuc (2):
  Refactor common functions between POSIX and Windows implementation
  Implement SSH commands in QEMU GA for Windows

 qga/commands-common-ssh.c  |  50 +++
 qga/commands-common-ssh.h  |  10 +
 qga/commands-posix-ssh.c   |  47 +--
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |  12 +-
 qga/qapi-schema.json       |  17 +-
 7 files changed, 893 insertions(+), 58 deletions(-)  create mode 100644 qga/commands-common-ssh.c  create mode 100644 qga/commands-common-ssh.h  create mode 100644 qga/commands-windows-ssh.c  create mode 100644 qga/commands-windows-ssh.h

--
2.34.1

Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Konstantin Kostiuk]

[-- Attachment #1: Type: text/plain, Size: 3963 bytes --]

 Hi Aidan,

Thank you for these patches. Currently, I don't have any comments.
I asked QE from my team to test this patch and wait for feedback.
Also, QEMU is in the code freeze stage now, so I plan to merge all QGA
patches after release.

Best Regards,
Konstantin Kostiuk.


On Tue, Apr 16, 2024 at 5:46 PM Aidan Leuck <aidan_leuck@selinc.com> wrote:

> Hello Konstantin,
>
> Is there anything you would like to see addresses in this patch before it
> merges? This patch has been up for a bit and there hasn't been any activity
> in a while. Our team is motivated to get this merged, so let me know if
> there is anything I can do on my end to make the review easier for you. I
> understand as a maintainer your position is voluntary and unpaid so if you
> just haven't had time to look it over and validate it, I completely
> understand.
>
> Thank you,
> Aidan Leuck
>
> -----Original Message-----
> From: aidan_leuck@selinc.com <aidan_leuck@selinc.com>
> Sent: Friday, March 29, 2024 9:32 AM
> To: qemu-devel@nongnu.org
> Cc: kkostiuk@redhat.com; philmd@linaro.org; Aidan Leuck <
> aidan_leuck@selinc.com>
> Subject: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows
>
> From: aidaleuc <aidan_leuck@selinc.com>
>
> This patch aims to implement guest-ssh-add-authorized-keys,
> guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys for
> Windows. This PR is based on Microsoft's OpenSSH implementation
> https://github.com/PowerShell/Win32-OpenSSH. The guest agents will
> support Kubevirt and allow guest agent propagation to be used to
> dynamically inject SSH keys.
>
> https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent
>
> Changes since v5
> * Fixed spurious formatting
>
> Changes since v4
> * Moved qapi/error.h to commands-common-ssh.c
> * Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h"
> * Removed stbool.h from commands-common-ssh.h
>
> Changes since v3
> * Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
> * Fixed styling errors discovered by checkpatch.pl
> * Moved some header includes to the commands-common-ssh.h
>
> Changes since v2
> * Set indent to 4 spaces
> * Moved all comments to C style comments
> * Fixed a segfault bug in get_user_info function related to non zeroed
> memory when a user did not exist.
> * Used g_new0 instead of g_malloc where applicable
> * Modified newlines in qapi-schema.json
> * Added newlines at the end of all files
> * GError functions now use g_autoptr instead of being freed manually.
> * Refactored get_ssh_folder to remove goto error statement
> * Fixed uninitialized variable pgDataW
> * Modified patch order so that the generalization patch is the first patch
> * Removed unnecssary ZeroMemory calls
>
> Changes since v1
> * Fixed styling errors
> * Moved from wcstombs to g_utf functions
> * Removed unnecessary if checks on calls to free
> * Fixed copyright headers
> * Refactored create_acl functions into base function, admin function and
> user function
> * Removed unused user count function
> * Split up refactor of existing code into a separate patch
>
> aidaleuc (2):
>   Refactor common functions between POSIX and Windows implementation
>   Implement SSH commands in QEMU GA for Windows
>
>  qga/commands-common-ssh.c  |  50 +++
>  qga/commands-common-ssh.h  |  10 +
>  qga/commands-posix-ssh.c   |  47 +--
>  qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
>  qga/commands-windows-ssh.h |  26 ++
>  qga/meson.build            |  12 +-
>  qga/qapi-schema.json       |  17 +-
>  7 files changed, 893 insertions(+), 58 deletions(-)  create mode 100644
> qga/commands-common-ssh.c  create mode 100644 qga/commands-common-ssh.h
> create mode 100644 qga/commands-windows-ssh.c  create mode 100644
> qga/commands-windows-ssh.h
>
> --
> 2.34.1
>
>

[-- Attachment #2: Type: text/html, Size: 5428 bytes --]

RE: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Aidan Leuck]

[-- Attachment #1: Type: text/plain, Size: 5149 bytes --]

Hi Konstantin,

Thank you for the quick response. I didn’t realize the QEMU was in a code freeze, thank you for letting me know. Let me know if you find any defects in the patch and I will fix them promptly.

Aidan Leuck

From: Konstantin Kostiuk <kkostiuk@redhat.com>
Sent: Wednesday, April 17, 2024 10:33 AM
To: Aidan Leuck <aidan_leuck@selinc.com>
Cc: qemu-devel@nongnu.org; philmd@linaro.org
Subject: Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Caution - External]
 Hi Aidan,

Thank you for these patches. Currently, I don't have any comments.
I asked QE from my team to test this patch and wait for feedback.
Also, QEMU is in the code freeze stage now, so I plan to merge all QGA
patches after release.

Best Regards,
Konstantin Kostiuk.


On Tue, Apr 16, 2024 at 5:46 PM Aidan Leuck <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>> wrote:
Hello Konstantin,

Is there anything you would like to see addresses in this patch before it merges? This patch has been up for a bit and there hasn't been any activity in a while. Our team is motivated to get this merged, so let me know if there is anything I can do on my end to make the review easier for you. I understand as a maintainer your position is voluntary and unpaid so if you just haven't had time to look it over and validate it, I completely understand.

Thank you,
Aidan Leuck

-----Original Message-----
From: aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com> <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>>
Sent: Friday, March 29, 2024 9:32 AM
To: qemu-devel@nongnu.org<mailto:qemu-devel@nongnu.org>
Cc: kkostiuk@redhat.com<mailto:kkostiuk@redhat.com>; philmd@linaro.org<mailto:philmd@linaro.org>; Aidan Leuck <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>>
Subject: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

From: aidaleuc <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>>

This patch aims to implement guest-ssh-add-authorized-keys, guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys for Windows. This PR is based on Microsoft's OpenSSH implementation https://github.com/PowerShell/Win32-OpenSSH [github.com]<https://urldefense.com/v3/__https:/github.com/PowerShell/Win32-OpenSSH__;!!O7uE89YCNVw!OtAz8IOcaKX6FC4kqD0qGgiKokfHlyEGjGWl5enCkQcfU4aDtP4YC4sFPy3W0hTOvg1t7eOVMcJtx7GLhZk$>. The guest agents will support Kubevirt and allow guest agent propagation to be used to dynamically inject SSH keys.
https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent [kubevirt.io]<https://urldefense.com/v3/__https:/kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/*dynamic-ssh-public-key-injection-via-qemu-guest-agent__;Iw!!O7uE89YCNVw!OtAz8IOcaKX6FC4kqD0qGgiKokfHlyEGjGWl5enCkQcfU4aDtP4YC4sFPy3W0hTOvg1t7eOVMcJtGQmdmLI$>

Changes since v5
* Fixed spurious formatting

Changes since v4
* Moved qapi/error.h to commands-common-ssh.c
* Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h"
* Removed stbool.h from commands-common-ssh.h

Changes since v3
* Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
* Fixed styling errors discovered by checkpatch.pl [checkpatch.pl]<https://urldefense.com/v3/__http:/checkpatch.pl__;!!O7uE89YCNVw!OtAz8IOcaKX6FC4kqD0qGgiKokfHlyEGjGWl5enCkQcfU4aDtP4YC4sFPy3W0hTOvg1t7eOVMcJtHKff5AQ$>
* Moved some header includes to the commands-common-ssh.h

Changes since v2
* Set indent to 4 spaces
* Moved all comments to C style comments
* Fixed a segfault bug in get_user_info function related to non zeroed memory when a user did not exist.
* Used g_new0 instead of g_malloc where applicable
* Modified newlines in qapi-schema.json
* Added newlines at the end of all files
* GError functions now use g_autoptr instead of being freed manually.
* Refactored get_ssh_folder to remove goto error statement
* Fixed uninitialized variable pgDataW
* Modified patch order so that the generalization patch is the first patch
* Removed unnecssary ZeroMemory calls

Changes since v1
* Fixed styling errors
* Moved from wcstombs to g_utf functions
* Removed unnecessary if checks on calls to free
* Fixed copyright headers
* Refactored create_acl functions into base function, admin function and user function
* Removed unused user count function
* Split up refactor of existing code into a separate patch

aidaleuc (2):
  Refactor common functions between POSIX and Windows implementation
  Implement SSH commands in QEMU GA for Windows

 qga/commands-common-ssh.c  |  50 +++
 qga/commands-common-ssh.h  |  10 +
 qga/commands-posix-ssh.c   |  47 +--
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |  12 +-
 qga/qapi-schema.json       |  17 +-
 7 files changed, 893 insertions(+), 58 deletions(-)  create mode 100644 qga/commands-common-ssh.c  create mode 100644 qga/commands-common-ssh.h  create mode 100644 qga/commands-windows-ssh.c  create mode 100644 qga/commands-windows-ssh.h

--
2.34.1

[-- Attachment #2: Type: text/html, Size: 10130 bytes --]

Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Konstantin Kostiuk]

[-- Attachment #1.1: Type: text/plain, Size: 4836 bytes --]

Hi Aidan,

I tried these patches with OpenSSH Server installed from Windows Features
and public key
authorization does not work. Guest OS Windows Server 2022. Do you expect to
use OpenSSH
from Windows Features or not?
As OpenSSH Server is a build feature for Server 2022 and new versions of
Windows 10/11, I expect
that patch should work with it too.

Also from MSDN
https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui
```
If you downloaded the OpenSSH beta from the GitHub repo at
PowerShell/Win32-OpenSSH <https://github.com/PowerShell/Win32-OpenSSH>,
follow the instructions listed there, not the ones in this article
```
So, why we should look at beta version behavior while MS provides a stable
one from Features?



I debug the problem and the reason for ignoring SSH keys is the permissions
of administrators_authorized_keys.
SSH server does not allow S-1-5-11 and S-1-1-0 permission.

4384 2024-04-22 01:19:57.763 debug1: trying public key file
__PROGRAMDATA__/ssh/administrators_authorized_keys
4384 2024-04-22 01:19:57.763 debug3: Bad permissions. Try removing
permissions for user: \\Everyone (S-1-1-0) on file
C:/ProgramData/ssh/administrators_authorized_keys.
4384 2024-04-22 01:19:57.763 Authentication refused.

6824 2024-04-22 01:21:13.966 debug1: trying public key file
__PROGRAMDATA__/ssh/administrators_authorized_keys
6824 2024-04-22 01:21:13.966 debug3: Bad permissions. Try removing
permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file
C:/ProgramData/ssh/administrators_authorized_keys.
6824 2024-04-22 01:21:13.966 Authentication refused.

I attached 2 screenshots of permissions. The first one with permission that
file has after
guest-ssh-add-authorized-keys command and the second one with proper
permissions
to make the SSH server happy.



[image: Screenshot_20240422_112242.png]
[image: Screenshot_20240422_112352.png]


Best Regards,
Konstantin Kostiuk.


On Fri, Mar 29, 2024 at 5:32 PM <aidan_leuck@selinc.com> wrote:

> From: aidaleuc <aidan_leuck@selinc.com>
>
> This patch aims to implement guest-ssh-add-authorized-keys,
> guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys
> for Windows. This PR is based on Microsoft's OpenSSH implementation
> https://github.com/PowerShell/Win32-OpenSSH. The guest agents
> will support Kubevirt and allow guest agent propagation to be used to
> dynamically inject SSH keys.
>
> https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent
>
> Changes since v5
> * Fixed spurious formatting
>
> Changes since v4
> * Moved qapi/error.h to commands-common-ssh.c
> * Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h"
> * Removed stbool.h from commands-common-ssh.h
>
> Changes since v3
> * Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
> * Fixed styling errors discovered by checkpatch.pl
> * Moved some header includes to the commands-common-ssh.h
>
> Changes since v2
> * Set indent to 4 spaces
> * Moved all comments to C style comments
> * Fixed a segfault bug in get_user_info function related to non zeroed
> memory when a user did not exist.
> * Used g_new0 instead of g_malloc where applicable
> * Modified newlines in qapi-schema.json
> * Added newlines at the end of all files
> * GError functions now use g_autoptr instead of being freed manually.
> * Refactored get_ssh_folder to remove goto error statement
> * Fixed uninitialized variable pgDataW
> * Modified patch order so that the generalization patch is the first patch
> * Removed unnecssary ZeroMemory calls
>
> Changes since v1
> * Fixed styling errors
> * Moved from wcstombs to g_utf functions
> * Removed unnecessary if checks on calls to free
> * Fixed copyright headers
> * Refactored create_acl functions into base function, admin function and
> user function
> * Removed unused user count function
> * Split up refactor of existing code into a separate patch
>
> aidaleuc (2):
>   Refactor common functions between POSIX and Windows implementation
>   Implement SSH commands in QEMU GA for Windows
>
>  qga/commands-common-ssh.c  |  50 +++
>  qga/commands-common-ssh.h  |  10 +
>  qga/commands-posix-ssh.c   |  47 +--
>  qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
>  qga/commands-windows-ssh.h |  26 ++
>  qga/meson.build            |  12 +-
>  qga/qapi-schema.json       |  17 +-
>  7 files changed, 893 insertions(+), 58 deletions(-)
>  create mode 100644 qga/commands-common-ssh.c
>  create mode 100644 qga/commands-common-ssh.h
>  create mode 100644 qga/commands-windows-ssh.c
>  create mode 100644 qga/commands-windows-ssh.h
>
> --
> 2.34.1
>
>

[-- Attachment #1.2: Type: text/html, Size: 6363 bytes --]

[-- Attachment #2: Screenshot_20240422_112242.png --]
[-- Type: image/png, Size: 34460 bytes --]

[-- Attachment #3: Screenshot_20240422_112352.png --]
[-- Type: image/png, Size: 23860 bytes --]

RE: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Aidan Leuck]

[-- Attachment #1.1: Type: text/plain, Size: 6833 bytes --]

Hi Konstantin,

Thank you for taking the time to look over the patch and test it. I do expect this to work when installing OpenSSH by Windows features. I have been testing my implementation on Windows 11 which uses a newer version of OpenSSH server than the one shipped with Windows Server 2022. I was able to get a hold of a Windows Server VM and I was able to reproduce what you are describing. I will have a patch coming out shortly with a fix for the issue. I tested the new patch on both Windows Server 2022 (installed from Windows Features) Windows 11 (Installed From Windows Features) and the latest beta release from OpenSSH on Github. Everything appears to be working now. Let me know if you are still running into issues.

Aidan Leuck


From: Konstantin Kostiuk <kkostiuk@redhat.com>
Sent: Monday, April 22, 2024 2:51 AM
To: Aidan Leuck <aidan_leuck@selinc.com>
Cc: qemu-devel@nongnu.org; philmd@linaro.org; Dehan Meng <demeng@redhat.com>
Subject: Re: [PATCH v6 0/2] Implement SSH commands in QEMU GA for Windows

[Caution - External]
Hi Aidan,

I tried these patches with OpenSSH Server installed from Windows Features and public key
authorization does not work. Guest OS Windows Server 2022. Do you expect to use OpenSSH
from Windows Features or not?
As OpenSSH Server is a build feature for Server 2022 and new versions of Windows 10/11, I expect
that patch should work with it too.

Also from MSDN https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui [learn.microsoft.com]<https://urldefense.com/v3/__https:/learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui__;!!O7uE89YCNVw!KEDGHaIhqoR0KQbOYpSXein-to0o-nbBldvZweoN_XxpVxYZEZ7jTHGr5w1X0G4gMbfdKm_P2Bsz5PCpcf4$>
```
If you downloaded the OpenSSH beta from the GitHub repo at PowerShell/Win32-OpenSSH [github.com]<https://urldefense.com/v3/__https:/github.com/PowerShell/Win32-OpenSSH__;!!O7uE89YCNVw!KEDGHaIhqoR0KQbOYpSXein-to0o-nbBldvZweoN_XxpVxYZEZ7jTHGr5w1X0G4gMbfdKm_P2BszTIKz9J4$>, follow the instructions listed there, not the ones in this article
```
So, why we should look at beta version behavior while MS provides a stable one from Features?


I debug the problem and the reason for ignoring SSH keys is the permissions of administrators_authorized_keys.
SSH server does not allow S-1-5-11 and S-1-1-0 permission.

4384 2024-04-22 01:19:57.763 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
4384 2024-04-22 01:19:57.763 debug3: Bad permissions. Try removing permissions for user: \\Everyone<file://Everyone> (S-1-1-0) on file C:/ProgramData/ssh/administrators_authorized_keys.
4384 2024-04-22 01:19:57.763 Authentication refused.

6824 2024-04-22 01:21:13.966 debug1: trying public key file __PROGRAMDATA__/ssh/administrators_authorized_keys
6824 2024-04-22 01:21:13.966 debug3: Bad permissions. Try removing permissions for user: NT AUTHORITY\\Authenticated Users (S-1-5-11) on file C:/ProgramData/ssh/administrators_authorized_keys.
6824 2024-04-22 01:21:13.966 Authentication refused.

I attached 2 screenshots of permissions. The first one with permission that file has after
guest-ssh-add-authorized-keys command and the second one with proper permissions
to make the SSH server happy.



[cid:image001.png@01DA94AF.6FB8CA60]
[cid:image002.png@01DA94AF.6FB8CA60]

Best Regards,
Konstantin Kostiuk.


On Fri, Mar 29, 2024 at 5:32 PM <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>> wrote:
From: aidaleuc <aidan_leuck@selinc.com<mailto:aidan_leuck@selinc.com>>

This patch aims to implement guest-ssh-add-authorized-keys, guest-ssh-remove-authorized-keys, and guest-ssh-get-authorized-keys
for Windows. This PR is based on Microsoft's OpenSSH implementation https://github.com/PowerShell/Win32-OpenSSH [github.com]<https://urldefense.com/v3/__https:/github.com/PowerShell/Win32-OpenSSH__;!!O7uE89YCNVw!KEDGHaIhqoR0KQbOYpSXein-to0o-nbBldvZweoN_XxpVxYZEZ7jTHGr5w1X0G4gMbfdKm_P2BszTIKz9J4$>. The guest agents
will support Kubevirt and allow guest agent propagation to be used to dynamically inject SSH keys.
https://kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/#dynamic-ssh-public-key-injection-via-qemu-guest-agent [kubevirt.io]<https://urldefense.com/v3/__https:/kubevirt.io/user-guide/virtual_machines/accessing_virtual_machines/*dynamic-ssh-public-key-injection-via-qemu-guest-agent__;Iw!!O7uE89YCNVw!KEDGHaIhqoR0KQbOYpSXein-to0o-nbBldvZweoN_XxpVxYZEZ7jTHGr5w1X0G4gMbfdKm_P2Bszxa0EIWg$>

Changes since v5
* Fixed spurious formatting

Changes since v4
* Moved qapi/error.h to commands-common-ssh.c
* Changed <qga-qapi-types.h> to "qapi/qapi-builtin-types.h"
* Removed stbool.h from commands-common-ssh.h

Changes since v3
* Renamed commands-ssh-core.c/h to commands-common-ssh.c/h
* Fixed styling errors discovered by checkpatch.pl [checkpatch.pl]<https://urldefense.com/v3/__http:/checkpatch.pl__;!!O7uE89YCNVw!KEDGHaIhqoR0KQbOYpSXein-to0o-nbBldvZweoN_XxpVxYZEZ7jTHGr5w1X0G4gMbfdKm_P2Bszbg-oJII$>
* Moved some header includes to the commands-common-ssh.h

Changes since v2
* Set indent to 4 spaces
* Moved all comments to C style comments
* Fixed a segfault bug in get_user_info function related to non zeroed memory when a user did not exist.
* Used g_new0 instead of g_malloc where applicable
* Modified newlines in qapi-schema.json
* Added newlines at the end of all files
* GError functions now use g_autoptr instead of being freed manually.
* Refactored get_ssh_folder to remove goto error statement
* Fixed uninitialized variable pgDataW
* Modified patch order so that the generalization patch is the first patch
* Removed unnecssary ZeroMemory calls

Changes since v1
* Fixed styling errors
* Moved from wcstombs to g_utf functions
* Removed unnecessary if checks on calls to free
* Fixed copyright headers
* Refactored create_acl functions into base function, admin function and user function
* Removed unused user count function
* Split up refactor of existing code into a separate patch

aidaleuc (2):
  Refactor common functions between POSIX and Windows implementation
  Implement SSH commands in QEMU GA for Windows

 qga/commands-common-ssh.c  |  50 +++
 qga/commands-common-ssh.h  |  10 +
 qga/commands-posix-ssh.c   |  47 +--
 qga/commands-windows-ssh.c | 789 +++++++++++++++++++++++++++++++++++++
 qga/commands-windows-ssh.h |  26 ++
 qga/meson.build            |  12 +-
 qga/qapi-schema.json       |  17 +-
 7 files changed, 893 insertions(+), 58 deletions(-)
 create mode 100644 qga/commands-common-ssh.c
 create mode 100644 qga/commands-common-ssh.h
 create mode 100644 qga/commands-windows-ssh.c
 create mode 100644 qga/commands-windows-ssh.h

--
2.34.1

[-- Attachment #1.2: Type: text/html, Size: 12449 bytes --]

[-- Attachment #2: image001.png --]
[-- Type: image/png, Size: 34460 bytes --]

[-- Attachment #3: image002.png --]
[-- Type: image/png, Size: 23860 bytes --]