block: Add support for Secure Shell (ssh) block device.

  qemu-system-x86_64 -drive file=ssh://hostname/some/image

QEMU will ssh into 'hostname' and open '/some/image' which is made
available as a standard block device.

You can specify a username (ssh://user@host/...) and/or a port number
(ssh://host:port/...).  You can also use an alternate syntax using
properties (file.user, file.host, file.port, file.path).

Current limitations:

- Authentication must be done without passwords or passphrases, using
  ssh-agent.  Other authentication methods are not supported.

- Uses a single connection, instead of concurrent AIO with multiple
  SSH connections.

This is implemented using libssh2 on the client side.  The server just
requires a regular ssh daemon with sftp-server support.  Most ssh
daemons on Unix/Linux systems will work out of the box.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Cc: Stefan Hajnoczi <stefanha@gmail.com>
Cc: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
diff --git a/block/Makefile.objs b/block/Makefile.objs
index c067f38..6c4b5bc 100644
--- a/block/Makefile.objs
+++ b/block/Makefile.objs
@@ -13,6 +13,7 @@
 block-obj-$(CONFIG_CURL) += curl.o
 block-obj-$(CONFIG_RBD) += rbd.o
 block-obj-$(CONFIG_GLUSTERFS) += gluster.o
+block-obj-$(CONFIG_LIBSSH2) += ssh.o
 endif
 
 common-obj-y += stream.o
diff --git a/block/ssh.c b/block/ssh.c
new file mode 100644
index 0000000..89a9017
--- /dev/null
+++ b/block/ssh.c
@@ -0,0 +1,995 @@
+/*
+ * Secure Shell (ssh) backend for QEMU.
+ *
+ * Copyright (C) 2013 Red Hat Inc., Richard W.M. Jones <rjones@redhat.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <libssh2.h>
+#include <libssh2_sftp.h>
+
+#include "block/block_int.h"
+#include "qemu/sockets.h"
+#include "qemu/uri.h"
+#include "qapi/qmp/qint.h"
+
+/* DEBUG_SSH=1 enables the DPRINTF (debugging printf) statements in
+ * this block driver code.
+ *
+ * TRACE_LIBSSH2=<bitmask> enables tracing in libssh2 itself.  Note
+ * that this requires that libssh2 was specially compiled with the
+ * `./configure --enable-debug' option, so most likely you will have
+ * to compile it yourself.  The meaning of <bitmask> is described
+ * here: http://www.libssh2.org/libssh2_trace.html
+ */
+#define DEBUG_SSH     0
+#define TRACE_LIBSSH2 0 /* or try: LIBSSH2_TRACE_SFTP */
+
+#define DPRINTF(fmt, ...)                           \
+    do {                                            \
+        if (DEBUG_SSH) {                            \
+            fprintf(stderr, "ssh: %-15s " fmt "\n", \
+                    __func__, ##__VA_ARGS__);       \
+        }                                           \
+    } while (0)
+
+typedef struct BDRVSSHState {
+    /* Coroutine. */
+    CoMutex lock;
+
+    /* SSH connection. */
+    int sock;                         /* socket */
+    LIBSSH2_SESSION *session;         /* ssh session */
+    LIBSSH2_SFTP *sftp;               /* sftp session */
+    LIBSSH2_SFTP_HANDLE *sftp_handle; /* sftp remote file handle */
+
+    /* See ssh_seek() function below. */
+    int64_t offset;
+    bool offset_op_read;
+
+    /* File attributes at open.  We try to keep the .filesize field
+     * updated if it changes (eg by writing at the end of the file).
+     */
+    LIBSSH2_SFTP_ATTRIBUTES attrs;
+} BDRVSSHState;
+
+static void ssh_state_init(BDRVSSHState *s)
+{
+    memset(s, 0, sizeof *s);
+    s->sock = -1;
+    s->offset = -1;
+    qemu_co_mutex_init(&s->lock);
+}
+
+static void ssh_state_free(BDRVSSHState *s)
+{
+    if (s->sftp_handle) {
+        libssh2_sftp_close(s->sftp_handle);
+    }
+    if (s->sftp) {
+        libssh2_sftp_shutdown(s->sftp);
+    }
+    if (s->session) {
+        libssh2_session_disconnect(s->session,
+                                   "from qemu ssh client: "
+                                   "user closed the connection");
+        libssh2_session_free(s->session);
+    }
+    if (s->sock >= 0) {
+        close(s->sock);
+    }
+}
+
+/* Wrappers around error_report which make sure to dump as much
+ * information from libssh2 as possible.
+ */
+static void
+session_error_report(BDRVSSHState *s, const char *fs, ...)
+{
+    va_list args;
+
+    va_start(args, fs);
+    error_vprintf(fs, args);
+
+    if ((s)->session) {
+        char *ssh_err;
+        int ssh_err_code;
+
+        libssh2_session_last_error((s)->session, &ssh_err, NULL, 0);
+        /* This is not an errno.  See <libssh2.h>. */
+        ssh_err_code = libssh2_session_last_errno((s)->session);
+
+        error_printf(": %s (libssh2 error code: %d)", ssh_err, ssh_err_code);
+    }
+
+    va_end(args);
+    error_printf("\n");
+}
+
+static void
+sftp_error_report(BDRVSSHState *s, const char *fs, ...)
+{
+    va_list args;
+
+    va_start(args, fs);
+    error_vprintf(fs, args);
+
+    if ((s)->sftp) {
+        char *ssh_err;
+        int ssh_err_code;
+        unsigned long sftp_err_code;
+
+        libssh2_session_last_error((s)->session, &ssh_err, NULL, 0);
+        /* This is not an errno.  See <libssh2.h>. */
+        ssh_err_code = libssh2_session_last_errno((s)->session);
+        /* See <libssh2_sftp.h>. */
+        sftp_err_code = libssh2_sftp_last_error((s)->sftp);
+
+        error_printf(": %s (libssh2 error code: %d, sftp error code: %lu)",
+                     ssh_err, ssh_err_code, sftp_err_code);
+    }
+
+    va_end(args);
+    error_printf("\n");
+}
+
+static int parse_uri(const char *filename, QDict *options, Error **errp)
+{
+    URI *uri = NULL;
+    QueryParams *qp = NULL;
+    int i;
+
+    uri = uri_parse(filename);
+    if (!uri) {
+        return -EINVAL;
+    }
+
+    if (strcmp(uri->scheme, "ssh") != 0) {
+        error_setg(errp, "URI scheme must be 'ssh'");
+        goto err;
+    }
+
+    if (!uri->server || strcmp(uri->server, "") == 0) {
+        error_setg(errp, "missing hostname in URI");
+        goto err;
+    }
+
+    if (!uri->path || strcmp(uri->path, "") == 0) {
+        error_setg(errp, "missing remote path in URI");
+        goto err;
+    }
+
+    qp = query_params_parse(uri->query);
+    if (!qp) {
+        error_setg(errp, "could not parse query parameters");
+        goto err;
+    }
+
+    if(uri->user && strcmp(uri->user, "") != 0) {
+        qdict_put(options, "user", qstring_from_str(uri->user));
+    }
+
+    qdict_put(options, "host", qstring_from_str(uri->server));
+
+    if (uri->port) {
+        qdict_put(options, "port", qint_from_int(uri->port));
+    }
+
+    qdict_put(options, "path", qstring_from_str(uri->path));
+
+    /* Pick out any query parameters that we understand, and ignore
+     * the rest.
+     */
+    for (i = 0; i < qp->n; ++i) {
+        if (strcmp(qp->p[i].name, "host_key_check") == 0) {
+            qdict_put(options, "host_key_check",
+                      qstring_from_str(qp->p[i].value));
+        }
+    }
+
+    query_params_free(qp);
+    uri_free(uri);
+    return 0;
+
+ err:
+    if (qp) {
+      query_params_free(qp);
+    }
+    if (uri) {
+      uri_free(uri);
+    }
+    return -EINVAL;
+}
+
+static void ssh_parse_filename(const char *filename, QDict *options,
+                               Error **errp)
+{
+    if (qdict_haskey(options, "user") ||
+        qdict_haskey(options, "host") ||
+        qdict_haskey(options, "port") ||
+        qdict_haskey(options, "path") ||
+        qdict_haskey(options, "host_key_check")) {
+        error_setg(errp, "user, host, port, path, host_key_check cannot be used at the same time as a file option");
+        return;
+    }
+
+    parse_uri(filename, options, errp);
+}
+
+static int check_host_key_knownhosts(BDRVSSHState *s,
+                                     const char *host, int port)
+{
+    const char *home;
+    char *knh_file = NULL;
+    LIBSSH2_KNOWNHOSTS *knh = NULL;
+    struct libssh2_knownhost *found;
+    int ret, r;
+    const char *hostkey;
+    size_t len;
+    int type;
+
+    hostkey = libssh2_session_hostkey(s->session, &len, &type);
+    if (!hostkey) {
+        ret = -EINVAL;
+        session_error_report(s, "failed to read remote host key");
+        goto out;
+    }
+
+    knh = libssh2_knownhost_init(s->session);
+    if (!knh) {
+        ret = -EINVAL;
+        session_error_report(s, "failed to initialize known hosts support");
+        goto out;
+    }
+
+    home = getenv("HOME");
+    if (home) {
+        knh_file = g_strdup_printf("%s/.ssh/known_hosts", home);
+    } else {
+        knh_file = g_strdup_printf("/root/.ssh/known_hosts");
+    }
+
+    /* Read all known hosts from OpenSSH-style known_hosts file. */
+    libssh2_knownhost_readfile(knh, knh_file, LIBSSH2_KNOWNHOST_FILE_OPENSSH);
+
+    r = libssh2_knownhost_checkp(knh, host, port, hostkey, len,
+                                 LIBSSH2_KNOWNHOST_TYPE_PLAIN|
+                                 LIBSSH2_KNOWNHOST_KEYENC_RAW,
+                                 &found);
+    switch (r) {
+    case LIBSSH2_KNOWNHOST_CHECK_MATCH:
+        /* OK */
+        DPRINTF("host key OK: %s", found->key);
+        break;
+    case LIBSSH2_KNOWNHOST_CHECK_MISMATCH:
+        ret = -EINVAL;
+        session_error_report(s, "host key does not match the one in known_hosts (found key %s)",
+                             found->key);
+        goto out;
+    case LIBSSH2_KNOWNHOST_CHECK_NOTFOUND:
+        ret = -EINVAL;
+        session_error_report(s, "no host key was found in known_hosts");
+        goto out;
+    case LIBSSH2_KNOWNHOST_CHECK_FAILURE:
+        ret = -EINVAL;
+        session_error_report(s, "failure matching the host key with known_hosts");
+        goto out;
+    default:
+        ret = -EINVAL;
+        session_error_report(s, "unknown error matching the host key with known_hosts (%d)",
+                             r);
+        goto out;
+    }
+
+    /* known_hosts checking successful. */
+    ret = 0;
+
+ out:
+    if (knh != NULL) {
+        libssh2_knownhost_free(knh);
+    }
+    g_free(knh_file);
+    return ret;
+}
+
+static unsigned hex2decimal(char ch)
+{
+    if (ch >= '0' && ch <= '9') {
+        return (ch - '0');
+    } else if (ch >= 'a' && ch <= 'f') {
+        return 10 + (ch - 'a');
+    } else if (ch >= 'A' && ch <= 'F') {
+        return 10 + (ch - 'A');
+    }
+
+    return -1;
+}
+
+/* Compare the binary fingerprint (hash of host key) with the
+ * host_key_check parameter.
+ */
+static int compare_fingerprint(const unsigned char *fingerprint, size_t len,
+                               const char *host_key_check)
+{
+    unsigned c;
+
+    while (len > 0) {
+        while (*host_key_check == ':')
+            host_key_check++;
+        if (!qemu_isxdigit(host_key_check[0]) ||
+            !qemu_isxdigit(host_key_check[1]))
+            return 1;
+        c = hex2decimal(host_key_check[0]) * 16 +
+            hex2decimal(host_key_check[1]);
+        if (c - *fingerprint != 0)
+            return c - *fingerprint;
+        fingerprint++;
+        len--;
+        host_key_check += 2;
+    }
+    return *host_key_check - '\0';
+}
+
+static int
+check_host_key_hash(BDRVSSHState *s, const char *hash,
+                    int hash_type, size_t fingerprint_len)
+{
+    const char *fingerprint;
+
+    fingerprint = libssh2_hostkey_hash(s->session, hash_type);
+    if (!fingerprint) {
+        session_error_report(s, "failed to read remote host key");
+        return -EINVAL;
+    }
+
+    if(compare_fingerprint((unsigned char *) fingerprint, fingerprint_len,
+                           hash) != 0) {
+        error_report("remote host key does not match host_key_check '%s'",
+                     hash);
+        return -EPERM;
+    }
+
+    return 0;
+}
+
+static int check_host_key(BDRVSSHState *s, const char *host, int port,
+                          const char *host_key_check)
+{
+    /* host_key_check=no */
+    if (strcmp(host_key_check, "no") == 0) {
+        return 0;
+    }
+
+    /* host_key_check=md5:xx:yy:zz:... */
+    if (strlen(host_key_check) >= 4 &&
+        strncmp(host_key_check, "md5:", 4) == 0) {
+        return check_host_key_hash(s, &host_key_check[4],
+                                   LIBSSH2_HOSTKEY_HASH_MD5, 16);
+    }
+
+    /* host_key_check=sha1:xx:yy:zz:... */
+    if (strlen(host_key_check) >= 5 &&
+        strncmp(host_key_check, "sha1:", 5) == 0) {
+        return check_host_key_hash(s, &host_key_check[5],
+                                   LIBSSH2_HOSTKEY_HASH_SHA1, 20);
+    }
+
+    /* host_key_check=yes */
+    if (strcmp(host_key_check, "yes") == 0) {
+        return check_host_key_knownhosts(s, host, port);
+    }
+
+    error_report("unknown host_key_check setting (%s)", host_key_check);
+    return -EINVAL;
+}
+
+static int authenticate(BDRVSSHState *s, const char *user)
+{
+    int r, ret;
+    const char *userauthlist;
+    LIBSSH2_AGENT *agent = NULL;
+    struct libssh2_agent_publickey *identity;
+    struct libssh2_agent_publickey *prev_identity = NULL;
+
+    userauthlist = libssh2_userauth_list(s->session, user, strlen(user));
+    if (strstr(userauthlist, "publickey") == NULL) {
+        ret = -EPERM;
+        error_report("remote server does not support \"publickey\" authentication");
+        goto out;
+    }
+
+    /* Connect to ssh-agent and try each identity in turn. */
+    agent = libssh2_agent_init(s->session);
+    if (!agent) {
+        ret = -EINVAL;
+        session_error_report(s, "failed to initialize ssh-agent support");
+        goto out;
+    }
+    if (libssh2_agent_connect(agent)) {
+        ret = -ECONNREFUSED;
+        session_error_report(s, "failed to connect to ssh-agent");
+        goto out;
+    }
+    if (libssh2_agent_list_identities(agent)) {
+        ret = -EINVAL;
+        session_error_report(s, "failed requesting identities from ssh-agent");
+        goto out;
+    }
+
+    for(;;) {
+        r = libssh2_agent_get_identity(agent, &identity, prev_identity);
+        if (r == 1) {           /* end of list */
+            break;
+        }
+        if (r < 0) {
+            ret = -EINVAL;
+            session_error_report(s, "failed to obtain identity from ssh-agent");
+            goto out;
+        }
+        r = libssh2_agent_userauth(agent, user, identity);
+        if (r == 0) {
+            /* Authenticated! */
+            ret = 0;
+            goto out;
+        }
+        /* Failed to authenticate with this identity, try the next one. */
+        prev_identity = identity;
+    }
+
+    ret = -EPERM;
+    error_report("failed to authenticate using publickey authentication "
+                 "and the identities held by your ssh-agent");
+
+ out:
+    if (agent != NULL) {
+        /* Note: libssh2 implementation implicitly calls
+         * libssh2_agent_disconnect if necessary.
+         */
+        libssh2_agent_free(agent);
+    }
+
+    return ret;
+}
+
+static int connect_to_ssh(BDRVSSHState *s, QDict *options,
+                          int ssh_flags, int creat_mode)
+{
+    int r, ret;
+    Error *err = NULL;
+    const char *host, *user, *path, *host_key_check;
+    int port;
+    char *hostport = NULL;
+
+    host = qdict_get_str(options, "host");
+
+    if (qdict_haskey(options, "port")) {
+        port = qdict_get_int(options, "port");
+    } else {
+        port = 22;
+    }
+
+    path = qdict_get_str(options, "path");
+
+    if (qdict_haskey(options, "user")) {
+        user = qdict_get_str(options, "user");
+    } else {
+        user = g_get_user_name();
+        if (!user) {
+            ret = -errno;
+            goto err;
+        }
+    }
+
+    if (qdict_haskey(options, "host_key_check")) {
+        host_key_check = qdict_get_str(options, "host_key_check");
+    } else {
+        host_key_check = "yes";
+    }
+
+    /* Open the socket and connect. */
+    hostport = g_strdup_printf("%s:%d", host, port);
+    s->sock = inet_connect(hostport, &err);
+    if (err != NULL) {
+        ret = -errno;
+        qerror_report_err(err);
+        error_free(err);
+        goto err;
+    }
+
+    /* Create SSH session. */
+    s->session = libssh2_session_init();
+    if (!s->session) {
+        ret = -EINVAL;
+        session_error_report(s, "failed to initialize libssh2 session");
+        goto err;
+    }
+
+#if TRACE_LIBSSH2 != 0
+    libssh2_trace(s->session, TRACE_LIBSSH2);
+#endif
+
+    r = libssh2_session_handshake(s->session, s->sock);
+    if (r != 0) {
+        ret = -EINVAL;
+        session_error_report(s, "failed to establish SSH session");
+        goto err;
+    }
+
+    /* Check the remote host's key against known_hosts. */
+    ret = check_host_key(s, host, port, host_key_check);
+    if (ret < 0) {
+        goto err;
+    }
+
+    /* Authenticate. */
+    ret = authenticate(s, user);
+    if (ret < 0) {
+        goto err;
+    }
+
+    /* Start SFTP. */
+    s->sftp = libssh2_sftp_init(s->session);
+    if (!s->sftp) {
+        session_error_report(s, "failed to initialize sftp handle");
+        ret = -EINVAL;
+        goto err;
+    }
+
+    /* Open the remote file. */
+    DPRINTF("opening file %s flags=0x%x creat_mode=0%o",
+            path, ssh_flags, creat_mode);
+    s->sftp_handle = libssh2_sftp_open(s->sftp, path, ssh_flags, creat_mode);
+    if (!s->sftp_handle) {
+        session_error_report(s, "failed to open remote file '%s'", path);
+        ret = -EINVAL;
+        goto err;
+    }
+
+    r = libssh2_sftp_fstat(s->sftp_handle, &s->attrs);
+    if (r < 0) {
+        sftp_error_report(s, "failed to read file attributes");
+        return -EINVAL;
+    }
+
+    /* Delete the options we've used; any not deleted will cause the
+     * block layer to give an error about unused options.
+     */
+    qdict_del(options, "host");
+    qdict_del(options, "port");
+    qdict_del(options, "user");
+    qdict_del(options, "path");
+    qdict_del(options, "host_key_check");
+
+    g_free(hostport);
+    return 0;
+
+ err:
+    if (s->sftp_handle) {
+        libssh2_sftp_close(s->sftp_handle);
+    }
+    s->sftp_handle = NULL;
+    if (s->sftp) {
+        libssh2_sftp_shutdown(s->sftp);
+    }
+    s->sftp = NULL;
+    if (s->session) {
+        libssh2_session_disconnect(s->session,
+                                   "from qemu ssh client: "
+                                   "error opening connection");
+        libssh2_session_free(s->session);
+    }
+    s->session = NULL;
+    g_free(hostport);
+
+    return ret;
+}
+
+static int ssh_file_open(BlockDriverState *bs, const char *filename,
+                         QDict *options, int bdrv_flags)
+{
+    BDRVSSHState *s = bs->opaque;
+    int ret;
+    int ssh_flags;
+
+    ssh_state_init(s);
+
+    ssh_flags = LIBSSH2_FXF_READ;
+    if (bdrv_flags & BDRV_O_RDWR) {
+        ssh_flags |= LIBSSH2_FXF_WRITE;
+    }
+
+    /* Start up SSH. */
+    ret = connect_to_ssh(s, options, ssh_flags, 0);
+    if (ret < 0) {
+        goto err;
+    }
+
+    /* Go non-blocking. */
+    libssh2_session_set_blocking(s->session, 0);
+
+    return 0;
+
+ err:
+    if (s->sock >= 0) {
+        close(s->sock);
+    }
+    s->sock = -1;
+
+    return ret;
+}
+
+static QEMUOptionParameter ssh_create_options[] = {
+    {
+        .name = BLOCK_OPT_SIZE,
+        .type = OPT_SIZE,
+        .help = "Virtual disk size"
+    },
+    { NULL }
+};
+
+static int ssh_create(const char *filename, QEMUOptionParameter *options)
+{
+    int r, ret;
+    Error *local_err = NULL;
+    int64_t total_size = 0;
+    QDict *uri_options = NULL;
+    BDRVSSHState s;
+    ssize_t r2;
+    char c[1] = { '\0' };
+
+    ssh_state_init(&s);
+
+    /* Get desired file size. */
+    while (options && options->name) {
+        if (!strcmp(options->name, BLOCK_OPT_SIZE)) {
+            total_size = options->value.n;
+        }
+        options++;
+    }
+    DPRINTF("total_size=%" PRIi64, total_size);
+
+    uri_options = qdict_new();
+    r = parse_uri(filename, uri_options, &local_err);
+    if (r < 0) {
+        qerror_report_err(local_err);
+        error_free(local_err);
+        ret = r;
+        goto out;
+    }
+
+    r = connect_to_ssh(&s, uri_options,
+                       LIBSSH2_FXF_READ|LIBSSH2_FXF_WRITE|
+                       LIBSSH2_FXF_CREAT|LIBSSH2_FXF_TRUNC, 0644);
+    if (r < 0) {
+        ret = r;
+        goto out;
+    }
+
+    if (total_size > 0) {
+        libssh2_sftp_seek64(s.sftp_handle, total_size-1);
+        r2 = libssh2_sftp_write(s.sftp_handle, c, 1);
+        if (r2 < 0) {
+            sftp_error_report(&s, "truncate failed");
+            ret = -EINVAL;
+            goto out;
+        }
+        s.attrs.filesize = total_size;
+    }
+
+    ret = 0;
+
+ out:
+    ssh_state_free(&s);
+    if (uri_options != NULL) {
+        QDECREF(uri_options);
+    }
+    return ret;
+}
+
+static void ssh_close(BlockDriverState *bs)
+{
+    BDRVSSHState *s = bs->opaque;
+
+    ssh_state_free(s);
+}
+
+static void restart_coroutine(void *opaque)
+{
+    Coroutine *co = opaque;
+
+    DPRINTF("co=%p", co);
+
+    qemu_coroutine_enter(co, NULL);
+}
+
+/* Always true because when we have called set_fd_handler there is
+ * always a request being processed.
+ */
+static int return_true(void *opaque)
+{
+    return 1;
+}
+
+static coroutine_fn void set_fd_handler(BDRVSSHState *s)
+{
+    int r;
+    IOHandler *rd_handler = NULL, *wr_handler = NULL;
+    Coroutine *co = qemu_coroutine_self();
+
+    r = libssh2_session_block_directions(s->session);
+
+    if (r & LIBSSH2_SESSION_BLOCK_INBOUND) {
+        rd_handler = restart_coroutine;
+    }
+    if (r & LIBSSH2_SESSION_BLOCK_OUTBOUND) {
+        wr_handler = restart_coroutine;
+    }
+
+    DPRINTF("s->sock=%d rd_handler=%p wr_handler=%p", s->sock,
+            rd_handler, wr_handler);
+
+    qemu_aio_set_fd_handler(s->sock, rd_handler, wr_handler, return_true, co);
+}
+
+static coroutine_fn void clear_fd_handler(BDRVSSHState *s)
+{
+    DPRINTF("s->sock=%d", s->sock);
+    qemu_aio_set_fd_handler(s->sock, NULL, NULL, NULL, NULL);
+}
+
+/* A non-blocking call returned EAGAIN, so yield, ensuring the
+ * handlers are set up so that we'll be rescheduled when there is an
+ * interesting event on the socket.
+ */
+static coroutine_fn void co_yield(BDRVSSHState *s)
+{
+    set_fd_handler(s);
+    qemu_coroutine_yield();
+    clear_fd_handler(s);
+}
+
+/* SFTP has a function `libssh2_sftp_seek64' which seeks to a position
+ * in the remote file.  Notice that it just updates a field in the
+ * sftp_handle structure, so there is no network traffic and it cannot
+ * fail.
+ *
+ * However, `libssh2_sftp_seek64' does have a catastrophic effect on
+ * performance since it causes the handle to throw away all in-flight
+ * reads and buffered readahead data.  Therefore this function tries
+ * to be intelligent about when to call the underlying libssh2 function.
+ */
+#define SSH_SEEK_WRITE 0
+#define SSH_SEEK_READ  1
+#define SSH_SEEK_FORCE 2
+
+static void ssh_seek(BDRVSSHState *s, int64_t offset, int flags)
+{
+    bool op_read = (flags & SSH_SEEK_READ) != 0;
+    bool force = (flags & SSH_SEEK_FORCE) != 0;
+
+    if (force || op_read != s->offset_op_read || offset != s->offset) {
+        DPRINTF("seeking to offset=%" PRIi64, offset);
+        libssh2_sftp_seek64(s->sftp_handle, offset);
+        s->offset = offset;
+        s->offset_op_read = op_read;
+    }
+}
+
+static coroutine_fn int ssh_read(BDRVSSHState *s,
+                                 int64_t offset, size_t size,
+                                 QEMUIOVector *qiov)
+{
+    ssize_t r;
+    size_t got;
+    char *buf, *end_of_vec;
+    struct iovec *i;
+
+    DPRINTF("offset=%" PRIi64 " size=%zu", offset, size);
+
+    ssh_seek(s, offset, SSH_SEEK_READ);
+
+    /* This keeps track of the current iovec element ('i'), where we
+     * will write to next ('buf'), and the end of the current iovec
+     * ('end_of_vec').
+     */
+    i = &qiov->iov[0];
+    buf = i->iov_base;
+    end_of_vec = i->iov_base + i->iov_len;
+
+    /* libssh2 has a hard-coded limit of 2000 bytes per request,
+     * although it will also do readahead behind our backs.  Therefore
+     * we may have to do repeated reads here until we have read 'size'
+     * bytes.
+     */
+    for (got = 0; got < size; ) {
+    again:
+        DPRINTF("sftp_read buf=%p size=%zu", buf, end_of_vec - buf);
+        r = libssh2_sftp_read(s->sftp_handle, buf, end_of_vec - buf);
+        DPRINTF("sftp_read returned %zd", r);
+
+        if (r == LIBSSH2_ERROR_EAGAIN || r == LIBSSH2_ERROR_TIMEOUT) {
+            co_yield(s);
+            goto again;
+        }
+        if (r < 0) {
+            sftp_error_report(s, "read failed");
+            s->offset = -1;
+            return -EIO;
+        }
+        if (r == 0) {
+            /* EOF: Short read so pad the buffer with zeroes and return it. */
+            qemu_iovec_memset(qiov, got, 0, size - got);
+            return 0;
+        }
+
+        got += r;
+        buf += r;
+        s->offset += r;
+        if (buf >= end_of_vec && got < size) {
+            i++;
+            buf = i->iov_base;
+            end_of_vec = i->iov_base + i->iov_len;
+        }
+    }
+
+    return 0;
+}
+
+static coroutine_fn int ssh_co_readv(BlockDriverState *bs,
+                                     int64_t sector_num,
+                                     int nb_sectors, QEMUIOVector *qiov)
+{
+    BDRVSSHState *s = bs->opaque;
+    int ret;
+
+    qemu_co_mutex_lock(&s->lock);
+    ret = ssh_read(s, sector_num * BDRV_SECTOR_SIZE,
+                   nb_sectors * BDRV_SECTOR_SIZE, qiov);
+    qemu_co_mutex_unlock(&s->lock);
+
+    return ret;
+}
+
+static int ssh_write(BDRVSSHState *s,
+                     int64_t offset, size_t size,
+                     QEMUIOVector *qiov)
+{
+    ssize_t r;
+    size_t written;
+    char *buf, *end_of_vec;
+    struct iovec *i;
+
+    DPRINTF("offset=%" PRIi64 " size=%zu", offset, size);
+
+    ssh_seek(s, offset, SSH_SEEK_WRITE);
+
+    /* This keeps track of the current iovec element ('i'), where we
+     * will read from next ('buf'), and the end of the current iovec
+     * ('end_of_vec').
+     */
+    i = &qiov->iov[0];
+    buf = i->iov_base;
+    end_of_vec = i->iov_base + i->iov_len;
+
+    for (written = 0; written < size; ) {
+    again:
+        DPRINTF("sftp_write buf=%p size=%zu", buf, end_of_vec - buf);
+        r = libssh2_sftp_write(s->sftp_handle, buf, end_of_vec - buf);
+        DPRINTF("sftp_write returned %zd", r);
+
+        if (r == LIBSSH2_ERROR_EAGAIN || r == LIBSSH2_ERROR_TIMEOUT) {
+            co_yield(s);
+            goto again;
+        }
+        if (r < 0) {
+            sftp_error_report(s, "write failed");
+            s->offset = -1;
+            return -EIO;
+        }
+        /* The libssh2 API is very unclear about this.  A comment in
+         * the code says "nothing was acked, and no EAGAIN was
+         * received!" which apparently means that no data got sent
+         * out, and the underlying channel didn't return any EAGAIN
+         * indication.  I think this is a bug in either libssh2 or
+         * OpenSSH (server-side).  In any case, forcing a seek (to
+         * discard libssh2 internal buffers), and then trying again
+         * works for me.
+         */
+        if (r == 0) {
+            ssh_seek(s, offset + written, SSH_SEEK_WRITE|SSH_SEEK_FORCE);
+            co_yield(s);
+            goto again;
+        }
+
+        written += r;
+        buf += r;
+        s->offset += r;
+        if (buf >= end_of_vec && written < size) {
+            i++;
+            buf = i->iov_base;
+            end_of_vec = i->iov_base + i->iov_len;
+        }
+
+        if (offset + written > s->attrs.filesize)
+            s->attrs.filesize = offset + written;
+    }
+
+    return 0;
+}
+
+static coroutine_fn int ssh_co_writev(BlockDriverState *bs,
+                                      int64_t sector_num,
+                                      int nb_sectors, QEMUIOVector *qiov)
+{
+    BDRVSSHState *s = bs->opaque;
+    int ret;
+
+    qemu_co_mutex_lock(&s->lock);
+    ret = ssh_write(s, sector_num * BDRV_SECTOR_SIZE,
+                    nb_sectors * BDRV_SECTOR_SIZE, qiov);
+    qemu_co_mutex_unlock(&s->lock);
+
+    return ret;
+}
+
+static int64_t ssh_getlength(BlockDriverState *bs)
+{
+    BDRVSSHState *s = bs->opaque;
+    int64_t length;
+
+    /* Note we cannot make a libssh2 call here. */
+    length = (int64_t) s->attrs.filesize;
+    DPRINTF("length=%" PRIi64, length);
+
+    return length;
+}
+
+static BlockDriver bdrv_ssh = {
+    .format_name                  = "ssh",
+    .protocol_name                = "ssh",
+    .instance_size                = sizeof(BDRVSSHState),
+    .bdrv_parse_filename          = ssh_parse_filename,
+    .bdrv_file_open               = ssh_file_open,
+    .bdrv_create                  = ssh_create,
+    .bdrv_close                   = ssh_close,
+    .bdrv_co_readv                = ssh_co_readv,
+    .bdrv_co_writev               = ssh_co_writev,
+    .bdrv_getlength               = ssh_getlength,
+    .create_options               = ssh_create_options,
+};
+
+static void bdrv_ssh_init(void)
+{
+    int r;
+
+    r = libssh2_init(0);
+    if (r != 0) {
+        fprintf(stderr, "libssh2 initialization failed, %d\n", r);
+        exit(EXIT_FAILURE);
+    }
+
+    bdrv_register(&bdrv_ssh);
+}
+
+block_init(bdrv_ssh_init);
diff --git a/configure b/configure
index 73df181..e6c5d2c 100755
--- a/configure
+++ b/configure
@@ -239,6 +239,7 @@
 gtk=""
 gtkabi="2.0"
 tpm="no"
+libssh2=""
 
 # parse CC options first
 for opt do
@@ -922,6 +923,10 @@
   ;;
   --enable-tpm) tpm="yes"
   ;;
+  --disable-libssh2) libssh2="no"
+  ;;
+  --enable-libssh2) libssh2="yes"
+  ;;
   *) echo "ERROR: unknown option $opt"; show_help="yes"
   ;;
   esac
@@ -1182,6 +1187,8 @@
 echo "  --enable-gcov            enable test coverage analysis with gcov"
 echo "  --gcov=GCOV              use specified gcov [$gcov_tool]"
 echo "  --enable-tpm             enable TPM support"
+echo "  --disable-libssh2        disable ssh block device support"
+echo "  --enable-libssh2         enable ssh block device support"
 echo ""
 echo "NOTE: The object files are built at the place where configure is launched"
 exit 1
@@ -2314,6 +2321,42 @@
 fi
 
 ##########################################
+# libssh2 probe
+if test "$libssh2" != "no" ; then
+  cat > $TMPC <<EOF
+#include <stdio.h>
+#include <libssh2.h>
+#include <libssh2_sftp.h>
+int main(void) {
+    LIBSSH2_SESSION *session;
+    session = libssh2_session_init ();
+    (void) libssh2_sftp_init (session);
+    return 0;
+}
+EOF
+
+  if $pkg_config libssh2 --modversion >/dev/null 2>&1; then
+    libssh2_cflags=`$pkg_config libssh2 --cflags`
+    libssh2_libs=`$pkg_config libssh2 --libs`
+  else
+    libssh2_cflags=
+    libssh2_libs="-lssh2"
+  fi
+
+  if compile_prog "$libssh2_cflags" "$libssh2_libs" ; then
+    libssh2=yes
+    libs_tools="$libssh2_libs $libs_tools"
+    libs_softmmu="$libssh2_libs $libs_softmmu"
+    QEMU_CFLAGS="$QEMU_CFLAGS $libssh2_cflags"
+  else
+    if test "$libssh2" = "yes" ; then
+      feature_not_found "libssh2"
+    fi
+    libssh2=no
+  fi
+fi
+
+##########################################
 # linux-aio probe
 
 if test "$linux_aio" != "no" ; then
@@ -3435,6 +3478,7 @@
 echo "gcov              $gcov_tool"
 echo "gcov enabled      $gcov"
 echo "TPM support       $tpm"
+echo "libssh2 support   $libssh2"
 
 if test "$sdl_too_old" = "yes"; then
 echo "-> Your SDL version is too old - please upgrade to have SDL support"
@@ -3793,6 +3837,10 @@
   echo "CONFIG_GLUSTERFS=y" >> $config_host_mak
 fi
 
+if test "$libssh2" = "yes" ; then
+  echo "CONFIG_LIBSSH2=y" >> $config_host_mak
+fi
+
 if test "$virtio_blk_data_plane" = "yes" ; then
   echo 'CONFIG_VIRTIO_BLK_DATA_PLANE=$(CONFIG_VIRTIO)' >> $config_host_mak
 fi
diff --git a/qemu-doc.texi b/qemu-doc.texi
index af84bef..5b36004 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -423,6 +423,7 @@
 * disk_images_sheepdog::      Sheepdog disk images
 * disk_images_iscsi::         iSCSI LUNs
 * disk_images_gluster::       GlusterFS disk images
+* disk_images_ssh::           Secure Shell (ssh) disk images
 @end menu
 
 @node disk_images_quickstart
@@ -1038,6 +1039,54 @@
 qemu-system-x86_64 -drive file=gluster+rdma://1.2.3.4:24007/testvol/a.img
 @end example
 
+@node disk_images_ssh
+@subsection Secure Shell (ssh) disk images
+
+You can access disk images located on a remote ssh server
+by using the ssh protocol:
+
+@example
+qemu-system-x86_64 -drive file=ssh://[@var{user}@@]@var{server}[:@var{port}]/@var{path}[?host_key_check=@var{host_key_check}]
+@end example
+
+Alternative syntax using properties:
+
+@example
+qemu-system-x86_64 -drive file.driver=ssh[,file.user=@var{user}],file.host=@var{server}[,file.port=@var{port}],file.path=@var{path}[,file.host_key_check=@var{host_key_check}]
+@end example
+
+@var{ssh} is the protocol.
+
+@var{user} is the remote user.  If not specified, then the local
+username is tried.
+
+@var{server} specifies the remote ssh server.  Any ssh server can be
+used, but it must implement the sftp-server protocol.  Most Unix/Linux
+systems should work without requiring any extra configuration.
+
+@var{port} is the port number on which sshd is listening.  By default
+the standard ssh port (22) is used.
+
+@var{path} is the path to the disk image.
+
+The optional @var{host_key_check} parameter controls how the remote
+host's key is checked.  The default is @code{yes} which means to use
+the local @file{.ssh/known_hosts} file.  Setting this to @code{no}
+turns off known-hosts checking.  Or you can check that the host key
+matches a specific fingerprint:
+@code{host_key_check=md5:78:45:8e:14:57:4f:d5:45:83:0a:0e:f3:49:82:c9:c8}
+(@code{sha1:} can also be used as a prefix, but note that OpenSSH
+tools only use MD5 to print fingerprints).
+
+Currently authentication must be done using ssh-agent.  Other
+authentication methods may be supported in future.
+
+Note: The ssh driver does not obey disk flush requests (ie. to commit
+data to the backing disk when the guest requests it).  This is because
+the underlying protocol (SFTP) does not support this.  Thus there is a
+risk of guest disk corruption if the remote server or network goes
+down during writes.
+
 @node pcsys_network
 @section Network emulation
 
diff --git a/qemu-options.hx b/qemu-options.hx
index 7cd6002..5c115d1 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -2107,6 +2107,18 @@
 qemu-system-i386 --drive file=nbd:unix:/tmp/nbd-socket
 @end example
 
+@item SSH
+QEMU supports SSH (Secure Shell) access to remote disks.
+
+Examples:
+@example
+qemu-system-i386 -drive file=ssh://user@@host/path/to/disk.img
+qemu-system-i386 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img
+@end example
+
+Currently authentication must be done using ssh-agent.  Other
+authentication methods may be supported in future.
+
 @item Sheepdog
 Sheepdog is a distributed storage system for QEMU.
 QEMU supports using either local sheepdog devices or remote networked