How best to set host key in vm

2018-02-06 Thread George myglc2 Clemmer
I want to set the host key in 'guix system vm-image' so that updating a
VM config does not break that VM's host key entry in my client machine
~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
tried this ...

  (services (cons*
             [...]
             (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
                                 (local-file "ssh_host_ed25519_key"))
             (extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
                                 (local-file "ssh_host_ed25519_key.pub"))
             )

... which does work but naturally throws errors ...

localhost sshd[236]: error: @@@
localhost sshd[236]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
localhost sshd[236]: error: @@@
localhost sshd[236]: error: Permissions 0444 for '/etc/ssh/ssh_host_ed25519_key' are too open.
localhost sshd[236]: error: It is required that your private key files are NOT accessible by others.
localhost sshd[236]: error: This private key will be ignored.
localhost sshd[236]: error: key_load_private: bad permissions
localhost sshd[236]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
localhost sshd[236]: Accepted publickey for g1 from 192.168.1.14 port 56311 ssh2: RSA SHA256:RAXP4+5SU3UN09NL+QwkQmAsLIoDa8Wq6Bi61DzUScY

When I specified only the public key, new private and public keys were
generated by, I guess, the first boot.

Suggestions? TIA - George



Re: How best to set host key in vm

2018-02-09 Thread Ludovic Courtès
Heya,

George myglc2 Clemmer  skribis:

> I want to set the host key in 'guix system vm-image' so that updating a
> VM config does not break that VM's host key entry in my client machine
> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
> tried this ...
>
>   (services (cons*
>   [...]
>(extra-special-file "/etc/ssh/ssh_host_ed25519_key"
>(local-file "ssh_host_ed25519_key"))
>(extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
>(local-file "ssh_host_ed25519_key.pub"))
>   )
>
> ... which does work but naturally throws errors ...
>
> localhost sshd[236]: error: 
> @@@
> localhost sshd[236]: error: @ WARNING: UNPROTECTED PRIVATE KEY FILE!  
> @
> localhost sshd[236]: error: 
> @@@

You should *not* do that, indeed, because the private key file ends up
in the store, and every file in the store is world-readable.  There’s no
way around it, currently at least.

The recommendation in this case is to use “out-of-band” storage—i.e.,
have the secrets stored in a place other than the store.

For example, you could have an activation snippet that copies secret
files directly to /etc, along these lines (untested):

  (simple-service 'copy-private-key activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        (mkdir-p "/etc/ssh")
                        (copy-file "/root/secrets/ssh_host_ed25519_key"
                                   "/etc/ssh/ssh_host_ed25519_key"))))

That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
exist in the first place, but that’s pretty much all we can do.

HTH!

Ludo’.
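A fuller version of the out-of-band approach described above, as an added example that is not part of the thread and not Guix's own code: it copies both halves of the host key from an assumed /root/secrets directory, sets 0600 on the private key so sshd does not reject it with the "UNPROTECTED PRIVATE KEY FILE" error from the first message, and only warns when a source file is absent so that sshd can still generate a fresh key.

```scheme
;; Added example (not from the thread).  Assumes the secrets live under
;; /root/secrets on the running system, outside the store.
(use-modules (gnu services)
             (guix gexp))

(define %host-key-files
  ;; (source . destination) pairs.  The private key is never a store item,
  ;; so it is not world-readable the way a local-file would be.
  '(("/root/secrets/ssh_host_ed25519_key" . "/etc/ssh/ssh_host_ed25519_key")
    ("/root/secrets/ssh_host_ed25519_key.pub" . "/etc/ssh/ssh_host_ed25519_key.pub")))

(define (install-host-keys-gexp files)
  "Return a G-expression that copies each source in FILES to its
destination and tightens permissions: 0600 for private keys, 0644 for
the public half."
  (with-imported-modules '((guix build utils))
    #~(begin
        (use-modules (guix build utils))
        (mkdir-p "/etc/ssh")
        (for-each
         (lambda (pair)
           (let ((src (car pair))
                 (dst (cdr pair)))
             (if (file-exists? src)
                 (begin
                   (copy-file src dst)
                   ;; sshd refuses a private key readable by others.
                   (chmod dst (if (string-suffix? ".pub" dst) #o644 #o600)))
                 (format (current-error-port)
                         "install-host-keys: ~a missing; sshd will generate a fresh key~%"
                         src))))
         ;; Quote the spliced list so it is data, not a procedure call.
         '#$files))))

;; Add this to the (services ...) list of the operating-system.
(define copy-host-keys-service
  (simple-service 'copy-host-keys activation-service-type
                  (install-host-keys-gexp %host-key-files)))
```

Because activation runs on every boot and reconfigure, the copy is repeated and a changed key under /root/secrets takes effect on the next activation.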



Re: How best to set host key in vm

2018-02-09 Thread George myglc2 Clemmer
On 02/09/2018 at 11:02 Ludovic Courtès writes:

> George myglc2 Clemmer  skribis:
>
>> I want to set the host key in 'guix system vm-image' so that updating a
>> VM config does not break that VM's host key entry in my client machine
>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>> tried this ...

> The recommendation in this case is to use “out-of-band” storage—i.e.,
> have the secrets stored in a place other than the store.
>
> For example, you could have an activation snippet that copies secret
> files directly to /etc, along these lines (untested):
>
>   (simple-service 'copy-private-key activation-service-type
>   (with-imported-modules '((guix build utils))
> #~(begin
> (use-modules (guix build utils))
> (mkdir-p "/etc/ssh")
> (copy-file "/root/secrets/ssh_host_ed25519_key"
>"/etc/ssh/ssh_host_ed25519_key'
>
> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
> exist in the first place, but that’s pretty much all we can do.

Thank you. So what is an easily-automated way to populate /root/secrets?
Is there a tests module that I should hack?

TIA - George



Re: How best to set host key in vm

2018-02-15 Thread Ludovic Courtès
George myglc2 Clemmer  skribis:

> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>
>> George myglc2 Clemmer  skribis:
>>
>>> I want to set the host key in 'guix system vm-image' so that updating a
>>> VM config does not break that VM's host key entry in my client machine
>>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>>> tried this ...
>
>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>> have the secrets stored in a place other than the store.
>>
>> For example, you could have an activation snippet that copies secret
>> files directly to /etc, along these lines (untested):
>>
>>   (simple-service 'copy-private-key activation-service-type
>>   (with-imported-modules '((guix build utils))
>> #~(begin
>> (use-modules (guix build utils))
>> (mkdir-p "/etc/ssh")
>> (copy-file "/root/secrets/ssh_host_ed25519_key"
>>"/etc/ssh/ssh_host_ed25519_key'
>>
>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>> exist in the first place, but that’s pretty much all we can do.
>
> Thank you. So what is an easily-automated way to populate /root/secrets?

Guix doesn’t have any helper module/tool for that yet.

Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
would copy a file from the host into the image.  We’d have to be careful
with the implementation to make sure that it doesn’t end up in the host
store nor in the guest store.

Ludo’.



Re: How best to set host key in vm

2018-02-15 Thread George myglc2 Clemmer
Hi Ludo’,

On 02/15/2018 at 14:51 Ludovic Courtès writes:

> George myglc2 Clemmer  skribis:
>
>> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>>
>>> George myglc2 Clemmer  skribis:
>>>
>>>> I want to set the host key in 'guix system vm-image' so that updating a
>>>> VM config does not break that VM's host key entry in my client machine
>>>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>>>> tried this ...
>>
>>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>>> have the secrets stored in a place other than the store.
>>>
>>> For example, you could have an activation snippet that copies secret
>>> files directly to /etc, along these lines (untested):
>>>
>>>   (simple-service 'copy-private-key activation-service-type
>>>   (with-imported-modules '((guix build utils))
>>> #~(begin
>>> (use-modules (guix build utils))
>>> (mkdir-p "/etc/ssh")
>>> (copy-file "/root/secrets/ssh_host_ed25519_key"
>>>"/etc/ssh/ssh_host_ed25519_key'
>>>
>>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>>> exist in the first place, but that’s pretty much all we can do.
>>
>> Thank you. So what is an easily-automated way to populate /root/secrets?
>
> Guix doesn’t have any helper module/tool for that yet.
>
> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
> would copy a file from the host into the image.  We’d have to be careful
> with the implementation to make sure that it doesn’t end up in the host
> store nor in the guest store.

How about a '--copy-image=' option that copies the image out
of the store? Then the ‘--copy’ could operate on  and fail
if it isn't specified.

- George



Re: How best to set host key in vm

2018-02-16 Thread Ludovic Courtès
Hi George,

George myglc2 Clemmer  skribis:

> On 02/15/2018 at 14:51 Ludovic Courtès writes:

[...]

>> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
>> would copy a file from the host into the image.  We’d have to be careful
>> with the implementation to make sure that it doesn’t end up in the host
>> store nor in the guest store.
>
> How about a '--copy-image=' option that copies the image out
> of the store? Then the ‘--copy’ could operate on  and fail
> if it isn't specified.

Yeah, perhaps we’d have to do something like that.

Ludo’.