unofficial mirror of help-guix@gnu.org 
* How best to set host key in vm
@ 2018-02-06 20:58 George myglc2 Clemmer
  2018-02-09 11:02 ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: George myglc2 Clemmer @ 2018-02-06 20:58 UTC (permalink / raw)
  To: help-guix

I want to set the host key in 'guix system vm-image' so that updating a
VM config does not break that VM's host key entry in my client machine
~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
tried this ...

  (services (cons*
  [...]
             (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
                                 (local-file "ssh_host_ed25519_key"))
             (extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
                                 (local-file "ssh_host_ed25519_key.pub"))
  )

... which does work but naturally throws errors ...

localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
localhost sshd[236]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
localhost sshd[236]: error: Permissions 0444 for '/etc/ssh/ssh_host_ed25519_key' are too open.
localhost sshd[236]: error: It is required that your private key files are NOT accessible by others.
localhost sshd[236]: error: This private key will be ignored.
localhost sshd[236]: error: key_load_private: bad permissions
localhost sshd[236]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
localhost sshd[236]: Accepted publickey for g1 from 192.168.1.14 port 56311 ssh2: RSA SHA256:RAXP4+5SU3UN09NL+QwkQmAsLIoDa8Wq6Bi61DzUScY

When I specified only the public key, new private and public keys were
generated by, I guess, the first boot.

Suggestions? TIA - George


* Re: How best to set host key in vm
  2018-02-06 20:58 How best to set host key in vm George myglc2 Clemmer
@ 2018-02-09 11:02 ` Ludovic Courtès
  2018-02-09 17:55   ` George myglc2 Clemmer
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2018-02-09 11:02 UTC (permalink / raw)
  To: George myglc2 Clemmer; +Cc: help-guix

Heya,

George myglc2 Clemmer <myglc2@gmail.com> skribis:

> I want to set the host key in 'guix system vm-image' so that updating a
> VM config does not break that VM's host key entry in my client machine
> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
> tried this ...
>
>   (services (cons*
>   [...]
> 	     (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
> 				 (local-file "ssh_host_ed25519_key"))
> 	     (extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
>    				 (local-file "ssh_host_ed25519_key.pub"))
>   )
>
> ... which does work but naturally throws errors ...
>
> localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> localhost sshd[236]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

You should *not* do that, indeed, because the private key file ends up
in the store, and every file in the store is world-readable.  There’s no
way around it, currently at least.

The recommendation in this case is to use “out-of-band” storage—i.e.,
have the secrets stored in a place other than the store.

For example, you could have an activation snippet that copies secret
files directly to /etc, along these lines (untested):

  (simple-service 'copy-private-key activation-service-type
                  (with-imported-modules '((guix build utils))
                    #~(begin
                        (use-modules (guix build utils))
                        ;; Runs as root at activation time, outside the store.
                        (mkdir-p "/etc/ssh")
                        ;; The source lives outside the store, so the copy is
                        ;; never a world-readable store item.
                        (copy-file "/root/secrets/ssh_host_ed25519_key"
                                   "/etc/ssh/ssh_host_ed25519_key"))))

That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
exist in the first place, but that’s pretty much all we can do.

HTH!

Ludo’.

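
An added check, not code from this thread or from Guix, that audits a host key file for the two failure modes the exchange describes: a key that resolves into /gnu/store (what the extra-special-file plus local-file approach in the first message produces, world-readable by construction) and a key whose mode bits are open to group or other (what sshd rejects with the "UNPROTECTED PRIVATE KEY FILE" warning quoted above). The fixture is constructed in a temporary directory with placeholder key contents, and the store prefix is a parameter so the check runs offline.

```python
import os
import stat
import tempfile

STORE_PREFIX = "/gnu/store/"


def audit_host_key(path, store_prefix=STORE_PREFIX):
    """Return a list of findings for an sshd host key; [] means it looks fine."""
    if not os.path.lexists(path):
        return [f"{path}: missing"]
    findings = []
    real = os.path.realpath(path)
    if real.startswith(store_prefix):
        # Everything under the store is world-readable, whatever the mode bits say.
        findings.append(f"{path}: resolves into the store ({real})")
    st = os.stat(path)  # follows the symlink, as sshd does
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # Same condition sshd applies before printing "UNPROTECTED PRIVATE KEY FILE".
        findings.append(f"{path}: mode {mode:04o} is readable by group/other")
    return findings


def demo():
    """Constructed fixture: a fake store under a temp dir, audited three ways."""
    root = os.path.realpath(tempfile.mkdtemp())
    store = os.path.join(root, "gnu", "store") + "/"
    os.makedirs(store)
    # Case 1: what extra-special-file + local-file yields, an /etc symlink into the store.
    item = os.path.join(store, "0000000000000000-ssh_host_ed25519_key")
    with open(item, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(item, 0o444)  # store items are read-only and world-readable
    linked = os.path.join(root, "etc_ssh_host_ed25519_key_link")
    os.symlink(item, linked)
    # Case 2: the out-of-band copy from the activation snippet, with a sane mode.
    copied = os.path.join(root, "etc_ssh_host_ed25519_key_copy")
    with open(copied, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(copied, 0o600)
    return {
        "store_symlink": audit_host_key(linked, store),
        "out_of_band_copy": audit_host_key(copied, store),
        "missing": audit_host_key(os.path.join(root, "absent_key"), store),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "ok")
```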

* Re: How best to set host key in vm
  2018-02-09 11:02 ` Ludovic Courtès
@ 2018-02-09 17:55   ` George myglc2 Clemmer
  2018-02-15 14:51     ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: George myglc2 Clemmer @ 2018-02-09 17:55 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix

On 02/09/2018 at 11:02 Ludovic Courtès writes:

> George myglc2 Clemmer <myglc2@gmail.com> skribis:
>
>> I want to set the host key in 'guix system vm-image' so that updating a
>> VM config does not break that VM's host key entry in my client machine
>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>> tried this ...

> The recommendation in this case is to use “out-of-band” storage—i.e.,
> have the secrets stored in a place other than the store.
>
> For example, you could have an activation snippet that copies secret
> files directly to /etc, along these lines (untested):
>
>   (simple-service 'copy-private-key activation-service-type
>                   (with-imported-modules '((guix build utils))
>                     #~(begin
>                         (use-modules (guix build utils))
>                         (mkdir-p "/etc/ssh")
>                         (copy-file "/root/secrets/ssh_host_ed25519_key"
>                                    "/etc/ssh/ssh_host_ed25519_key'))))
>
> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
> exist in the first place, but that’s pretty much all we can do.

Thank you. So what is an easily-automated way to populate /root/secrets?
Is there a tests module that I should hack?

TIA - George


* Re: How best to set host key in vm
  2018-02-09 17:55   ` George myglc2 Clemmer
@ 2018-02-15 14:51     ` Ludovic Courtès
  2018-02-15 15:21       ` George myglc2 Clemmer
  0 siblings, 1 reply; 6+ messages in thread
From: Ludovic Courtès @ 2018-02-15 14:51 UTC (permalink / raw)
  To: George myglc2 Clemmer; +Cc: help-guix

George myglc2 Clemmer <myglc2@gmail.com> skribis:

> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>
>> George myglc2 Clemmer <myglc2@gmail.com> skribis:
>>
>>> I want to set the host key in 'guix system vm-image' so that updating a
>>> VM config does not break that VM's host key entry in my client machine
>>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>>> tried this ...
>
>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>> have the secrets stored in a place other than the store.
>>
>> For example, you could have an activation snippet that copies secret
>> files directly to /etc, along these lines (untested):
>>
>>   (simple-service 'copy-private-key activation-service-type
>>                   (with-imported-modules '((guix build utils))
>>                     #~(begin
>>                         (use-modules (guix build utils))
>>                         (mkdir-p "/etc/ssh")
>>                         (copy-file "/root/secrets/ssh_host_ed25519_key"
>>                                    "/etc/ssh/ssh_host_ed25519_key'))))
>>
>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>> exist in the first place, but that’s pretty much all we can do.
>
> Thank you. So what is an easily-automated way to populate /root/secrets?

Guix doesn’t have any helper module/tool for that yet.

Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
would copy a file from the host into the image.  We’d have to be careful
with the implementation to make sure that it doesn’t end up in the host
store nor in the guest store.

Ludo’.


* Re: How best to set host key in vm
  2018-02-15 14:51     ` Ludovic Courtès
@ 2018-02-15 15:21       ` George myglc2 Clemmer
  2018-02-16 10:17         ` Ludovic Courtès
  0 siblings, 1 reply; 6+ messages in thread
From: George myglc2 Clemmer @ 2018-02-15 15:21 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: help-guix

Hi Ludo’,

On 02/15/2018 at 14:51 Ludovic Courtès writes:

> George myglc2 Clemmer <myglc2@gmail.com> skribis:
>
>> On 02/09/2018 at 11:02 Ludovic Courtès writes:
>>
>>> George myglc2 Clemmer <myglc2@gmail.com> skribis:
>>>
>>>> I want to set the host key in 'guix system vm-image' so that updating a
>>>> VM config does not break that VM's host key entry in my client machine
>>>> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
>>>> tried this ...
>>
>>> The recommendation in this case is to use “out-of-band” storage—i.e.,
>>> have the secrets stored in a place other than the store.
>>>
>>> For example, you could have an activation snippet that copies secret
>>> files directly to /etc, along these lines (untested):
>>>
>>>   (simple-service 'copy-private-key activation-service-type
>>>                   (with-imported-modules '((guix build utils))
>>>                     #~(begin
>>>                         (use-modules (guix build utils))
>>>                         (mkdir-p "/etc/ssh")
>>>                         (copy-file "/root/secrets/ssh_host_ed25519_key"
>>>                                    "/etc/ssh/ssh_host_ed25519_key'))))
>>>
>>> That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
>>> exist in the first place, but that’s pretty much all we can do.
>>
>> Thank you. So what is an easily-automated way to populate /root/secrets?
>
> Guix doesn’t have any helper module/tool for that yet.
>
> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
> would copy a file from the host into the image.  We’d have to be careful
> with the implementation to make sure that it doesn’t end up in the host
> store nor in the guest store.

How about a '--copy-image=<imagefile>' option that copies the image out
of the store? Then the ‘--copy’ could operate on <imagefile> and fail
if it isn't specified.

- George


* Re: How best to set host key in vm
  2018-02-15 15:21       ` George myglc2 Clemmer
@ 2018-02-16 10:17         ` Ludovic Courtès
  0 siblings, 0 replies; 6+ messages in thread
From: Ludovic Courtès @ 2018-02-16 10:17 UTC (permalink / raw)
  To: George myglc2 Clemmer; +Cc: help-guix

Hi George,

George myglc2 Clemmer <myglc2@gmail.com> skribis:

> On 02/15/2018 at 14:51 Ludovic Courtès writes:

[...]

>> Perhaps ‘guix system vm-image’ could include a ‘--copy’ option that
>> would copy a file from the host into the image.  We’d have to be careful
>> with the implementation to make sure that it doesn’t end up in the host
>> store nor in the guest store.
>
> How about a '--copy-image=<imagefile>' option that copies the image out
> of the store? Then the ‘--copy’ could operate on <imagefile> and fail
> if it isn't specified.

Yeah, perhaps we’d have to do something like that.

Ludo’.
