On Thu, Aug 17, 2023 at 09:30:24PM +0200, Hartmut Goebel wrote:
> Hello Efraim,
>
> On 13.08.23 at 16:58, Efraim Flashner wrote:
> > I feel compelled to ask if the key must be in
> > ~vagrant/.ssh/authorized_keys or if /etc/ssh/authorized_keys.d/vagrant
> > is acceptable.
>
> I'm afraid it needs to be in ~vagrant/.ssh/authorized_keys: When first
> booting the machine, Vagrant logs into it and replaces the key. Thus the
> user vagrant must be allowed to change the respective file.
>
> Why are you asking? What would be easier (in respect of not re-installing
> the key), if putting the key into /etc/ssh/authorized_keys.d/vagrant would
> work?

There's already tooling available to place a key in
/etc/ssh/authorized_keys.d/vagrant, and when you include an os-config in the
image you can leave that line out. That way it'll be there in the initial
image when it is created (and when /etc is populated on first boot) but it
would disappear on reconfigure.

I suppose another option would be a one-off service that checks if
~vagrant/.ssh/authorized_keys exists, and if it doesn't then create one with
the desired key and chown and chmod ~/.ssh to vagrant.

> > Also, could you use /etc/services or another file in /etc/static as a
> > marker that the system has been booted at least once before?
>
> Such a marker would be okay. Anyhow to make this work, some respective new
> service would need to detect this quite early, before /etc/service gets
> linked. Otherwise the service could not distinguish between "first" and "at
> least once". Or did I miss something?
>
> Is there some means of ordering service execution/start?

I'd have to dive into the internals of system bring-up a bit, but if I
understand correctly before first boot there's a series of derivations that
get combined together during boot to create the actual running system. Then
after first boot they "actually live in their final locations", and get
swapped out on reconfigure.

So before first boot there's a bunch of files in /etc that aren't actually
present yet, but after first boot they've been linked into place. I mostly
got this from building system images so it's definitely possible that I've
understood it incorrectly.

Also as I think about it more, other than depending on some filesystem
service, I'm not sure what you could depend on that would definitely slot in
correctly to run on first-boot. I suppose /etc/ssh/ssh_host_ed25519_key
won't be there on first boot, but you'd still basically be racing the
openssh-service.

-- 
Efraim Flashner              אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
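As an added illustration of the one-off service Efraim sketches (this is not code from the thread or from Guix), the shell function below installs a public key into HOME/.ssh/authorized_keys only when that file does not exist yet, with the directory and file kept private from the moment they are created, so a key Vagrant has already replaced on first login is never clobbered on a later boot. The HOME, owner user and key text are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original thread: idempotent first-boot
# installation of the Vagrant public key into HOME/.ssh/authorized_keys.
set -eu

# install_vagrant_key HOME USER PUBKEY
# Returns 0 when the key was installed, 2 when authorized_keys already
# existed (not first boot, or Vagrant has already rotated the key).
install_vagrant_key() {
    home=$1; owner=$2; pubkey=$3
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    if [ -e "$authkeys" ]; then
        # Leave an existing file alone: Vagrant owns its contents from
        # the first login onwards.
        return 2
    fi

    # The umask makes the directory and file private at creation time, so
    # there is no window with loose permissions and sshd's StrictModes
    # check (0700 dir, 0600 file) passes.
    (umask 077 && mkdir -p "$sshdir" && printf '%s\n' "$pubkey" > "$authkeys")
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"
    # The user must own the file so Vagrant can replace the key itself.
    chown "$owner" "$sshdir" "$authkeys"
    return 0
}
```

Run as root at boot with `install_vagrant_key /home/vagrant vagrant "$KEY"`; the non-zero return on a second boot is the "already booted" signal, without a separate marker file.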