From mboxrd@z Thu Jan  1 00:00:00 1970
From: George myglc2 Clemmer <myglc2@gmail.com>
Subject: How best to set host key in vm
Date: Tue, 06 Feb 2018 15:58:16 -0500
Message-ID: <86tvut25uf.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain
Return-path: <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:52747)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <myglc2@gmail.com>) id 1ejAJq-0003Iy-Hl
	for help-guix@gnu.org; Tue, 06 Feb 2018 15:58:23 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <myglc2@gmail.com>) id 1ejAJn-0004UT-7i
	for help-guix@gnu.org; Tue, 06 Feb 2018 15:58:22 -0500
Received: from mail-qk0-x235.google.com ([2607:f8b0:400d:c09::235]:40115)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <myglc2@gmail.com>) id 1ejAJn-0004UG-2h
	for help-guix@gnu.org; Tue, 06 Feb 2018 15:58:19 -0500
Received: by mail-qk0-x235.google.com with SMTP id e20so879972qkm.7
	for <help-guix@gnu.org>; Tue, 06 Feb 2018 12:58:18 -0800 (PST)
Received: from g1 (c-73-167-118-254.hsd1.ma.comcast.net. [73.167.118.254])
	by smtp.gmail.com with ESMTPSA id
	d20sm7921813qte.88.2018.02.06.12.58.16 for <help-guix@gnu.org>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Tue, 06 Feb 2018 12:58:17 -0800 (PST)
List-Id: <help-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/help-guix/>
List-Post: <mailto:help-guix@gnu.org>
List-Help: <mailto:help-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/help-guix>,
	<mailto:help-guix-request@gnu.org?subject=subscribe>
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: "Help-Guix" <help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org>
To: help-guix <help-guix@gnu.org>

I want to set the host key in 'guix system vm-image' so that updating a
VM config does not break that VM's host key entry in my client machine
~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
tried this ...

  (services (cons*
  [...]
	     (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
				 (local-file "ssh_host_ed25519_key"))
	     (extra-special-file "/etc/ssh/ssh_host_ed25519_key.pub"
   				 (local-file "ssh_host_ed25519_key.pub"))
  )

... which does work but naturally throws errors ...

localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
localhost sshd[236]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
localhost sshd[236]: error: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
localhost sshd[236]: error: Permissions 0444 for '/etc/ssh/ssh_host_ed25519_key' are too open.
localhost sshd[236]: error: It is required that your private key files are NOT accessible by others.
localhost sshd[236]: error: This private key will be ignored.
localhost sshd[236]: error: key_load_private: bad permissions localhost sshd[236]: error: Could not load host key:/etc/ssh/ssh_host_ed25519_key
localhost sshd[236]: Accepted publickey for g1 from 192.168.1.14 port 56311 ssh2: RSA SHA256:RAXP4+5SU3UN09NL+QwkQmAsLIoDa8Wq6Bi61DzUScY

When I specifyed only the public key, new private and public keys were
generated by, I guess, the first boot.

Suggestions? TIA - George