From: Fabio Natali
To: Felix Lechner, guix-devel@gnu.org
Subject: Re: SSH key management for Guix cloud machines
Date: Fri, 26 Jan 2024 18:07:51 +0000
Message-ID: <877cjwj7d4.fsf@fabionatali.com>

On 2024-01-20, 20:14 -0800, Felix Lechner wrote:

>> How does the publishing happen exactly
>
> You can query SSH server keys remotely [1] but I would deploy keys I
> know already.

Hi Felix,

Thanks for getting back to me and sorry it took me so long to reply.
Querying the SSH server would be a bit of a catch-22 situation though,
unless the machine you're querying from is part of the same VPN as the
server.

While I do like the idea of using a DNS record, by itself this doesn't
seem to solve the trust-on-first-use issue. I'd be fine with this
solution if the DNS were part of the same network as the newly
installed server, but that's not my case.

The other solution that comes to mind would involve:

- some kind of cloud-init service that waits until the SSH key pair is
  generated and then communicates the public key to the cloud provider;

- a cloud-init compliant cloud provider, that accepts the public key and
  then makes it available to the user via a web dashboard.

I think this is what some providers do with other system images? OTOH,
UX-wise, this is much worse than the DNS record as it requires manual
intervention.

Let's see, maybe someone else might chime in with some other idea at
some point.

Thanks for now, cheers, Fabio.

-- 
Fabio Natali
https://fabionatali.com
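As an added illustration (not part of this thread or of Guix), the following shows what the DNS-record approach actually checks: a client computes the SSHFP record for the host key a server presents and compares it with what the resolver returned. The point raised above about trust on first use is reflected in the verdict: a match only replaces the first-use prompt when the resolver reports the answer as DNSSEC-validated, which is how OpenSSH's VerifyHostKeyDNS behaves. The key line, the DNS answers and the validation flag are all constructed inputs.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) for OpenSSH key types.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE_SHA256 = 2  # fingerprint type 2 = SHA-256 (RFC 6594)


def sshfp_record(pubkey_line):
    """Return the SSHFP RDATA ("alg fptype hex") for one OpenSSH public-key line,
    matching the SHA-256 line that `ssh-keygen -r <host>` prints for that key.
    The fingerprint is SHA-256 over the raw (base64-decoded) key blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob starts with its own length-prefixed key type; it must match the prefix.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != keytype:
        raise ValueError("key type in blob does not match the prefix")
    alg = SSHFP_ALGORITHM[keytype]
    return "%d %d %s" % (alg, SSHFP_FPTYPE_SHA256, hashlib.sha256(blob).hexdigest())


def verify_host_key(pubkey_line, dns_answers, dnssec_validated):
    """Compare the key a server presented with the SSHFP answers a resolver returned.
    dns_answers: list of RDATA strings; dnssec_validated: the resolver's AD flag.
    Only a DNSSEC-authenticated match is strong enough to skip the first-use prompt;
    an unauthenticated match is no better than trust-on-first-use."""
    expected = sshfp_record(pubkey_line)
    matched = any(a.strip().lower() == expected for a in dns_answers)
    if not matched:
        return "mismatch"
    return "trusted" if dnssec_validated else "matched-but-unauthenticated"


def constructed_ed25519_key():
    """Build a syntactically valid ssh-ed25519 public-key line from fixed bytes
    (constructed sample data, not a real host key)."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"
```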