From: Fabio Natali
To: Felix Lechner, guix-devel@gnu.org
Subject: Re: SSH key management for Guix cloud machines
In-Reply-To: <87cytxywc1.fsf@lease-up.com>
References: <87o7dhzcov.fsf@fabionatali.com> <87cytxywc1.fsf@lease-up.com>
Date: Fri, 19 Jan 2024 22:52:34 +0000
Message-ID: <878r4lylzh.fsf@fabionatali.com>
List-Id: "Development of GNU Guix and the GNU System distribution."

On 2024-01-19, 11:09 -0800, Felix Lechner wrote:
> I publish my server-side keys via SSHFP records in a domain secured by
> DNSSEC.

Hi Felix,

Thanks. How does the publishing happen exactly, if I may ask? Is it `ssh-keygen -r ...' + a web API call to the DNS provider?

My problem with this is that I wouldn't want to include my API credentials in the Guix image. Unless there's a simpler alternative that doesn't require credentials and that I'm not seeing?

For instance, if the DNS functionality is provided by the hosting provider itself, then credentials might not be needed?

Thanks, best wishes, Fabio.

-- 
Fabio Natali
https://fabionatali.com
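An added example, not part of this thread: how the SSHFP record that `ssh-keygen -r` prints is derived from a host public key (SHA-256 over the decoded key blob, RFC 4255/6594), plus the client-side check of an offered host key against the published records. The ed25519 key is constructed and not a real key; the DNS publishing step, which is where API credentials would be needed, is deliberately left out.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 8709) keyed by OpenSSH key type.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
SSHFP_SHA256 = 2  # fingerprint type 2 = SHA-256 (type 1 = SHA-1, legacy)


def _key_fingerprint(pubkey_line: str) -> tuple:
    """Return (algorithm number, sha256 hex) for one OpenSSH public key line.
    The digest covers the raw key blob, i.e. the base64 field decoded, not the text."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    return SSHFP_ALGORITHMS[key_type], hashlib.sha256(blob).hexdigest()


def sshfp_record(hostname: str, pubkey_line: str) -> str:
    """Build the SSHFP RR in the zone-file form that `ssh-keygen -r` emits."""
    algorithm, digest = _key_fingerprint(pubkey_line)
    return f"{hostname} IN SSHFP {algorithm} {SSHFP_SHA256} {digest}"


def host_key_matches(pubkey_line: str, records: list) -> bool:
    """Client side: does the key the host offered match any published SSHFP record?
    Record fields: <owner> IN SSHFP <alg> <fptype> <hex>."""
    algorithm, digest = _key_fingerprint(pubkey_line)
    for rr in records:
        f = rr.split()
        if len(f) < 6 or f[2] != "SSHFP":
            continue
        if int(f[3]) == algorithm and int(f[4]) == SSHFP_SHA256 and f[5].lower() == digest:
            return True
    return False


def constructed_ed25519_pubkey_line(seed: int) -> str:
    """Constructed, syntactically valid ssh-ed25519 line (NOT a real key): the SSHFP
    derivation only depends on the wire format of the blob."""
    raw = hashlib.sha256(seed.to_bytes(4, "big")).digest()  # 32 constructed bytes
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw)) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} constructed@example"
```

With a real host, the same record is produced by `ssh-keygen -r host.example -f /etc/ssh/ssh_host_ed25519_key.pub`, and the check above is what `ssh -o VerifyHostKeyDNS=yes` performs once the zone is DNSSEC-signed.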