From: Fabio Natali
To: guix-devel@gnu.org
Subject: SSH key management for Guix cloud machines
Date: Fri, 19 Jan 2024 13:15:44 +0000
Message-ID: <87o7dhzcov.fsf@fabionatali.com>

Hi All,

I wanted to ask what the best practice is (or what people usually do) when it comes to SSH key management for Guix systems deployed in the cloud.

In a nutshell, consider a cloud server that's been instantiated out of a Guix system image. Suppose that the image comes with a predefined (passwordless) user and an authorised SSH key for remote access. On first access, the user is asked to verify and accept the server's SSH fingerprint, and rightfully so, to protect against MITM attacks.

Is there any mechanism that would allow access to the server without having to trust the server's fingerprint on first use? In other words, once the server SSH key has been generated, is there any standard/common way to have the fingerprint published (or somehow "phoned home")?

In the context of cloud-init, I think this is achieved via the Phone Home module⁰. I believe Terraform and other orchestration tools also provide their own solution to this.

Am I missing anything macroscopic here? Is there any similar SSH phone-home service under Guix? If not, would there be interest around such a service, or potentially in having this functionality as part of the SSH service?

A cheap (but convoluted) option would be to have the SSH fingerprint saved in /etc/issue. Some cloud providers allow the possibility to connect to the machine via a web console. A user would be able to use the web console to retrieve the key. A bit of a hack, to be honest.

Any idea or comment welcome.

Thanks, cheers, Fabio.

⁰ https://cloudinit.readthedocs.io/en/latest/reference/modules.html#phone-home

-- 
Fabio Natali
https://fabionatali.com
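The two halves of the problem raised above, publishing a freshly generated host key out of band and checking it on the client before the first connection, can be shown end to end in a few lines. The following is an added example, not code from the post, from Guix or from cloud-init; it assumes nothing about Guix services and only reproduces the fingerprint format that `ssh-keygen -lf` prints and the `known_hosts` line format that OpenSSH reads. The key material is constructed sample data, not a real key, and the host name and user in the banner are placeholders.

```python
"""Publish and verify SSH host-key fingerprints without trust-on-first-use.

Server side: read the contents of /etc/ssh/ssh_host_*.pub, compute the
SHA256 fingerprints OpenSSH shows, and render them as text that can be
phoned home or dropped into /etc/issue for retrieval via a web console.
Client side: accept a presented host key only if its fingerprint matches
the value obtained out of band, then pin it in known_hosts so ssh never
has to ask the user.
"""
import base64
import hashlib
import struct
from typing import Dict, Iterable


def _ssh_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string' field: big-endian uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str = "root@guix-vm") -> str:
    """Build a constructed OpenSSH 'ssh-ed25519 <base64> <comment>' line.

    The 32 bytes passed in are sample data, not a real Ed25519 public key;
    the wire encoding (type string + key string) is the real OpenSSH one.
    """
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """Return the 'SHA256:...' fingerprint that `ssh-keygen -lf` prints.

    The fingerprint is base64(sha256(key blob)) with the '=' padding removed.
    """
    _key_type, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return f"SHA256:{digest}"


def collect_host_keys(pubkey_lines: Iterable[str]) -> Dict[str, str]:
    """Map key type -> fingerprint for each ssh_host_*.pub line (server side)."""
    return {line.split()[0]: fingerprint_sha256(line) for line in pubkey_lines}


def issue_banner(fingerprints: Dict[str, str]) -> str:
    """Render the /etc/issue text the post mentions as a cheap option."""
    lines = ["SSH host key fingerprints (verify before trusting this host):"]
    lines += [f"  {key_type} {fp}" for key_type, fp in sorted(fingerprints.items())]
    return "\n".join(lines) + "\n"


def verify_presented_key(presented_line: str, published: Dict[str, str]) -> bool:
    """Client side: True only if the presented key matches the published fingerprint.

    An unknown key type is rejected rather than silently accepted.
    """
    key_type = presented_line.split()[0]
    expected = published.get(key_type)
    return expected is not None and expected == fingerprint_sha256(presented_line)


def known_hosts_line(host: str, pubkey_line: str) -> str:
    """Pin a verified key as a known_hosts entry: '<host> <type> <base64>'."""
    key_type, b64, *_ = pubkey_line.split()
    return f"{host} {key_type} {b64}"


if __name__ == "__main__":
    # Constructed sample: stands in for the contents of /etc/ssh/ssh_host_ed25519_key.pub
    host_key = make_ed25519_pubkey_line(bytes(range(32)))
    published = collect_host_keys([host_key])   # what the server would phone home
    print(issue_banner(published), end="")
    # First connection: the server presents its key; compare before trusting.
    if verify_presented_key(host_key, published):
        print(known_hosts_line("203.0.113.10", host_key))  # placeholder address
```

The comparison is done on the fingerprint rather than on the raw key so the published value stays short enough to read off a console or a DNS-sized record; once it matches, the full key is pinned in `known_hosts`, which is the same end state cloud-init's phone-home consumers aim for.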