SSH key management for Guix cloud machines

SSH key management for Guix cloud machines

[Fabio Natali]

Hi All,

I wanted to ask what the best practice is (or what people usually do)
when it comes to SSH key management for Guix systems deployed in the
cloud.

In a nutshell, consider a cloud server that's been instantiated out of a
Guix system image. Suppose that the image comes with a predefinded
(passwordless) user and an authorised SSH key for remote access.

On first access, the user is asked to verify and accept the server's SSH
fingerprint, and rightfully so to protect against MITM attacks.

Is there any mechanism that would allow to access the server without
having to trust-on-first-use the server's fingerprint?

In other words, once the server SSH key has been generated, is there any
standard/common way to have the fingerprint published (or somehow
"phoned home")?

In the context of cloud-init, I think this is achieved via the Phone
Home module⁰. I believe Terraform and other orchestration tools also
provide their own solution to this.

Am I missing anything macroscopic here? Is there any similar SSH
phone-home service under Guix? If not, would there be interest around
such a service or potentially to have this functionality as part of the
SSH service?

A cheap (but convoluted) option would be to have the SSH fingerprint
saved in /etc/issue. Some cloud providers allow the possibility to
connect to the machine via a web console. A user would be able to use
the web console to retrieve the key. A bit of a hack, to be honest.

Any idea or comment welcome.

Thanks, cheers,

Fabio.


- 0 https://cloudinit.readthedocs.io/en/latest/reference/modules.html#phone-home


-- 
Fabio Natali
https://fabionatali.com

Re: SSH key management for Guix cloud machines

[Felix Lechner via Development of GNU Guix and the GNU System distribution.]

Hi Fabio,

On Fri, Jan 19 2024, Fabio Natali wrote:

> Is there any mechanism that would allow to access the server without
> having to trust-on-first-use the server's fingerprint?

I publish my server-side keys via SSHFP records in a domain secured by
DNSSEC. When I add 'VerifyHostKeyDNS yes' to the client configuration
file, there is no prompt. [1]

Kind regards
Felix

[1] https://aye.sh/blog/sshfp-verification

Re: SSH key management for Guix cloud machines

[Fabio Natali]

On 2024-01-19, 11:09 -0800, Felix Lechner <felix.lechner@lease-up.com> wrote:
> I publish my server-side keys via SSHFP records in a domain secured by
> DNSSEC.

Hi Felix,

Thanks.

How does the publishing happen exactly, if I may ask? Is it `ssh-keygen
-r ...' + a web API call to the DNS provider?

My problem with this is that I wouldn't want to include my API
credentials in the Guix image. Unless there's a simpler alternative that
doesn't require credentials and that I'm not seeing? For instance if the
DNS functionality is provided by the hosting provider itself, then
credentials might not be needed?

Thanks, best wishes, Fabio.


-- 
Fabio Natali
https://fabionatali.com

Re: SSH key management for Guix cloud machines

[Felix Lechner via Development of GNU Guix and the GNU System distribution.]

Hi Fabio,

On Fri, Jan 19 2024, Fabio Natali wrote:

> How does the publishing happen exactly

You can query SSH server keys remotely [1] but I would deploy keys I
know already.

Kind regards
Felix

[1] https://serverfault.com/a/1033095

Re: SSH key management for Guix cloud machines

[Fabio Natali]

On 2024-01-20, 20:14 -0800, Felix Lechner <felix.lechner@lease-up.com> wrote:
>> How does the publishing happen exactly
>
> You can query SSH server keys remotely [1] but I would deploy keys I
> know already.

Hi Felix,

Thanks for getting back to me and sorry it took me so long to reply.

Querying the SSH server would be a bit of a catch-22 situation though,
unless the machine you're querying from is part of the same VPN as the
server.

While I do like the idea of using a DNS record, by itself this doesn't
seem to solve the trust-on-first-use issue. I'd be fine with this
solution, if the DNS were part of the same network as the newly
installed server, but that's not my case.

The other solution that comes to mind would involve:

- some kind of cloud-init service that waits until the SSH key pair is
  generated and then communicates the public key to the cloud provider;
- a cloud-init compliant cloud provider, that accepts the public key and
  then make it available to the user via a web dashboard.

I think this is what some providers do with other system images?

OTOH, UX-wise, this is much worse than the DNS record as it requires
manual intervention.

Let's see, maybe someone else might chime in with some other idea at
some point.

Thanks for now, cheers, Fabio.


-- 
Fabio Natali
https://fabionatali.com