* SSH key management for Guix cloud machines
@ 2024-01-19 13:15 Fabio Natali
2024-01-19 19:09 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
0 siblings, 1 reply; 5+ messages in thread
From: Fabio Natali @ 2024-01-19 13:15 UTC (permalink / raw)
To: guix-devel
Hi All,
I wanted to ask what the best practice is (or what people usually do)
when it comes to SSH key management for Guix systems deployed in the
cloud.
In a nutshell, consider a cloud server that's been instantiated out of a
Guix system image. Suppose that the image comes with a predefinded
(passwordless) user and an authorised SSH key for remote access.
On first access, the user is asked to verify and accept the server's SSH
fingerprint, and rightfully so to protect against MITM attacks.
Is there any mechanism that would allow to access the server without
having to trust-on-first-use the server's fingerprint?
In other words, once the server SSH key has been generated, is there any
standard/common way to have the fingerprint published (or somehow
"phoned home")?
In the context of cloud-init, I think this is achieved via the Phone
Home module⁰. I believe Terraform and other orchestration tools also
provide their own solution to this.
Am I missing anything macroscopic here? Is there any similar SSH
phone-home service under Guix? If not, would there be interest around
such a service or potentially to have this functionality as part of the
SSH service?
A cheap (but convoluted) option would be to have the SSH fingerprint
saved in /etc/issue. Some cloud providers allow the possibility to
connect to the machine via a web console. A user would be able to use
the web console to retrieve the key. A bit of a hack, to be honest.
Any idea or comment welcome.
Thanks, cheers,
Fabio.
- 0 https://cloudinit.readthedocs.io/en/latest/reference/modules.html#phone-home
--
Fabio Natali
https://fabionatali.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SSH key management for Guix cloud machines
2024-01-19 13:15 SSH key management for Guix cloud machines Fabio Natali
@ 2024-01-19 19:09 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-19 22:52 ` Fabio Natali
0 siblings, 1 reply; 5+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2024-01-19 19:09 UTC (permalink / raw)
To: Fabio Natali, guix-devel
Hi Fabio,
On Fri, Jan 19 2024, Fabio Natali wrote:
> Is there any mechanism that would allow to access the server without
> having to trust-on-first-use the server's fingerprint?
I publish my server-side keys via SSHFP records in a domain secured by
DNSSEC. When I add 'VerifyHostKeyDNS yes' to the client configuration
file, there is no prompt. [1]
Kind regards
Felix
[1] https://aye.sh/blog/sshfp-verification
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SSH key management for Guix cloud machines
2024-01-19 19:09 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2024-01-19 22:52 ` Fabio Natali
2024-01-21 4:14 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
0 siblings, 1 reply; 5+ messages in thread
From: Fabio Natali @ 2024-01-19 22:52 UTC (permalink / raw)
To: Felix Lechner, guix-devel
On 2024-01-19, 11:09 -0800, Felix Lechner <felix.lechner@lease-up.com> wrote:
> I publish my server-side keys via SSHFP records in a domain secured by
> DNSSEC.
Hi Felix,
Thanks.
How does the publishing happen exactly, if I may ask? Is it `ssh-keygen
-r ...' + a web API call to the DNS provider?
My problem with this is that I wouldn't want to include my API
credentials in the Guix image. Unless there's a simpler alternative that
doesn't require credentials and that I'm not seeing? For instance if the
DNS functionality is provided by the hosting provider itself, then
credentials might not be needed?
Thanks, best wishes, Fabio.
--
Fabio Natali
https://fabionatali.com
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SSH key management for Guix cloud machines
2024-01-19 22:52 ` Fabio Natali
@ 2024-01-21 4:14 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-26 18:07 ` Fabio Natali
0 siblings, 1 reply; 5+ messages in thread
From: Felix Lechner via Development of GNU Guix and the GNU System distribution. @ 2024-01-21 4:14 UTC (permalink / raw)
To: Fabio Natali, guix-devel
Hi Fabio,
On Fri, Jan 19 2024, Fabio Natali wrote:
> How does the publishing happen exactly
You can query SSH server keys remotely [1] but I would deploy keys I
know already.
Kind regards
Felix
[1] https://serverfault.com/a/1033095
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: SSH key management for Guix cloud machines
2024-01-21 4:14 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
@ 2024-01-26 18:07 ` Fabio Natali
0 siblings, 0 replies; 5+ messages in thread
From: Fabio Natali @ 2024-01-26 18:07 UTC (permalink / raw)
To: Felix Lechner, guix-devel
On 2024-01-20, 20:14 -0800, Felix Lechner <felix.lechner@lease-up.com> wrote:
>> How does the publishing happen exactly
>
> You can query SSH server keys remotely [1] but I would deploy keys I
> know already.
Hi Felix,
Thanks for getting back to me and sorry it took me so long to reply.
Querying the SSH server would be a bit of a catch-22 situation though,
unless the machine you're querying from is part of the same VPN as the
server.
While I do like the idea of using a DNS record, by itself this doesn't
seem to solve the trust-on-first-use issue. I'd be fine with this
solution, if the DNS were part of the same network as the newly
installed server, but that's not my case.
The other solution that comes to mind would involve:
- some kind of cloud-init service that waits until the SSH key pair is
generated and then communicates the public key to the cloud provider;
- a cloud-init compliant cloud provider, that accepts the public key and
then make it available to the user via a web dashboard.
I think this is what some providers do with other system images?
OTOH, UX-wise, this is much worse than the DNS record as it requires
manual intervention.
Let's see, maybe someone else might chime in with some other idea at
some point.
Thanks for now, cheers, Fabio.
--
Fabio Natali
https://fabionatali.com
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-01-26 18:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-19 13:15 SSH key management for Guix cloud machines Fabio Natali
2024-01-19 19:09 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-19 22:52 ` Fabio Natali
2024-01-21 4:14 ` Felix Lechner via Development of GNU Guix and the GNU System distribution.
2024-01-26 18:07 ` Fabio Natali
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.