[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How best to set host key in vm

From: Ludovic Courtès
Subject: Re: How best to set host key in vm
Date: Fri, 09 Feb 2018 12:02:59 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)


George myglc2 Clemmer <address@hidden> skribis:

> I want to set the host key in 'guix system vm-image' so that updating a
> VM config does not break that VM's host key entry in my client machine
> ~/.ssh/knownhosts files.  AFAIK there is no direct way to do this. I
> tried this ...
>   (services (cons*
>   [...]
>            (extra-special-file "/etc/ssh/ssh_host_ed25519_key"
>                                (local-file "ssh_host_ed25519_key"))
>            (extra-special-file "/etc/ssh/"
>                                (local-file ""))
>   )
> ... which does work but naturally throws errors ...
> localhost sshd[236]: error: 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> localhost sshd[236]: error: @         WARNING: UNPROTECTED PRIVATE KEY FILE!  
>         @
> localhost sshd[236]: error: 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

You should *not* do that, indeed, because the private key file ends up
in the store, and every file in the store is world-readable.  There’s no
way around it, currently at least.

The recommendation in this case is to use “out-of-band” storage—i.e.,
have the secrets stored in a place other than the store.

For example, you could have an activation snippet that copies secret
files directly to /etc, along these lines (untested):

  (simple-service 'copy-private-key activation-service-type
                  (with-imported-modules '((guix build utils))
                        (use-modules (guix build utils))
                        (mkdir-p "/etc/ssh")
                        (copy-file "/root/secrets/ssh_host_ed25519_key"

That means you have to arrange for /root/secrets/ssh_host_ed25519_key to
exist in the first place, but that’s pretty much all we can do.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]