Re: SSH key management for Guix cloud machines
On 2024-01-20, 20:14 -0800, Felix Lechner wrote: >> How does the publishing happen exactly > > You can query SSH server keys remotely [1] but I would deploy keys I > know already. Hi Felix, Thanks for getting back to me and sorry it took me so long to reply. Querying the SSH server would be a bit of a catch-22 situation though, unless the machine you're querying from is part of the same VPN as the server. While I do like the idea of using a DNS record, by itself this doesn't seem to solve the trust-on-first-use issue. I'd be fine with this solution, if the DNS were part of the same network as the newly installed server, but that's not my case. The other solution that comes to mind would involve: - some kind of cloud-init service that waits until the SSH key pair is generated and then communicates the public key to the cloud provider; - a cloud-init compliant cloud provider, that accepts the public key and then make it available to the user via a web dashboard. I think this is what some providers do with other system images? OTOH, UX-wise, this is much worse than the DNS record as it requires manual intervention. Let's see, maybe someone else might chime in with some other idea at some point. Thanks for now, cheers, Fabio. -- Fabio Natali https://fabionatali.com
Re: SSH key management for Guix cloud machines
Hi Fabio, On Fri, Jan 19 2024, Fabio Natali wrote: > How does the publishing happen exactly You can query SSH server keys remotely [1] but I would deploy keys I know already. Kind regards Felix [1] https://serverfault.com/a/1033095
Re: SSH key management for Guix cloud machines
On 2024-01-19, 11:09 -0800, Felix Lechner wrote: > I publish my server-side keys via SSHFP records in a domain secured by > DNSSEC. Hi Felix, Thanks. How does the publishing happen exactly, if I may ask? Is it `ssh-keygen -r ...' + a web API call to the DNS provider? My problem with this is that I wouldn't want to include my API credentials in the Guix image. Unless there's a simpler alternative that doesn't require credentials and that I'm not seeing? For instance if the DNS functionality is provided by the hosting provider itself, then credentials might not be needed? Thanks, best wishes, Fabio. -- Fabio Natali https://fabionatali.com
Re: SSH key management for Guix cloud machines
Hi Fabio, On Fri, Jan 19 2024, Fabio Natali wrote: > Is there any mechanism that would allow to access the server without > having to trust-on-first-use the server's fingerprint? I publish my server-side keys via SSHFP records in a domain secured by DNSSEC. When I add 'VerifyHostKeyDNS yes' to the client configuration file, there is no prompt. [1] Kind regards Felix [1] https://aye.sh/blog/sshfp-verification
SSH key management for Guix cloud machines
Hi All, I wanted to ask what the best practice is (or what people usually do) when it comes to SSH key management for Guix systems deployed in the cloud. In a nutshell, consider a cloud server that's been instantiated out of a Guix system image. Suppose that the image comes with a predefinded (passwordless) user and an authorised SSH key for remote access. On first access, the user is asked to verify and accept the server's SSH fingerprint, and rightfully so to protect against MITM attacks. Is there any mechanism that would allow to access the server without having to trust-on-first-use the server's fingerprint? In other words, once the server SSH key has been generated, is there any standard/common way to have the fingerprint published (or somehow "phoned home")? In the context of cloud-init, I think this is achieved via the Phone Home moduleā°. I believe Terraform and other orchestration tools also provide their own solution to this. Am I missing anything macroscopic here? Is there any similar SSH phone-home service under Guix? If not, would there be interest around such a service or potentially to have this functionality as part of the SSH service? A cheap (but convoluted) option would be to have the SSH fingerprint saved in /etc/issue. Some cloud providers allow the possibility to connect to the machine via a web console. A user would be able to use the web console to retrieve the key. A bit of a hack, to be honest. Any idea or comment welcome. Thanks, cheers, Fabio. - 0 https://cloudinit.readthedocs.io/en/latest/reference/modules.html#phone-home -- Fabio Natali https://fabionatali.com