Marius Bakke <mbakke@fastmail.com> writes:
Toggle quote (16 lines)
> Christopher Allan Webber <cwebber@dustycloud.org> writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another mean
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html
Will OpenSSH know where to look, in that case? I think a little more
work would be needed to tell OpenSSH where to look. For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).
In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service. For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the <openssh-configuration> record type.
Toggle quote (5 lines)
> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)
This topic has come up before. Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed. See here for details:
Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file. Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.
--
Chris
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlkGP0oACgkQ3UCaFdgi
Rp2esA/9EynXEf+d1ZILmFHnCLqhQxDV0tt8bk77NvfzSfIIDSJUFK67VrlvK0Ao
nQiJefk0oiS7/2amCr88tiwuz2n7F2Fq5quW+cd8qbrvQzV/A4+bkB/08lj+zuSB
XYzq3/6Gu27EEnEyrNlMjmGrgokBCxfjgiOPHQQnwa7jALjTE7S9sxQJkxeVPfE3
2uinXUGuRXWjjEdzaUA7K8QhfXWTft3A4W+XavtXYkeYksvJVTnwarE8GBwqucw0
Lqf2jMzs4KQGHQ7zkdbyjy4Sww0rBe6C+2oZMWOVKBAsp/dltacbNEK3IABKdl9b
CLKpSUjKMhzzyojJsKlCLqbGGpmarWWcnMUUlC541zwYpcEYxiuD4IEYMRdzFgzB
GyWZHT1oN9mvMN9Lm43kUlTXMxeSOLMew4DZQCVUS7whW1G4my6k80kEqj8si6SU
9bo+qVQWvdjsoG2am8oelG2CrTUlCipuPvVa4SXHheKk1Vtrncq/KYLuicShA2Qs
EP6AWRrV03LJnzyGo3XB3s9n16NyqhX3jSF9pWfMCUjnpwNMGUjq9Fw5OXawo9Vv
NjFxh1FvcYHhHOE6r8z4ojb+hHkopt1C7MPZC1Vwnzz+LG3Gv3rDaJSkPguaY+21
tNC1bNxy7wTFpDyKWigEHJGd1xcJu8nLUTC3bmw7JodypZ8VXbE=
=oGFT
-----END PGP SIGNATURE-----