enable different user logins through virtme ssh client #273
Conversation
andreasgrapentin
force-pushed
the
feat/ssh-user
branch
from
f10fd75 to
e1a35c1
Compare
virtme/guest/virtme-sshd-script
Outdated
| chown -R root:root "${SSH_DIR}"/etc/ssh | ||
| chmod 600 "${SSH_DIR}"/etc/ssh/ssh_host_*_key | ||
| chmod 644 "${SSH_DIR}"/etc/ssh/ssh_host_*_key.pub | ||
| chmod 644 "${SSH_AUTH_KEYS}" |
There was a problem hiding this comment.
Can we merge this into the previous chmod (so can save a chmod exec)?
There was a problem hiding this comment.
sure, no problem. will fix this up with the next commit.
There was a problem hiding this comment.
fixed up in 845579b
virtme/guest/virtme-sshd-script
Outdated
|
|
||
| # use an ssh location OUTSIDE of the users home directory to enable sharing | ||
| # of host keys and authorized keys without dubious permission errors | ||
| SSH_DIR=/opt/virtme/sshd |
There was a problem hiding this comment.
Can we use /run/sshd as SSH_DIR, which is already created above?
There was a problem hiding this comment.
I considered using a directory below /run, but this causes sshd to reject the authorized_keys file:
Authentication refused: bad ownership or modes for directory /run
in the virtme guest, /run has mode 0777, even though on the host it has 0755. I'm not exactly sure why that is, and I didn't want to mess around with rootfs permissions, that was the reason for opting for /opt :)
There was a problem hiding this comment.
but we can move the mkdir into the if [ ! -e "${SSH_HOME}" ] block, so that we only run into that exec on the unlikely path.
There was a problem hiding this comment.
or get rid of it entirely, because it is covered already in
mkdir -p "${SSH_CACHE}"/etc/ssh
later in the script.
There was a problem hiding this comment.
If there's a way to not depend on /opt and reuse one of the existent paths it'd be nicer, /opt should always be present, but people are using vng in many different environments, also minimal chroots, so we need to make sure we pick a top dir that always exists and where we can write to.
There was a problem hiding this comment.
is it a problem if /opt does not exist? the root directory should be writable for the guest, right? so we would just create /opt if it's missing?
There was a problem hiding this comment.
Ah, no it actually isn't writable, that's interesting.
how about /var/lib/virtme/sshd, or /tmp/virtme/sshd?
There was a problem hiding this comment.
I pushed a new commit that changes the mode of /run to 755 instead of the default 777 when mounting in virtme-init (both bash and rust)
that seems to be a sane enough change, and it allows us to place the keys in /run/sshd without running into dubious permission errors.
There was a problem hiding this comment.
I like this a lot more, also /run should be 755, that's the standard, so even if we break something then we'll fix that. We should be consistent with the standard. :)
pass the value of the --user parameter to ssh through -l, also modify the virtme-sshd-script run on the guest to store host keys and authorized_keys file in a non-dubious location for sshd. Signed-off-by: Andreas Grapentin <gra@linux.ibm.com>
/run was mounted as tmpfs with default permissions 777, and as such was not accepted as suitable location for host keys and authorized keys by sshd. fix by mounting with mode 0755 and use as sshd location. Signed-off-by: Andreas Grapentin <gra@linux.ibm.com>
andreasgrapentin
force-pushed
the
feat/ssh-user
branch
from
e1a35c1 to
fa3dd0a
Compare
|
One small comment, we have to document this :) Because this can be pretty useful. |
(This is a bit of a follow-up to PR #261)
While testing with the improved ssh connection through vsock, I intuitively expected to be able to select the login user through the
--userparameter when passed to virtme_ng along with--ssh-client, but it seems like that parameter is silently ignored.This PR proposes a slightly modified implementation that passes the
--userparameter along with the ssh command through ssh's-lparameter.This also requires some modifications to the sshd script that is started from
initin the guest, because storing the host keys and authorized_keys file somewhere under the current users home directory causes sshd to deny logins with dubious permission errors for other users, such as root. So instead, this PR moves everything to/opt/virtme/sshdas a safe system location and fixes up permissions as necessary.