Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
We take advantage of loading systemd system credentials based on smbios type 11 strings and QEMU’s vsock feature. Here is the list of recognized system credentials.
The important bit passing down the following argument to qemu
$ qemu-system-x86_64 # ... -device vhost-vsock-pci,guest-cid=$cid \ -smbios type=11,value=io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_keylibvirt allows setting smbios11 as <oemStrings> and defining virtual sockets.
Under GNOME boxes, go to the VM configuration. The important bit is setting a smbios under os, adding a vsock device and the sysinfo domain. E.g.
<domain type="kvm"> <!-- ... other domains --> <os firmware="efi"> <!-- ... other os info --> <smbios mode="sysinfo"/> </os> <sysinfo type='smbios'> <oemStrings> <entry>io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_key</entry> </oemStrings> </sysinfo> <devices> <!-- ... other devices --> <vsock model="virtio"> <cid auto="no" address="$cid"/> </vsock> </devices> </domain>Here $cid needs to be replaced by a numerical value bigger than 2 and
$base64_ssh_key is the base64-encoded public SSH key, we use $cid=3 here. One can encode a public SSH key via
<~/.ssh/id_ed25519.pub base64 -w0Ensure you can decode it back before proceeding!!
echo -n "output from above" | base64 -dThen inside of the VM, verify the smbios 11 key is visible,
$ run0 systemd-analyze smbios11 io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_key… 1 SMBIOS Type #11 strings passed.on the guest’s journal one should see:
$ run0 journalctl -b -g 'ssh.ephemeral-authorized_keys-all' Jun 18 00:11:06 gnomeos-11e6-75db systemd[1]: Received regular credentials: ssh.ephemeral-authorized_keys-alland one can verify it via:
$ run0 systemd-creds --system list NAME SECURE SIZE PATH ssh.ephemeral-authorized_keys-all secure 97B /run/credentials/@system/ssh.ephemeral-authorized_keys-all $ systemd-creds --system cat ssh.ephemeral-authorized_keys-allNow that everything is set, and the sshd service is running inside the VM:
systemctl enable --now sshd.serviceone can ssh into the VM via:
ssh $user@vsock/$cidwhere $user is the username inside of the VM and $cid as above, in my example:
ssh msandova@vsock/3This requires systemd-ssh-proxy on the host, should be included in v257 or newer.
Note that scp has a slightly different syntax, e.g.
scp $FILES msandova@vsock%3:$PATHRead more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.
Read more of this story at Slashdot.