Skip to content

Switch to authorized keys for image login#124

Open
alexhulbert wants to merge 117 commits intomainfrom
ah/simple-ssh
Open

Switch to authorized keys for image login#124
alexhulbert wants to merge 117 commits intomainfrom
ah/simple-ssh

Conversation

@alexhulbert
Copy link
Member

@alexhulbert alexhulbert commented Mar 18, 2026

Currently, devtools images can't be safely used in situations where they are accessible over the public internet. This is for a few reasons:

  • The devtools images allow password-based root login
  • The devtools images allow logging in over the serial console

The current L2 merge branch works around this by creating custom modules that disable these two features. However, this works around functionality that shouldn't be enabled by default in the first place.

This PR disables password-based root login and the serial console in devtools images (there is no passwd entry for root, so it will never allow any login even if someone somehow managed to get a login prompt). This means that the only way to log in to a devtools image is via injecting an authorized_keys file into the image.

To make this injection easier, the PR also allows you to add an authorized_keys file to mkosi.profiles/devtools. It will inject this file for you automatically into dev builds. This file is gitignored too, so you don't need to worry about committing it.

To enable the original serial console / password-based login functionality, you can add SERIAL_CONSOLE=true to the end of a make build-dev command.

0x416e746f6e and others added 30 commits November 4, 2025 17:12
@0x416e746f6e
chore: move persistent-mount under bob
10ab948
@0x416e746f6e
chore: tidy up gitignore
4a1202d
@0x416e746f6e
fix: specify the package during rust builds
447a823
@0x416e746f6e
feat: implement blanket gcp image build
145218b
@0x416e746f6e
fix: measurement output
c8dc66e
@0x416e746f6e
feat: use available resources + 2.0 readiness
323947c
@0x416e746f6e
feat: add preflight command
ed22ad0
@ilyaluk
use fixed time in kernel build
7e48660
@0x416e746f6e
fix: "normalise" yocto kernel
c41a2cd
@0x416e746f6e
fix: "normalise" ubuntu kernel config snippet
865b9f8
@0x416e746f6e
feat: allow modular kernel config snippets
7ad9288
@0x416e746f6e
feat: add reproducibility check
9c28591
@0x416e746f6e
feat: implement base l2 image
e85b24d
@0x416e746f6e
fix: build profile-less base
77f5ff3
@0x416e746f6e
feat: implement op-rbuilder image
427002a
@Melvillian
fix: fix setup_lima when run on a mac
0b05056 
Prior to this commit, env_wrapper's 'setup_lima' command would only work for Linux
because it uses the 'nproc' and 'free' shell commands, which do not exist on Mac.
Now, the script detects the platform and uses the appropriate shell commands
@0x416e746f6e
Merge pull request #44 from Melvillian/add-mac-cpu-and-memory-cli-com…
570bce3 
…mands

fix: fix setup_lima when run on a mac
@0x416e746f6e
chore: use reth 1.9.2 + fixes
37bd948
@ilyaluk
fix cmake under apple silicon
c8a56c2
@ilyaluk
disable saving gcp measurements to file
8bf1851
@alexhulbert
Update GCP measurement tool to latest version
82d871d
@alexhulbert
Switch to official fluent-bit build
0254a5a
@alexhulbert
Fix gcp measurement cmdline
8fe02a3
@alexhulbert
Pin Debian archive
4de008e
@alexhulbert
Update measurement code again
29504ab
@0x416e746f6e
chore: tidy-up
119c18a 
(move snippets around to the right places)
@0x416e746f6e
chore: drop unused code
76a69d3
@0x416e746f6e
fix: bail out if curl is not installed
e7954c7
@0x416e746f6e
fix: downgrade to 1.8.4 op-reth
26bff23
@0x416e746f6e
fix: revert away from official fluent-bit build
cf2f4b2
0x416e746f6e and others added 23 commits March 16, 2026 15:01
@0x416e746f6e
fix: make sure to update hostname on boot
4502994
@0x416e746f6e
chore: bump max image size to 1Gb
808b521
@0x416e746f6e
feat: generate build-manifest
6c8effe
@0x416e746f6e
feat: implement builder images
a8781a6
@0x416e746f6e
feat: implement simulator image
3bed38d
@0x416e746f6e
fix: enable non-root users to login on dev images
cf08312
@0x416e746f6e
fix: move services under minimal.target
a7c0430
@0x416e746f6e
fix: use local gcp dns
4c2495e
@0x416e746f6e
feat: implement console-less dev images
bc98e23
@0x416e746f6e
chore: disable console
af44ebf
@0x416e746f6e
feat: implement disabling root login on dev images
0f7f202
@0x416e746f6e
chore: disable root-login
95f669e
@0x416e746f6e
chore: switch to .chroot scripts
afdb134
@0x416e746f6e
chore: remove redundant code
36bb7a6
@0x416e746f6e
fix: revert to 500MiB
a624a27 
measured boot scripts are hardcoded at that size
@0x416e746f6e
fix: remove redundant systemctl enable
265f891
@0x416e746f6e
fix: move set-host script under l2
da3446b
@0x416e746f6e
review: drop time
b5f3ef1
@0x416e746f6e
feat: add artifact sizes to build manifest
325161a
@0x416e746f6e
review: remove redundant config
e4de2a1
@0x416e746f6e
chore: remove redundant systemctl enable
ab71b5b
@0x416e746f6e
review: resolve internal domains via nic's dns
46ee01d
@alexhulbert
Switch to authorized keys for image login
d0d8a17
@alexhulbert alexhulbert mentioned this pull request Mar 18, 2026
Merged
@0x416e746f6e
Copy link
Member

0x416e746f6e commented Mar 18, 2026

To make this injection easier, the PR also allows you to add an authorized_keys file to mkosi.profiles/devtools

I think this breaks reproducibility of the build.

@alexhulbert
Copy link
Member Author

alexhulbert commented Mar 18, 2026

@0x416e746f6e It doesn't break reproducibility since it only injects the key into dev images, similar to how the Yocto tooling worked.

@0x416e746f6e
Copy link
Member

0x416e746f6e commented Mar 19, 2026
edited
Loading

It doesn't break reproducibility since it only injects the key into dev images, similar to how the Yocto tooling worked.

i.d.k. whether how yocto worked holds an argument here. but dev images are also images, and injecting arbitrary files into them at build-time will cause them to be different from one another, hence will break reproducibility. throwing that away just for the sake of allowing ssh access to the dev VM is too much i.m.o.

there are multiple ways to allow SSH access into dev VMs while still keeping the images reproducibly buildable. l2 is using one of them, but there are definitely others available too.

Base automatically changed from trunk/l2-merge-main to main March 19, 2026 15:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0x416e746f6e 0x416e746f6e Awaiting requested review from 0x416e746f6e

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@alexhulbert @0x416e746f6e @ilyaluk @Melvillian @avalonche @julio4