CoreOS live and persistent SSH host keys

I managed to run Fedora CoreOS via iPXE directly from RAM, without installing it on the local disk.
I configure a couple of things by using Ignition, like data persistence for the containers directory and home, etc. by following the documentation.

Great. I’m satisfied.

Obviously, at each reboot, as stated also in the docs, the Fedora CoreOS live environment does not store any state on disk and is reprovisioned from scratch on every boot. That's fine.
The only annoyance I'm still unable to avoid is SSH host keys: on each reboot, new server keys are generated.
I tried to place the corresponding files using Ignition:

storage:
  files:
    - path: /etc/ssh/ssh_host_ecdsa_key.pub
      mode: 0644
      overwrite: true
      contents:
        local: /ssh/ssh_host_ecdsa_key.pub
...

Indeed it looks like these files are successfully put in place.

Jan 25 05:29:54 ignition[1146]: files: createFilesystemsFiles: createFiles: op(a): [finished] writing file "/sysroot/etc/ssh/ssh_host_ecdsa_key"

Apart from tinkering with systemd or the like, does CoreOS already provide a way to manage SSH host keys in a scenario like a live environment? Or, in any case, a way to provide these files?


Nice to meet you, PXE aficionado!
I agree with you, I did a lot of "crash and learn" with the live env., and SSH server fingerprints are still waiting …
As you can imagine, this post is to stay in touch with any solutions …
Cheers


You might try using a data-url for the pubkey content:

Thank you @vwbusguy, but the butane file (the snippet in my post) is actually translated to ignition syntax (by butane --pretty --strict example.bu > example.ign) in the data URL scheme that you are suggesting.

      {
        "overwrite": true,
        "path": "/etc/ssh/ssh_host_ecdsa_key.pub",
        "contents": {
          "compression": "",
          "source": "data:,ecdsa-sha2-nistp256%20AAAAE2VjZHNhLXNoYT..."
        },
        "mode": 420
      },

Whoops.
It works.
I figured out that for the ecdsa_key I was writing only the pub file and not the key one :man_facepalming:
So this works:

...
storage:
  files:
    - path: /etc/ssh/ssh_host_ecdsa_key
      mode: 0600
      overwrite: true
      contents:
        local: /ssh/ssh_host_ecdsa_key
    - path: /etc/ssh/ssh_host_ecdsa_key.pub
      mode: 0644
      overwrite: true
      contents:
        local: /ssh/ssh_host_ecdsa_key.pub
    - path: /etc/ssh/ssh_host_ed25519_key
      mode: 0600
      overwrite: true
      contents:
        local: /ssh/ssh_host_ed25519_key
    - path: /etc/ssh/ssh_host_ed25519_key.pub
      mode: 0644
      overwrite: true
      contents:
        local: /ssh/ssh_host_ed25519_key.pub
    - path: /etc/ssh/ssh_host_rsa_key
      mode: 0600
      overwrite: true
      contents:
        local: /ssh/ssh_host_rsa_key
    - path: /etc/ssh/ssh_host_rsa_key.pub
      mode: 0644
      overwrite: true
      contents:
        local: /ssh/ssh_host_rsa_key.pub
...

For completeness.
Generate the host key files (ecdsa, ed25519 and rsa) in a subdirectory where you have the butane file.

mkdir -p ssh; for type in ecdsa ed25519 rsa; do ssh-keygen -q -N "" -t "${type}" -f "ssh/ssh_host_${type}_key"; done

Convert the butane file to Ignition syntax, using the --files-dir option:

butane --files-dir . --pretty --strict example.bu > example.ign
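As an added example (not code from any post in this thread or from the Butane/Ignition projects), here is a small Python linter for the host-key entries of a generated .ign file. It catches exactly the mistake found above (a .pub entry with no matching private key, which makes sshd regenerate the pair), plus duplicate paths (which butane --strict rejects), a private key whose mode is readable by group/other (sshd refuses to load it), and private-key content that is not an OpenSSH private key. It also shows how the content of a `local:` file ends up as the percent-encoded `data:,` source in the JSON above; the private-key body and public-key line below are constructed placeholders, not real keys, and the 0644 default for an omitted mode is Ignition's documented default.

```python
"""Lint the SSH host-key entries of an Ignition (.ign) config."""
import base64
import stat
from urllib.parse import quote, unquote_to_bytes

HOST_KEY_PREFIX = "/etc/ssh/ssh_host_"
PRIVATE_KEY_MARKER = b"-----BEGIN OPENSSH PRIVATE KEY-----"


def encode_data_url(content: bytes) -> str:
    """Build the 'data:,<percent-encoded>' form Butane emits for text files
    (the shape of the "source" value in the Ignition JSON in this thread)."""
    return "data:," + quote(content, safe="")


def decode_data_url(url: str) -> bytes:
    """Decode an RFC 2397 data: URL, either percent-encoded or ';base64'."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    header, sep, payload = url[len("data:"):].partition(",")
    if not sep:
        raise ValueError("data: URL has no ',' separator")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote_to_bytes(payload)


def lint_host_keys(ign: dict) -> list:
    """Return findings about /etc/ssh/ssh_host_* entries in an Ignition config."""
    findings = []
    by_path = {}
    for entry in ign.get("storage", {}).get("files", []):
        path = entry["path"]
        if path in by_path:
            findings.append(f"duplicate entry for {path}")
            continue
        by_path[path] = entry

    for path, entry in by_path.items():
        if not path.startswith(HOST_KEY_PREFIX):
            continue
        if path.endswith(".pub"):
            private = path[: -len(".pub")]
            if private not in by_path:
                findings.append(f"{path} has no matching private key {private}")
            continue
        mode = entry.get("mode", 0o644)  # Ignition's default when mode is omitted
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path} mode {mode:o} is group/other accessible; expected 0600")
        if path + ".pub" not in by_path:
            findings.append(f"{path} has no matching public key {path}.pub")
        source = entry.get("contents", {}).get("source", "")
        if source.startswith("data:") and not decode_data_url(source).startswith(PRIVATE_KEY_MARKER):
            findings.append(f"{path} content is not an OpenSSH private key")
    return findings


def file_entry(path: str, mode: int, content: bytes) -> dict:
    """One storage.files entry in the shape butane produces from a 'local:' file."""
    return {"path": path, "mode": mode, "overwrite": True,
            "contents": {"compression": "", "source": encode_data_url(content)}}


# Constructed sample material (NOT real keys): an OpenSSH-looking private key
# body and a public-key line truncated the way it appears in this thread.
FAKE_PRIVATE = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                b"AAAA...constructed placeholder...\n"
                b"-----END OPENSSH PRIVATE KEY-----\n")
FAKE_PUBLIC = b"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYT... root@example\n"

# The first attempt in the thread: only the .pub file for ecdsa was written.
BROKEN_IGN = {"ignition": {"version": "3.3.0"}, "storage": {"files": [
    file_entry("/etc/ssh/ssh_host_ecdsa_key.pub", 0o644, FAKE_PUBLIC),
]}}

# The working version: private + public for each type, 0600 on private keys.
FIXED_IGN = {"ignition": {"version": "3.3.0"}, "storage": {"files": [
    e for t in ("ecdsa", "ed25519", "rsa") for e in (
        file_entry(f"/etc/ssh/ssh_host_{t}_key", 0o600, FAKE_PRIVATE),
        file_entry(f"/etc/ssh/ssh_host_{t}_key.pub", 0o644, FAKE_PUBLIC),
    )
]}}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_IGN), ("fixed", FIXED_IGN)):
        print(name, lint_host_keys(cfg) or "OK")
```

Run it against `json.load(open("example.ign"))` after the butane step to confirm all six files are present with the right modes. Note that once the .ign embeds private host keys it is itself key material; the linter checks the file's contents, not how it is served to the iPXE host.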