Auto connect request for ssh-keys in juju snap

The Juju 3 snap currently uses the ssh-public-keys interface. However, it needs to access the user’s private key in order to ssh into machines that have been provisioned, as well as machines managed by the user which need to be manually enrolled.

The Juju 3.0/edge snap has been built with the updated interface.

The classic Juju 2 snap has the same functionality.

+1 from me for use of ssh-keys for juju as this is a standard workflow for the snap. Regarding auto-connect, since this is a very privileged interface, I think this would only be appropriate if this is not just a standard workflow but the most likely / most used workflow. Can you help me understand this aspect? Thanks.

The aim is to maintain functional parity between the classic juju 2.9 CLI and the new strictly confined juju 3.0 CLI.

The main use cases:

  1. juju CLI ssh and scp operations on machines provisioned by juju
  2. juju CLI ssh access to existing machines managed by the user to manually enroll them

Under the covers juju uses the Go SSH client APIs

Case 1 covers Juju CLI commands like juju ssh and juju scp as well as juju exec. When juju provisions a machine, it adds the user’s public key to the authorised keys list on the provisioned machine to allow subsequent ssh access via the Juju CLI.

Case 2 is for the juju add-machine command where the user wants to take an existing machine and add it to the juju model - juju needs to add provisioning scripts to the machine. The user will already have ssh access to the machine.

The juju add-machine command does have a --private-key option where you can use a private key located elsewhere, but with the strict snap, the user would be forced to copy their private key to somewhere under $home that the snap could access, which is not ideal.

Ok thanks for the extra info - juju ssh and juju scp seem to be primary operations for juju so I don’t think users would be surprised that it would then have access to their SSH private keys.

As such +1 from me for auto-connect of ssh-keys for juju. Can other @reviewers please vote too?

+1 from me as well for auto-connect ssh-keys to juju since its clearly required to perform ssh operations and maintain functional parity with the classic juju snap. +2 votes for, 0 votes against, this is now live.

@wallyworld I did not see the latest revision in the store already plugging ssh-keys but I went ahead and grant it manually. Please let me know if you experience any issue when you add this to the snap.

Maybe it would be great if the juju snap description can detail the privileged iface auto-connections it was granted (this and lxd at least) so users are aware.

Thank you.

The 3.0/edge snap has the ssk-keys plug (latest is still 2.9).

We’ll be sure to update the snap description

1 Like

Ah ok, I believe we only see the latest.