Auto connect request for ssh-keys in juju snap

The Juju 3 snap currently uses the ssh-public-keys interface. However, it needs to access the user’s private key in order to ssh into machines that have been provisioned, as well as machines managed by the user which need to be manually enrolled.

The Juju 3.0/edge snap has been built with the updated interface.

The classic Juju 2 snap has the same functionality.

+1 from me for use of ssh-keys for juju as this is a standard workflow for the snap. Regarding auto-connect, since this is a very privileged interface, I think this would only be appropriate if this is not just a standard workflow but the most likely / most used workflow. Can you help me understand this aspect? Thanks.

The aim is to maintain functional parity between the classic juju 2.9 CLI and the new strictly confined juju 3.0 CLI.

The main use cases:

  1. juju CLI ssh and scp operations on machines provisioned by juju
  2. juju CLI ssh access to existing machines managed by the user to manually enroll them

Under the covers juju uses the Go SSH client APIs golang.org/x/crypto/ssh.

Case 1 covers Juju CLI commands like juju ssh and juju scp as well as juju exec. When juju provisions a machine, it adds the user’s public key to the authorised keys list on the provisioned machine to allow subsequent ssh access via the Juju CLI.

Case 2 is for the juju add-machine command where the user wants to take an existing machine and add it to the juju model - juju needs to add provisioning scripts to the machine. The user will already have ssh access to the machine.

The juju add-machine command does have a --private-key option where you can use a private key located elsewhere, but with the strict snap, the user would be forced to copy their private key to somewhere under $home that the snap could access, which is not ideal.

Ok thanks for the extra info - juju ssh and juju scp seem to be primary operations for juju so I don’t think users would be surprised that it would then have access to their SSH private keys.

As such +1 from me for auto-connect of ssh-keys for juju. Can other @reviewers please vote too?

+1 from me as well for auto-connect ssh-keys to juju since it's clearly required to perform ssh operations and maintain functional parity with the classic juju snap. +2 votes for, 0 votes against, this is now live.

@wallyworld I did not see the latest revision in the store already plugging ssh-keys but I went ahead and granted it manually. Please let me know if you experience any issue when you add this to the snap.

Maybe it would be great if the juju snap description can detail the privileged iface auto-connections it was granted (this and lxd at least) so users are aware.

Thank you.

The 3.0/edge snap has the ssh-keys plug (latest is still 2.9).

We’ll be sure to update the snap description.

Ah ok, I believe we only see the latest.

Thanks!