Not able to login using SSH with new auto-import.assert file

@ogra
Hi,
I am getting a Permission Denied error while connecting to the system with SSH.
It was observed that system-user included in auto-import.assert file has date until: 2020-07-08T05

So now I have created new auto-import.assert file using make-system-user and same key that is registered with snapraft and which was for generating the previous assert file.

However with the new auto-import.assert file also I am not able to login and get permission denied error messages.

  • Is there any expiry date for keys registered with snapcraft?
  • Do we have to use a new set of keys when the system-user expires after 1 year?
  • What is the best approach in this situation?

Thanks ,
Smita

The system-user assertion has an until field that you can manually set if you sign the system-user assertion yourself, perhaps make-system-user should allow setting the until field for the assertion from the options there if you need it to last longer.

CC @kyleN

1 Like

Yes, adding support for the until field is on my list. Thanks.

1 Like

@ijohnson,
Thanks for your feedback.
As suggested myself as well my collogue ( one who had created original assert file) tried changing the until field of assert file manually. But it does not work. We still get permission denied error.

  • Is there any expiry date for keys registered with snapcraft? How can one find out if keys are still valid?
    Regards,
    Smita

You can’t change the .assert file directly, you have to change the json document that is signed, then re-sign it.

I don’t 100% remember the details of snapcraft’s keys that it creates via snapcraft create-key, but I don’t think any of those keys expire. However, the things that those keys are used to sign, such as system-user assertions do expire and the expiration is controlled by the until field in the document that is signed by snap sign. Until make-system-user is updated to allow an until option, you can manually create the system-user assertion with a script like this one I just wrote: https://gist.github.com/anonymouse64/cc550d1cbb51b67847c2a2ef3fdbe01b

You can use it like so:

$ echo '{
    "type": "system-user",
    "authority-id": "account-id",
    "series": ["16"],
    "brand-id": "account-id",
    "email": "your-email@launchpad.net",
    "models": ["model-name"],
    "name": "user user",
    "username": "the-user",
    "password": "blahblahblah",
    "since": "2020-05-16T18:06:04+00:00",
    "until": "2064-05-16T18:06:04+00:00"
}
' | sign-system-user-assertion your-key-name

Rev 19 of make-system-user (amd64) now has the --until field:

$ make-system-user -b myaccountid -u kitty -p mykittypassword -m mycat -k mykittykey --until "2020:10:24"
Done. You may copy auto-import.assert to a USB stick and insert it into an unmanaged Core system, after which you can log in [ . . . ] 
1 Like