authenticates with the store (for publishing snaps in the store)
allows registring snap names
uploading and releasing snaps to the store
and other snap building and releasing functions
These “logins” are independent of each other. The snap login only allows to “consume” snaps that are already released in the store. To release or modify anything within the store, you have to use snapcraft and snapcraft login.
Over the years, I also have set up multiple Ubuntu Core 18 and 20 devices using the “prebuild” images provided by Canonical [1] in the following way:
flash the image onto the device
boot up the device
enter my email address during setup to fetch and install my SSH key automatically
SSH into the device
install and configure the necessary snaps
give the device to a third party
As this process never asks for my Ubuntu One password, I thought this only fetches the SSH keys and creates a local user named the same as my Ubuntu One username. The SSH key and the Ubuntu One username are both publicly available information on Launchpad.
However, I recently stumbled across a post within this forum (I think it was by Oliver Grawert) stating that setting up an Ubuntu Core device this way also logs you into the snap command as if you would manually call snap login.
This appears to be true. I verified it on one of my Ubuntu Core devices by running snap whoami and checking whether ~/.snap/auth.json exists.
Now, this makes me wonder:
How can I be authenticated with the snap store on these devices when I never entered any credentials? The only thing I can think of would be some authentication using the private SSH key on my workstation when I connected to the device over SSH the first time. But I do not see how this could work.
As I have given these devices to others, should I be concerned that my account is compromised?
Can the credentials within ~/.snap/auth.json be used to authenticate with snapcraft?
I have to say I am surprised by the behavior on Ubuntu Core, as there is no further notice or warning at or after the email prompt.
the ssh key that is downloadable on launchpad is only the pubkey, the private part is (hopefully) on your local disk only, so your users wont be able to use this to log in (unless you distribute the private key along with the images), but you ship with a backdoor only you can use (indeed, if you desire exactly this (i.e. because you are the sole admin of all these devices) that is the way to go).
the correct approach when wanting to allow the users to ssh into the devices themselves would be to actually create your own images with snaps you need pre-installed from the store through the model assertion and leave the configuration to the final end-user (which indeed means they need to create an SSO account first).
Of course, the SSH private key is only located on my workstation.
However, I still don’t understand why I need to enter a password when calling snap login manually, but I am logged in to the snap command on a Ubuntu Core device without ever entering a password.
As a side note: I recently activated two-factor authentication for my Ubuntu One account.
Maybe I misunderstood you, but running snap login on my workstation always asks for an email and a password, even when two-factor authentication is disabled.
I additionally did some digging into whether there are any differences between manually calling snap login and the automatic login of the snap command on an Ubuntu Core device:
After manually calling snap login on my workstation, I can install private snaps from the store. This is what I expected.
But trying to install a private snap on an Ubuntu Core device fails with an error message saying
error: snap "[name]" not found. The same error message was printed on my workstation when I did not sign in to the snap command.
Because of this, I think there is a difference, and the Ubuntu Core setup (I believe it is called console-conf) does not authenticate to the store but only to snapd locally.
Is this correct, and is it documented anywhere?
My initial confusion was caused by thinking that the Ubuntu Core setup somehow authenticated to the store without ever asking for a password, and therefore the device has access to my account. This is not the case, correct?
I presume that manually calling snap logout and then snap login on the Ubuntu Core device would authenticate with the store and allow to install private snaps on the machine.
