Ssh-read personal-files request for jhack

ppasotti · January 26, 2023, 2:33pm

Hi all, yet another personal-files request for jhack.

Jhack is going to need read access to ~/.ssh in order to be able to run juju ssh on LXD models.

  ssh-read:
    interface: personal-files
    read:
      - $HOME/.ssh

See the issue: https://github.com/PietroPasotti/jhack/issues/46 and the solution proposed and tester by the one who found the problem: https://github.com/Maharacha/jhack/commit/5ef6a0183ddcc90db4fde98f0c1f8759c5a1b1d3

Given the sensitive nature of the data, I’m fine if this is not autoconnect-enabled.

ogra · January 26, 2023, 3:24pm

are the existing ssh-public-keys or ssh-keys snap interfaces not suitable for this ?

ppasotti · January 26, 2023, 3:30pm

Uh. Didn’t know they existed. I find it hard to guess what already has an interface and what requires a custom personal-files one.

Anyway, the juju snap appears to use ssh-keys. Will give it a try with that one and see if it’s sufficient.

Thanks for the tip!

ogra · January 26, 2023, 3:33pm

to find existing interfaces, there is an overview at:

ppasotti · January 26, 2023, 3:43pm

yeah I was aware of that. The question is more: my snap needs (read/write?) access to /this/path. Is there an interface that provides it? How do I find that interface?

ogra · January 26, 2023, 3:51pm

ah, there are two ways:

you simply install the snappy-debug snap and run it alongside of your app, it will print interface suggestions for all DENIED messages that appear when your app tries to access the dirs …

…or you could clone the snapd source and grep through the interfaces/builtin directory, permitted filesystem locations are usually explicitly mentioned in the code or at least have a regex that starts with the toplevel dir:

ppasotti · January 31, 2023, 10:49am

Come to think of it, it would be handy if this interface were autoconnect-enabled. Does it qualify?

alexmurray · February 22, 2023, 6:08am

Yes it is possible to get a store declaration to auto-connect ssh-keys - can you please provide some justification on why this is needed and in particular why auto-connect is appropriate?

ppasotti · March 3, 2023, 8:50am

It seems to be what people expect:

alexmurray · March 8, 2023, 12:41pm

So from the linked thread I can only see one user suggesting this - I wonder if it would be possible that when trying to use jhack for ssh, whether jhack could first detect if ssh-keys is connected via snapctl is-connected ssh-keys and if not then it could ask the user if they wish to connect it first?

pfsmorigo · March 16, 2023, 8:11pm

@ppasotti - ping, can you please provide the requested information?

ppasotti · March 17, 2023, 8:19am

Ah, sorry, missed the notification. So what @alexmurray suggests could ‘work’, but

it complicates the implementation
jhack wraps effectively the local juju client, so the reasonable expectation is that it has all access that the juju snap has. Seeing juju ssh work, but jhack-generated ‘juju ssh’ commands fail is unexpected. Forcing users to go through one more step to provide that access seems unnecessary.