Ubuntu core image with pre configured login

Hi, I was wondering if building my own image would also let me skip the configuration phase of Ubuntu Core. This post says it should work.

When I try to SSH into the device with my image, though, I get a password prompt. Is there a way to skip the configuration phase from an image created via ubuntu-image?

Using:

  • model: ubuntu-core-18-pi-arm64
  • kernel: pi-kernel=18-pi
  • gadget: pi=18-pi

Slightly related question: can you also define some snap connections to be made in the image model?

With a recent version of ubuntu-image, you can use the --disable-console-conf option to turn off console-conf which then means the prompt to create a user is disabled and the device will not allow new users to be created.

If you still want to seed your own user into the image, you can create a system-user assertion for this task. See https://core.docs.ubuntu.com/en/guides/manage-devices/

Not yet, but that is something we are exploring.

Hey, thanks for the answers.

From what I read, the closest you can get to automation is having a USB stick with auto-import.assert that will set up a system user, right?

Yep. A USB stick, or some other block device that shows up in /sys/block/$dev with removable set to 1.

The assertions in the auto-import.assert file need to either be signed by the same key as the model definition, or a key defined in the system-user-authority list from the model definition.

If you have a brand store you can also use an “agent” or “config” snap that uses the snapd-control interface … that snap can then talk to the snapd API and create users via POST requests:

https://forum.snapcraft.io/#heading--users

So, I tried out the USB stick, and it seemed to have worked, as on the screen it says to login: ssh my-name@ip

But when I try that, I get a password prompt, while I only added my ssh-key when running make-system-user.

Was the ssh public key part of the assertion you loaded?

Here’s a system-user assertion I used for something I was testing:

As it only includes a password, the created account only supports password authentication. If it also included a ssh-keys section, then it would also support ssh public key auth.

Hi james,

It generated a whole lot more for me, 3 types: “account”, “account-key”, and “system-user”.

Under system-user type, there is my ssh key: (edit, found out I had to use single quotes, didn’t help though).

ssh-keys:
  - ssh-rsa AAAAB3NzaC......== bart@laptop

No password to be found.

In your model assertion for the device, what is the system-user-authority key set to ?

Both authority-id and brand-id are set to my account id (as per "The simplest case" in https://core.docs.ubuntu.com/en/guides/manage-devices), I don’t have system-user-authority set.

Try setting system-user-authority to your account ID

Well, that did the trick =]

Didn’t think that’d be necessary, is that a fault in the docs, or a bug in the system to set the system user?

The extra assertions are fine. They shouldn’t be necessary if you’re signing the system-user assertion with the same key as the model assertion, but it shouldn’t hurt to include them.

If the account is correctly being created, perhaps try including a password in your assertion, and then see what gets placed in ~/.ssh/authorized_keys when you log in as the user?

I didn’t need to set system-user-authority for the model in my testing when using the same authority/key for both assertions. That shouldn’t be necessary.

The system-user-authority when not specified defaults to the brand-id IIUC, so it is possible that it’s not necessary here, but it seems to have made it work for @bart …

If I do both, the ssh key is not even added to auto-import.assert. I guess I could have a look at .ssh/authorized by taking out the sd card (doing this on raspi) after it has made the system user with ssh key, and reading it at my laptop.

Well well well, it just worked this time…
Maybe it was my fault with the quotes around the ssh-key, and that I didn’t actually put the correct version on the USB stick or so?

Anyway, thanks a lot for all the help!

Hi, I always set system-user-authority to ‘*’ when creating an image.

Is it necessary to add my ID under it? Or can I leave it as ‘*’?

Is there a security issue if I leave it as ‘*’?

As described in the Ubuntu Core docs, configuring a device with system-user-authority: * means anyone with a Snap developer account can sign system-user assertions that will be accepted by the device.

In practice that means if I’ve got physical access to the device, I’ll be able to add a system user to the system by plugging in a USB thumb drive or similar. This might be desirable if the device owner is the only one with physical access and is different from whoever signed the model definition. If that’s not the case, you probably want to limit who can create users.
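The acceptance rule discussed in this thread, as an added example that is not part of any post and is not snapd's own code: it parses the headers of a model and a system-user assertion and reports whether the signer would be accepted and whether the account would be password-only. All assertion text is constructed sample data, and treating an explicit system-user-authority list as exact is an assumption; snapd performs further checks (signatures, validity dates) that are not modelled here.

```python
# Added example. All assertion text below is constructed sample data
# (account IDs, key and password hash are placeholders).
MODEL_STRICT = """type: model
authority-id: acct-brand
brand-id: acct-brand
model: ubuntu-core-18-pi-arm64
"""
MODEL_OPEN = MODEL_STRICT + "system-user-authority: *\n"
USER_KEY = """type: system-user
authority-id: acct-brand
brand-id: acct-brand
username: my-name
ssh-keys:
  - ssh-rsa AAAAB3Nza...placeholder bart@laptop
"""
USER_PW = """type: system-user
authority-id: acct-other
brand-id: acct-brand
username: my-name
password: $6$placeholder$hash
"""

def parse_headers(text):
    """Parse assertion headers (everything before the first blank line)."""
    headers, key = {}, None
    for line in text.split("\n\n", 1)[0].splitlines():
        if line.startswith("  - ") and isinstance(headers.get(key), list):
            headers[key].append(line[4:].strip())
        elif ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            headers[key] = value if value else []
    return headers

def accepted_signers(model):
    """None means any account; otherwise the set of accepted account IDs."""
    auth = model.get("system-user-authority")
    if auth is None:              # header absent: defaults to the brand
        return {model["brand-id"]}
    if auth == "*":
        return None
    return set(auth)              # assumption: an explicit list is used as-is

def audit(model_text, user_text):
    model, user = parse_headers(model_text), parse_headers(user_text)
    findings, signers = [], accepted_signers(model)
    if signers is None:
        findings.append("model accepts system-user assertions from any account")
    elif user["authority-id"] not in signers:
        findings.append("signer not accepted: " + user["authority-id"])
    if not user.get("ssh-keys"):
        findings.append("no ssh-keys header: password-only login")
    return findings
```
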

Hi @jamesh,

I will be adding system users through the snapd REST API, where I just provide the email address. So if I add my id under system-user-authority, only my email id will be able to create a system user, right?

But when you plug in the USB drive with the system user assertion, does it automatically create the system user?

Or does there need to be an application which can take this file from the usb to create the system user?