-
Pl
chevron_right
Maximiliano Sandoval: SSH into GNOME OS running in a sandboxed Boxes VM
news.movim.eu / PlanetGnome • 11 hours ago • 2 minutes
We take advantage of loading systemd system credentials based on smbios type 11 strings and QEMU’s vsock feature . Here is the list of recognized system credentials.
The important bit passing down the following argument to
qemu
$ qemu-system-x86_64
# ...
-device vhost-vsock-pci,guest-cid=$cid \
-smbios type=11,value=io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_key
libvirt allows setting smbios11 as
<oemStrings>
and defining
virtual sockets
.
Under GNOME boxes, go to the VM configuration. The important bit is setting a
smbios
under
os
, adding a
vsock
device and the
sysinfo
domain. E.g.
<domain type="kvm">
<!-- ... other domains -->
<os firmware="efi">
<!-- ... other os info -->
<smbios mode="sysinfo"/>
</os>
<sysinfo type='smbios'>
<oemStrings>
<entry>io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_key</entry>
</oemStrings>
</sysinfo>
<devices>
<!-- ... other devices -->
<vsock model="virtio">
<cid auto="no" address="$cid"/>
</vsock>
</devices>
</domain>
Here
$cid
needs to be replaced by a numerical value bigger than 2 and
$base64_ssh_key
is the base64-encoded public SSH key, we use
$cid=3
here. One can encode a public SSH key via
<~/.ssh/id_ed25519.pub base64 -w0
Ensure you can decode it back before proceeding!!
echo -n "output from above" | base64 -d
Then inside of the VM, verify the smbios 11 key is visible,
$ run0 systemd-analyze smbios11
io.systemd.credential.binary:ssh.ephemeral-authorized_keys-all=$base64_ssh_key…
1 SMBIOS Type #11 strings passed.
on the guest’s journal one should see:
$ run0 journalctl -b -g 'ssh.ephemeral-authorized_keys-all'
Jun 18 00:11:06 gnomeos-11e6-75db systemd[1]: Received regular credentials: ssh.ephemeral-authorized_keys-all
and one can verify it via:
$ run0 systemd-creds --system list
NAME SECURE SIZE PATH
ssh.ephemeral-authorized_keys-all secure 97B /run/credentials/@system/ssh.ephemeral-authorized_keys-all
$ systemd-creds --system cat ssh.ephemeral-authorized_keys-all
Now that everything is set, and the
sshd
service is running inside the VM:
systemctl enable --now sshd.service
one can ssh into the VM via:
ssh $user@vsock/$cid
where
$user
is the username inside of the VM and
$cid
as above, in my example:
ssh msandova@vsock/3
This requires systemd-ssh-proxy on the host, should be included in v257 or newer.
Note that
scp
has a slightly different syntax, e.g.
scp $FILES msandova@vsock%3:$PATH