Configuring a VM for SSHing Out
In my previous post on running simulations in a VM, Simulations in the Cloud, I suggested using this syntax for fetching a secure remote bzr repository:

```sh
bzr branch sftp://sshuser:firstname.lastname@example.org/path
```
I wasn’t all that happy with this, but it did work, at least at first. However, now something has been tightened up and this method does not read the ssh password from the command. In any event, it wasn’t a great way to handle this.
Here is a better way: more robust and more general. It uses SSH keys rather than your SSH password. I'm assuming you have a private WebDAV location. Note that unless you use https to connect to the WebDAV, your information won't be encrypted, so this is not a highly secure method. You need to do your own risk analysis and decide for yourself whether this is appropriate for you. I'd suggest having a dedicated user account containing only the code and data needed for this technique, so that if that account were compromised it wouldn't mean someone having access to everything.
Here is a diagram showing the steps we need to take, in outline:
- Create a key pair, install the public key in authorized_keys. Move or copy the private key to your private WebDAV storage.
- When you create your VM, copy the private key to the .ssh directory.
- Now that you have SSH credentials, you can fetch your private code or data from the SSH server. You could do this directly via scp, or by using an ssh-based protocol built into your version control system.
As in the previous post, you can store your WebDAV username and password in a ~/.netrc file:

```sh
cat <<EOF > ~/.netrc
machine dav.ananelson.com login temp password passw0rd
EOF
# The file holds a password, so keep it readable by this user only.
chmod 0600 ~/.netrc
```
Then, assuming your private key is stored in this WebDAV, you can fetch it using:

```sh
# cadaver reads the credentials from ~/.netrc and saves id_rsa in the current directory.
echo "get id_rsa" | cadaver http://dav.ananelson.com/webdav
# ssh refuses a private key that is readable by anyone else.
chmod 0400 id_rsa
mkdir -p ~/.ssh/
chmod 0700 ~/.ssh/
mv id_rsa ~/.ssh/
```
So, you have now installed your SSH credentials on your Virtual Machine. However, if you try to connect via SSH in a script now, it'll probably fail because your server won't be listed in the known hosts file. The simplest way to fix this is to disable strict host key checking.

```sh
cat <<EOF > ~/.ssh/config
StrictHostKeyChecking no
EOF
```
Now, a call like this should work:

```sh
bzr branch sftp://email@example.com/path/to/bzr-repos/simcode
```
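Disabling strict host key checking means the VM will accept whatever host key the server presents, so an attacker on the path could impersonate the server and receive the VM's SSH traffic. The alternative below is an added example, not part of the original post: it installs the downloaded key with the right permissions and pins the server's host key in known_hosts, keeping StrictHostKeyChecking on. It assumes the server's public host key was recorded once from a trusted machine and stored on the WebDAV next to id_rsa; the hostname and key material in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: install the fetched private key and pin the server host key,
# instead of writing "StrictHostKeyChecking no".
set -eu

# install_ssh_creds KEYFILE HOSTKEY_LINE [SSH_DIR]
#   KEYFILE      private key just downloaded (e.g. ./id_rsa)
#   HOSTKEY_LINE one known_hosts line: "hostname keytype base64key"
#   SSH_DIR      defaults to $HOME/.ssh
install_ssh_creds() {
    keyfile=$1
    hostkey_line=$2
    ssh_dir=${3:-"$HOME/.ssh"}
    host=$(printf '%s' "$hostkey_line" | cut -d' ' -f1)

    # ssh rejects group/world-readable keys and config, so set modes explicitly.
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    mv "$keyfile" "$ssh_dir/id_rsa"
    chmod 0400 "$ssh_dir/id_rsa"

    # Pin the server key: a different key on the wire becomes a hard error,
    # not a prompt (and not a silent accept).
    printf '%s\n' "$hostkey_line" >> "$ssh_dir/known_hosts"
    chmod 0600 "$ssh_dir/known_hosts"

    cat > "$ssh_dir/config" <<EOF
Host $host
    IdentityFile $ssh_dir/id_rsa
    UserKnownHostsFile $ssh_dir/known_hosts
    StrictHostKeyChecking yes
EOF
    chmod 0600 "$ssh_dir/config"
}

# Demo in a scratch directory with constructed data (no real key material).
demo_dir=$(mktemp -d)
printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL PRIVATE KEY\n' > "$demo_dir/id_rsa"
install_ssh_creds "$demo_dir/id_rsa" \
    "ssh.example.org ssh-ed25519 AAAAconstructedPlaceholderHostKeyNotReal" \
    "$demo_dir/ssh"
```

Once the VM has this config, an `ssh` or `bzr branch sftp://...` call to the pinned host works non-interactively, and any other host key causes the connection to fail loudly.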
Here is the whole script. You may notice that I've added a run-models.sh script; this makes it easier to run models interactively, if you wish to, after the config script has run.

```sh
cat $0
printf "=================================================="
printf "\nOutput from running above script:\n\n\n"

# Upgrade the system and install developer tools.
pacman --noconfirm -Sy pacman
pacman --noconfirm -Syu
pacman --noconfirm -Sy base-devel

# Install cadaver for WebDAV.
pacman --noconfirm -Sy cadaver

### @export "netrc"
cat <<EOF > ~/.netrc
machine dav.ananelson.com login temp password passw0rd
EOF
chmod 0600 ~/.netrc
### @end

# Install language and language packaging system.
pacman --noconfirm -Sy python
curl -O http://pypi.python.org/packages/2.6/s/setuptools/setuptools-0.6c11-py2.6.egg
bash setuptools-0.6c11-py2.6.egg

# Install bazaar.
easy_install pyrex
easy_install bzr
easy_install paramiko

### @export "fetch-private-key"
echo "get id_rsa" | cadaver http://dav.ananelson.com/webdav
chmod 0400 id_rsa
mkdir -p ~/.ssh/
chmod 0700 ~/.ssh/
mv id_rsa ~/.ssh/

### @export "disable-strict"
# Accepts whatever host key the server presents, so unknown hosts don't block the script.
cat <<EOF > ~/.ssh/config
StrictHostKeyChecking no
EOF

### @export "fetch-repo"
bzr branch sftp://firstname.lastname@example.org/path/to/bzr-repos/simcode
### @end

# Fetch the helper script (saved in the current directory by cadaver) and run it.
echo "get run-models.sh" | cadaver http://dav.ananelson.com/webdav
bash ./run-models.sh
```