http://ananelson.com/s/

Configuring a VM for SSHing Out

In my previous post on running simulations in a VM, Simulations in the Cloud, I suggested using this syntax for fetching a secure remote bzr repository:

 bzr branch sftp://sshuser:sshpassword@example.com/path


I wasn’t all that happy with this, but it did work, at least at first. However, something has now been tightened up and this method no longer reads the SSH password from the command line. In any event, it wasn’t a great way to handle this.

Here is a better way: more robust and more general, because it uses an SSH key rather than your SSH password. I’m assuming you have a private WebDAV location. Note that unless you use https to connect to the WebDAV, nothing is encrypted on the wire: both your WebDAV credentials (sent as HTTP authentication) and the private key itself travel in cleartext, so this is not a highly secure method. You need to do your own risk analysis and decide for yourself whether this is appropriate for you. I’d suggest having a dedicated user account on the SSH server containing only the code and data needed for this technique, so that if this key were to be compromised it wouldn’t mean someone having access to everything. You can also limit what the key may do by putting options such as from= and command= in front of it in authorized_keys.

Here is a diagram showing the steps we need to take.

  1. Create a key pair, install the public key in authorized_keys. Move or copy the private key to your private WebDAV storage.
  2. When you create your VM, copy the private key to the .ssh directory.
  3. Now that you have SSH credentials, you can fetch your private code or data from the SSH server, either directly via scp or through an ssh-based protocol built in to your version control system (sftp:// in the case of bzr).

As in the previous post, you can store your WebDAV username and password in a .netrc file. Since it holds a password in the clear, make it readable only by your own user (chmod 0600):

cat <<EOF > ~/.netrc
machine dav.ananelson.com
login temp
password passw0rd
EOF


Then, assuming your private key is stored in this WebDAV, you can fetch it using cadaver, which reads its commands from standard input and saves the file in the current directory. Move the key into a .ssh directory that only you can read; ssh will refuse to use a key that other users can read:

echo "get id_rsa" | cadaver http://dav.ananelson.com/webdav
mkdir -p ~/.ssh/
chmod 0700 ~/.ssh/
mv id_rsa ~/.ssh/
chmod 0400 ~/.ssh/id_rsa


So, you have now installed your SSH credentials on your Virtual Machine. However, if you try to connect via SSH from a script now, it’ll probably fail because your server won’t be listed in the known_hosts file. The simplest way to fix this is to disable strict host key checking. Be aware of what that gives up: the VM will then accept any host key, so anyone who can intercept the connection can impersonate your server and hand you a tampered repository. Public-key authentication does not reveal your private key to such an impostor, but the safer fix is to copy the server’s known_hosts line to the VM before you connect (from /etc/ssh/ssh_host_*_key.pub on the server, or from a workstation that already trusts it) and leave strict checking on.

cat <<EOF > ~/.ssh/config
StrictHostKeyChecking no
EOF


Now, a call like this should work:

bzr branch sftp://sshuser@example.com/path/to/bzr-repos/simcode
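As an added example (not code from the original post), here are the provisioning steps above written as POSIX shell functions with the two changes a reviewer would ask for: owner-only permissions on every file that holds a credential, and a pinned host key so that strict checking can stay on. The cadaver download is not repeated; a placeholder file stands in for the fetched key. The host name example.com, the user sshuser, the WebDAV host dav.example.com and the host key data are constructed, and the demonstration runs in a scratch directory rather than your real ~/.ssh.

```sh
#!/bin/sh
# Added example, not code from the original post. Host names, user name and
# host key data below are constructed placeholders.
set -e

# All files go under $SSH_DIR so the demo can use a scratch directory
# instead of the real ~/.ssh.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# write_netrc MACHINE LOGIN PASSWORD FILE: cadaver credentials, owner-only.
# A world-readable .netrc hands the WebDAV password to every local user.
write_netrc() {
    ( umask 077; printf 'machine %s\nlogin %s\npassword %s\n' "$1" "$2" "$3" > "$4" )
    chmod 0600 "$4"
}

# install_private_key KEYFILE: move the fetched key into $SSH_DIR with the
# modes ssh insists on (it refuses a key that other users can read).
install_private_key() {
    mkdir -p "$SSH_DIR"
    chmod 0700 "$SSH_DIR"
    mv "$1" "$SSH_DIR/id_rsa"
    chmod 0400 "$SSH_DIR/id_rsa"
}

# host_key_pinned HOST: exit 0 if known_hosts already has an entry for HOST.
host_key_pinned() {
    grep -q "^$1 " "$SSH_DIR/known_hosts" 2>/dev/null
}

# pin_host_key HOST KEYTYPE KEYDATA: record the server's public host key.
# Take the line from /etc/ssh/ssh_host_*_key.pub on the server, or from a
# workstation that already trusts it (ssh-keygen -F HOST), and ship it the
# same way as the private key; never fetch it over the link you distrust.
pin_host_key() {
    mkdir -p "$SSH_DIR"
    host_key_pinned "$1" || printf '%s %s %s\n' "$1" "$2" "$3" >> "$SSH_DIR/known_hosts"
    chmod 0600 "$SSH_DIR/known_hosts"
}

# write_ssh_config HOST USER: explicit per-host settings. Strict checking
# stays on, so a host whose key is not pinned fails instead of being trusted;
# BatchMode makes ssh fail fast in a script rather than prompt.
write_ssh_config() {
    {
        printf 'Host %s\n' "$1"
        printf '    User %s\n' "$2"
        printf '    IdentityFile %s/id_rsa\n' "$SSH_DIR"
        printf '    IdentitiesOnly yes\n'
        printf '    StrictHostKeyChecking yes\n'
        printf '    UserKnownHostsFile %s/known_hosts\n' "$SSH_DIR"
        printf '    BatchMode yes\n'
    } > "$SSH_DIR/config"
    chmod 0600 "$SSH_DIR/config"
}

# Demonstration in a scratch directory (touches nothing under $HOME).
DEMO="$(mktemp -d)"
SSH_DIR="$DEMO/ssh"
write_netrc dav.example.com temp passw0rd "$DEMO/netrc"
printf 'PLACEHOLDER, NOT A REAL KEY\n' > "$DEMO/id_rsa"   # stands in for the file cadaver fetched
install_private_key "$DEMO/id_rsa"
pin_host_key example.com ssh-ed25519 AAAAPLACEHOLDERHOSTKEYDATA
write_ssh_config example.com sshuser
cat "$SSH_DIR/config"
```

In the real provisioning script the cadaver call stays as it is; hand its output to install_private_key, and pin the host key line you collected out of band before the first bzr branch. If you have no such line, ssh-keyscan is the fallback, but it only records whatever answered on that first connection, which is the same trust-on-first-use gamble as StrictHostKeyChecking no, just made once instead of every time.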


Here is the whole script. You may notice that I’ve added a run-models.sh script; this is to make it easier to run models interactively if you wish to after the config script has run.

cat $0

printf "=================================================="
printf "\nOutput from running above script:\n\n\n"

# Upgrade the system and install developer tools.
pacman --noconfirm -Sy pacman
pacman --noconfirm -Syu
pacman --noconfirm -Sy base-devel 

# Install cadaver for WebDAV.
pacman --noconfirm -Sy cadaver

### @export "netrc"
cat <<EOF > ~/.netrc
machine dav.ananelson.com
login temp
password passw0rd
EOF
### @end

# Install language and language packaging system.
pacman --noconfirm -Sy python

curl -O http://pypi.python.org/packages/2.6/s/setuptools/setuptools-0.6c11-py2.6.egg
bash setuptools-0.6c11-py2.6.egg

# Install bazaar.
easy_install pyrex
easy_install bzr
easy_install paramiko

### @export "fetch-private-key"
echo "get id_rsa" | cadaver http://dav.ananelson.com/webdav
mkdir -p ~/.ssh/
chmod 0700 ~/.ssh/
mv id_rsa ~/.ssh/
chmod 0400 ~/.ssh/id_rsa

### @export "disable-strict"
cat <<EOF > ~/.ssh/config
StrictHostKeyChecking no
EOF

### @export "fetch-repo"
bzr branch sftp://sshuser@example.com/path/to/bzr-repos/simcode
### @end

# cadaver saves the file into the current directory, so run it from there.
# The name must match the file stored in WebDAV (run-models.sh, as above).
echo "get run-models.sh" | cadaver http://dav.ananelson.com/webdav
bash ./run-models.sh