CODEWITHSUNDEEP
ignitionfedora-coreos
tukusejssirs
tukusejssirs

Reputation: 854

How to make local password authentication work on Fedora CoreOS?

What I want

  1. I have to be able to log in via password as any user (root or other users) when I access the machine locally (either accessing the computer physically/KVM, or via hypervisor console in case of a VM).
  2. When accessing the machine via SSH, only pubkey access should be allowed only for non-root users (root log in via SSH should be disabled).

Problem definition

After configuring Fedora CoreOS via Ignition, I bring the machine up in VirtualBox (used for testing purposes only), however:

What have I tried

I have created a script that I used for development. Do you see anything wrong with it? :pray:

Here is the official FCOS documentation regarding password authentication configuration.

#!/usr/bin/env bash

# Dependencies:
# - Docker;
# - VirtualBox;
# - GNU `grep`;
# - GNU `sed`;
# - `coreutils` (for `basename`, `cat`, `chmod`, `dirname`, `mkdir`, `realpath`);
# - `curl`;
# - `iproute` (for `ip` command);
# - `openssh`;
# - `openssh-client`.


# Constants
docker_project_name='fcos_ign_server'
nginx_port=8888
non_root_user_pass='testpassword'
non_root_username='testuser'
root_pass='rootpassword'
ssh_port=3333
vm_name='fcos'

# Variables
root_path="$(realpath "$(dirname "$0")")/$vm_name"
fedora_coreos_image_url='https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/38.20230709.3.0/x86_64/fedora-coreos-38.20230709.3.0-virtualbox.x86_64.ova'
fedora_coreos_image_basename="$(basename "$fedora_coreos_image_url")"
fedora_coreos_image_path="$root_path/$fedora_coreos_image_basename"
bu_path="$root_path/config.bu"
compose_path="$root_path/compose.yml"
host_ip_address="$(ip a show wlp0s20f3 | grep -Po 'inet \K[^/]+')"
ign_path="$root_path/config.ign"
nginx_config="$root_path/nginx.conf"
ssh_private_key_path="$HOME/.ssh/$non_root_username@${vm_name}_$USER@$HOSTNAME"

# Make sure the config folder exists
mkdir -p "$root_path"

# Download Fedora CoreOS for VirtualBox
if [ ! -e "$fedora_coreos_image_path" ]; then
  curl -o "$fedora_coreos_image_path" "$fedora_coreos_image_url"
fi

# Hash the passwords
# Note: I have tried generating a password hash using `yescrypt` and without it.
# root_pass_hash="$(docker run --rm quay.io/coreos/mkpasswd -sm yescrypt <<< "$root_pass")"
# non_root_pass_hash="$(docker run --rm quay.io/coreos/mkpasswd -sm yescrypt <<< "$non_root_user_pass")"
root_pass_hash="$(docker run --rm quay.io/coreos/mkpasswd -s <<< "$root_pass")"
non_root_pass_hash="$(docker run --rm quay.io/coreos/mkpasswd -s <<< "$non_root_user_pass")"

# Generate a new SSH key pair
if [ ! -f "$ssh_private_key_path" ]; then
  ssh-keygen -t ed25519 -a 100 -P '' -f "$ssh_private_key_path"
  chmod 600 "$ssh_private_key_path"
fi

# Create a Butan config
cat << EOF > "$bu_path"
variant: fcos
version: 1.4.0
passwd:
  users:
    - name: $non_root_username
      groups:
        - docker
        - systemd-journal
        - sudo
      password_hash: $non_root_pass_hash
      ssh_authorized_keys:
        - $(cat "${ssh_private_key_path}.pub")
    - name: root
      password_hash: $root_pass_hash
storage:
  disks:
  - device: /dev/disk/by-id/coreos-boot-disk
    wipe_table: false
    partitions:
    - number: 4
      label: root
      # Allocate at least 8 GiB to the rootfs. See NOTE above about this.
      size_mib: 8192
      resize: true
    - size_mib: 0
      # We assign a descriptive label to the partition. This is important
      # for referring to it in a device-agnostic way in other parts of the
      # configuration.
      label: controlserver
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: controlserver
  filesystems:
    - path: /var/controlserver
      device: /dev/disk/by-partlabel/controlserver
      # We can select the filesystem we'd like.
      format: ext4
      with_mount_unit: true
EOF

# Convert the Butane config to Ignition
docker run -i --rm quay.io/coreos/butane:release --strict < "$bu_path" > "$ign_path"

# Create slim Butane config
cat << EOF > "$(dirname "$bu_path")/slim_$(basename "$bu_path")"
variant: fcos
version: 1.4.0
ignition:
  config:
    replace:
      source: http://$host_ip_address:$nginx_port/config.ign
EOF

# Convert the slim Butane config to Ignition
docker run -i --rm quay.io/coreos/butane:release --strict < "$(dirname "$bu_path")/slim_$(basename "$bu_path")" > "$(dirname "$ign_path")/slim_$(basename "$ign_path")"

# Create Nginx config
cat << EOF > "$nginx_config"
server {
  listen $nginx_port;
  server_name _;

  location / {
    root /srv;
    # Activate the next line if you want to list files
    autoindex on;
  }
}
EOF

# Create Docker Compose file
cat << EOF > "$compose_path"
version: '3.8'

services:
  server:
    image: nginx:alpine
    restart: always
    ports:
      - 0.0.0.0:$nginx_port:$nginx_port
    volumes:
      - ./config.ign:/srv/config.ign:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf
EOF

# Create an Nginx proxy server to host the slim Ignition config
docker compose -f "$compose_path" -p "$docker_project_name" up -d

# Stop the VM
VBoxManage controlvm "$vm_name" poweroff

# Remove the VM
VBoxManage unregistervm "$vm_name" --delete

# Remove the VM from SSH `known_hosts`
sed -i "/^\[localhost\]:$ssh_port/d" ~/.ssh/known_hosts

# Import the image into VirtualBox
VBoxManage import --vsys 0 --vmname "$vm_name" "$fedora_coreos_image_path"

# Set Ignition config as VB variable
VBoxManage guestproperty set "$vm_name" /Ignition/Config "$(cat "$(dirname "$ign_path")/slim_$(basename "$ign_path")")"

# Allow SSH connection to the VM
VBoxManage modifyvm "$vm_name" --natpf1 "guestssh,tcp,,$ssh_port,,22"

# Start the VM
VBoxHeadless -startvm "$vm_name" &> /dev/null & disown

# Connect to the VM via SSH
ssh -p "$ssh_port" -i "$ssh_private_key_path" "$non_root_username@localhost"

Upvotes: 1

Views: 632

Answers (0)

Related Questions