From: Daan De Meyer Date: Mon, 20 Mar 2023 16:33:15 +0000 (+0100) Subject: SSH fixes X-Git-Tag: v15~285^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1401%2Fhead;p=thirdparty%2Fmkosi.git SSH fixes - Disable UsePAM to avoid a slow reverse DNS lookup - Pass environ when runnning ssh to pass SSH_AUTH_SOCK - Don't use a random CID, instead hash the machine name and take the first 4 bytes as the CID - Pull in sshd-keygen.target so the ssh key gets generated on boot. --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 5281f2761..bf59d26ea 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -14,7 +14,6 @@ import itertools import json import os import platform -import random import re import resource import shlex @@ -2886,11 +2885,11 @@ def configure_ssh(state: MkosiState) -> None: [Unit] Description=Mkosi SSH Server VSock Socket ConditionVirtualization=!container + Wants=sshd-keygen.target [Socket] ListenStream=vsock::22 Accept=yes - Service=ssh@.service [Install] WantedBy=sockets.target @@ -2903,9 +2902,12 @@ def configure_ssh(state: MkosiState) -> None: """\ [Unit] Description=Mkosi SSH Server + After=sshd-keygen.target [Service] - ExecStart=sshd -i + # We disable PAM because of an openssh-server bug where it sets PAM_RHOST=UNKNOWN when -i is used + # causing a very slow reverse DNS lookup by pam. + ExecStart=sshd -i -o UsePAM=no StandardInput=socket RuntimeDirectoryPreserve=yes """ @@ -3350,6 +3352,10 @@ def machine_name(config: MkosiConfig) -> str: return config.hostname or config.image_id or config.output.with_suffix("").name.partition("_")[0] +def machine_cid(config: MkosiConfig) -> int: + cid = int.from_bytes(hashlib.sha256(machine_name(config).encode()).digest()[:4], byteorder='little') + # Make sure we don't return any of the well-known CIDs. + return max(3, min(cid, 0xFFFFFFFF - 1)) def nspawn_knows_arg(arg: str) -> bool: 
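Review bot: `Wants=sshd-keygen.target` in the socket's [Unit] section is a soft dependency, so on an image whose openssh packaging does not ship that target the socket still starts and each per-connection `sshd -i` instance only fails later, when no host key is found. That may be acceptable, but it deserves a comment in the unit text so the next reader does not assume key generation is guaranteed, e.g. `# Soft dependency: generates host keys on distributions that provide sshd-keygen.target.` Dropping `Service=ssh@.service` also means the socket now activates the template unit derived from its own name; the socket's file name is not in the hunk, so I could not confirm that the service unit written in the next hunk is the one it will instantiate.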
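Review bot: The new comment above `ExecStart=sshd -i -o UsePAM=no` explains the reverse-DNS problem but not what the workaround gives up: with `UsePAM=no` sshd does not run the PAM account and session stacks, so ssh logins into the VM get no logind session (pam_systemd) and no pam_limits/pam_env processing, and any PAM-side account restrictions are bypassed. For a throwaway development VM that is a reasonable trade, but it should be stated alongside the reason, and the upstream report should be referenced so the option can be dropped once it is fixed: `# Side effect: no PAM account/session stack, hence no logind session for ssh logins. Upstream bug: <link-to-openssh-bug>` (placeholder to be filled in with the actual report).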
@@ -3585,7 +3591,7 @@ def run_qemu(config: MkosiConfig) -> None: try: os.open("/dev/vhost-vsock", os.R_OK|os.W_OK) - cmdline += ["-device", f"vhost-vsock-pci,guest-cid={random.randrange(100, 0xFFFFFFFF)}"] + cmdline += ["-device", f"vhost-vsock-pci,guest-cid={machine_cid(config)}"] except OSError as e: if e.errno == errno.ENOENT: warn("/dev/vhost-vsock not found. Not adding a vsock device to the virtual machine.") @@ -3682,13 +3688,13 @@ def run_ssh(config: MkosiConfig) -> None: "-o", "UserKnownHostsFile=/dev/null", "-o", "StrictHostKeyChecking=no", "-o", "LogLevel=ERROR", - "-o", "ProxyCommand=socat - VSOCK-CONNECT:3:%p", + "-o", f"ProxyCommand=socat - VSOCK-CONNECT:{machine_cid(config)}:%p", "root@mkosi", ] cmd += config.cmdline - run(cmd) + run(cmd, env=os.environ) def run_serve(config: MkosiConfig) -> None:
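Review bot: Replacing the random guest-cid with `machine_cid(config)` makes the CID deterministic, so two VMs whose machine names hash to the same 32-bit prefix — and in particular two instances of the same image booted concurrently — now contend for one CID, and QEMU should refuse to start the second with the CID already in use, where the old `random.randrange` almost always produced a fresh value. The hunk that adds `machine_cid` (its tail appears cut off on this page) should say so in its comment, and the clamp could name what it avoids: `# 0-2 are reserved (hypervisor, local, host) and 0xFFFFFFFF is VMADDR_CID_ANY; two VMs with the same name cannot run concurrently.` If concurrent boots of one image are meant to be supported, run_qemu here would need a collision fallback, e.g. retrying with a differently derived CID when QEMU reports the CID in use.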
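Review bot: The reason for `run(cmd, env=os.environ)` lives only in the commit message; in the code it reads like an accidental difference from the other `run()` calls, so add `# Pass the caller's environment through so ssh can use SSH_AUTH_SOCK (agent) and TERM.` Likewise the ProxyCommand now silently depends on the VM having been started from the same config, since `machine_cid(config)` must reproduce the guest-cid run_qemu() chose; a one-liner such as `# Must match the guest-cid run_qemu() derived from this config.` makes that coupling visible. The start of run_ssh's command list is outside the hunk.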