From: Daan De Meyer Date: Fri, 20 Dec 2024 11:35:06 +0000 (+0100) Subject: Run ssh and ssh-keygen as fake root X-Git-Tag: v25~101^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3291%2Fhead;p=thirdparty%2Fmkosi.git Run ssh and ssh-keygen as fake root We can't always resolve the current user in the sandbox which ssh insists on being able to do so let's become root which is always resolvable.
---
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
index ea993e9b6..f17620bf8 100644
--- a/mkosi/qemu.py
+++ b/mkosi/qemu.py
@@ -860,8 +860,9 @@ def finalize_credentials(config: Config) -> dict[str, str]:
 ["ssh-keygen", "-f", "/dev/stdin", "-i", "-m", "PKCS8"],
 input=pubkey,
 stdout=subprocess.PIPE,
- # ssh-keygen needs to be able to resolve the current user.
- sandbox=config.sandbox(options=["--ro-bind", "/etc", "/etc", "--ro-bind", "/run", "/run"]),
+ # ssh-keygen insists on being able to resolve the current user which doesn't always work
+ # (think sssd or similar) so let's switch to root which is always resolvable.
+ sandbox=config.sandbox(options=["--become-root", "--ro-bind", "/etc/passwd", "/etc/passwd"]),
 ).stdout.strip()
 creds["ssh.authorized_keys.root"] = sshpubkey
 elif config.ssh:
@@ -1459,6 +1460,8 @@ def run_ssh(args: Args, config: Config) -> None:
 network=True,
 devices=True,
 relaxed=True,
- options=["--same-dir"],
+ # ssh insists on being able to resolve the current user which doesn't always work (think sssd or
+ # similar) so let's switch to root which is always resolvable.
+ options=["--same-dir", "--become-root"],
 ),
 )
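Review bot: The new comment on the `sandbox=` argument says root is always resolvable, but with only `/etc/passwd` bound that holds only when the host file exists and carries a uid 0 entry. The previous `/etc` and `/run` binds, which could have served other NSS sources, are gone, and the hunk shows no fallback. A reader auditing privilege would also want the comment to say that this is the "fake root" of the commit title (presumably a uid 0 mapping inside the sandbox, not real root), which applies equally to the `--become-root` added in run_ssh. Suggested addition: `# --become-root only makes us uid 0 inside the sandbox; root is looked up in the read-only host /etc/passwd, which must contain a uid 0 entry.` The enclosing call in finalize_credentials starts and ends outside the hunk.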
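Review bot: With `--become-root` in `options`, ssh runs as uid 0 inside the sandbox, and OpenSSH takes the home directory for its per-user files (`~/.ssh/config`, `known_hosts`, default identities) from that uid's passwd entry rather than from `$HOME`. Unlike the ssh-keygen hunk, no `/etc/passwd` bind is added here, so where root's entry comes from depends on what `relaxed=True` exposes, which is not visible in the hunk. The ssh command line is built outside the hunk, so it cannot be confirmed from here that the config, key and known-hosts paths are all passed explicitly. If they are, a line such as `# every ssh path is passed explicitly, so root's home directory is never consulted` after the new comment would record that assumption for the next maintainer.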