Run ssh and ssh-keygen as fake root

We can't always resolve the current user in the sandbox which ssh insists on being able to do so let's become root which is always resolvable.
systemd · Dec 20, 2024 · 8c2c571 · 8c2c571
1 parent 3d9dddf
commit 8c2c571
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/mkosi/qemu.py b/mkosi/qemu.py
@@ -860,8 +860,9 @@ def finalize_credentials(config: Config) -> dict[str, str]:
                 ["ssh-keygen", "-f", "/dev/stdin", "-i", "-m", "PKCS8"],
                 input=pubkey,
                 stdout=subprocess.PIPE,
-                # ssh-keygen needs to be able to resolve the current user.
-                sandbox=config.sandbox(options=["--ro-bind", "/etc", "/etc", "--ro-bind", "/run", "/run"]),
+                # ssh-keygen insists on being able to resolve the current user which doesn't always work
+                # (think sssd or similar) so let's switch to root which is always resolvable.
+                sandbox=config.sandbox(options=["--become-root"]),
             ).stdout.strip()
             creds["ssh.authorized_keys.root"] = sshpubkey
         elif config.ssh:
@@ -1459,6 +1460,8 @@ def run_ssh(args: Args, config: Config) -> None:
             network=True,
             devices=True,
             relaxed=True,
-            options=["--same-dir"],
+            # ssh insists on being able to resolve the current user which doesn't always work (think sssd or
+            # similar) so let's switch to root which is always resolvable.
+            options=["--same-dir", "--become-root"],
         ),
     )