From f365cc0d217c895d1741c5cba8b03dd75064e33f Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Fri, 24 Mar 2017 15:17:12 -0300 Subject: Support for custom SSH keypair per virtual machine --- README.md | 1 - kvmx | 17 ++++++++++++++++- kvmx-create | 24 ++++++++++++++++++------ kvmxfile | 11 +++++++++++ 4 files changed, 45 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 21092a4..5410818 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,6 @@ If no folder is specified, the current folder is assumed as the project home. ## Further development -* Support for custom SSH keypair per virtual machine. * Remount shared folders and reinitialize spice-vdagent upon resume from disk. * More params (memory, cpus, ssh, serial console, additional shared folders, etc). * Integration with [image-bootstrap](https://github.com/hartwork/image-bootstrap). diff --git a/kvmx b/kvmx index 6f9c582..b9523aa 100755 --- a/kvmx +++ b/kvmx @@ -56,6 +56,11 @@ function __kvmx_set_app_base { fi } +# Build a SSH command +function __kvmx_ssh_command { + SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=FATAL -o ProxyCommand=none -i $1" +} + # Initialize function __kvmx_initialize { __kvmx_set_app_base @@ -118,7 +123,7 @@ function __kvmx_initialize { SSHKEY="$APP_BASE/share/ssh/insecure_private_key" fi - SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o LogLevel=FATAL -o ProxyCommand=none -i $SSHKEY" + __kvmx_ssh_command $SSHKEY mkdir -p $STATE_DIR @@ -181,6 +186,7 @@ function kvmx_up { if [ ! -z "$basebox" ]; then if [ -e "$GLOBAL_USER_CONFIG_FOLDER/$basebox" ]; then baseimage="`kvmx list_image $basebox`" + basekey="`basename $baseimage .img`.key" if [ ! -e "$baseimage" ]; then echo "$BASENAME: could not find basebox $baseimage. Please create it first." 
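Review bot: `__kvmx_ssh_command` now centralises `-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, so every SSH session kvmx opens accepts whatever host key the guest presents; the commit authenticates the client with per-VM keys but leaves the server side unverified. That was already the behaviour of the line this replaces, so it is not new, but a helper is the right place to say why: `# Host keys are deliberately not verified: guests are local, throwaway VMs whose host key changes on every recreate.` If a per-VM known_hosts file beside the new `<image>.key` is ever wanted, this function is the single place to pass `-o UserKnownHostsFile=<path>`. The key path in `-i $1` is embedded unquoted in a string that callers presumably word-split later, so a path with spaces would break here; fine for the default paths, but worth a comment.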
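Review bot: `basekey="`basename $baseimage .img`.key"` drops the directory, so it names `<box>.key` in the current working directory rather than next to the base image, which is where kvmx-create writes it (`dirname $image`/`basename $image .img`.key in the same commit); the `[ -e "$basekey" ]` test in the following hunk will then usually be false and kvmx silently falls back to the insecure key, which a custom-key basebox's `authorized_keys` no longer contains. Use `basekey="$(dirname "$baseimage")/$(basename "$baseimage" .img).key"`. `kvmx_up` continues past the end of this hunk.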
@@ -189,6 +195,15 @@ function kvmx_up { echo "Copying base image $baseimage to $image..." cp $baseimage $image + + if [ -e "$basekey" ]; then + imagekey="`basename $image .img`.key" + cp $basekey $imagekey + cp $basekey.pub $imagekey.pub + + # Re-evaluate this if there's a custom SSH key. + __kvmx_ssh_command $basekey + fi fi else kvmx-create $GLOBAL_USER_CONFIG_FOLDER/$VM diff --git a/kvmx-create b/kvmx-create index 31646eb..38405a3 100755 --- a/kvmx-create +++ b/kvmx-create @@ -94,7 +94,7 @@ function kvmx_sudo_run { # Make sure there is provision config. function kvmx_config { - kvmx_user_config image /var/cache/qemu/debian/box.img "Destination image" + kvmx_user_config image /var/cache/qemu/debian/box.img "Destination image (ending in .img)" kvmx_user_config size 3G "Image size" kvmx_user_config format qcow2 "Image format: raw or qcow2" kvmx_user_config method custom "Bootstrap method: custom or vmdeboostrap" 
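Review bot: `imagekey="`basename $image .img`.key"` has the same defect as `basekey`: `basename` yields a bare filename, so the copied private key and its `.pub` land in the current working directory instead of beside `$image`; use `imagekey="$(dirname "$image")/$(basename "$image" .img).key"`. The helper is then re-evaluated with `$basekey` rather than the fresh copy, so the new VM keeps depending on the basebox's key file; pass `__kvmx_ssh_command "$imagekey"` instead. Only this first-copy path re-evaluates `SSH_COMMAND`; on later `kvmx up` runs against an existing image, `__kvmx_initialize` appears to still choose the insecure default unless `SSHKEY` is set somewhere I cannot see from these hunks, which is worth confirming. `$basekey.pub` is also copied with no existence check, so a basebox with only a private key leaves the VM half-provisioned.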
@@ -241,11 +241,23 @@ function kvmx_create_custom { # Initial user kvmx_sudo_run chroot $WORK/ useradd user -G sudo -s /bin/bash - kvmx_sudo_run chroot $WORK/ mkdir -p /home/user/.ssh - kvmx_sudo_run chroot $WORK/ chmod 700 /home/user/.ssh - kvmx_sudo_run cp $DIRNAME/share/ssh/insecure_private_key.pub $WORK/home/user/.ssh/authorized_keys - kvmx_sudo_run chroot $WORK/ chmod 600 /home/user/.ssh/authorized_keys - kvmx_sudo_run touch $WORK/home/user/.hushlogin + + if [ "$ssh_support" == "y" ]; + if [ "$ssh_custom" == "y" ]; then + privkey="`dirname $image`/`basename $image .img`.key" + pubkey="${privkey}.pub" + ssh-keygen -t rsa -b 4096 -f $privkey -N '' -C "user@`basename $image .img`" + else + pubkey="$DIRNAME/share/ssh/insecure_private_key.pub" + fi + + kvmx_sudo_run chroot $WORK/ mkdir -p /home/user/.ssh + kvmx_sudo_run chroot $WORK/ chmod 700 /home/user/.ssh + kvmx_sudo_run cp $pubkey $WORK/home/user/.ssh/authorized_keys + kvmx_sudo_run chroot $WORK/ chmod 600 /home/user/.ssh/authorized_keys + kvmx_sudo_run touch $WORK/home/user/.hushlogin + fi + kvmx_sudo_run chroot $WORK/ chown -R user.user /home/user echo 'user:user' | kvmx_sudo_run chroot $WORK/ chpasswd diff --git a/kvmxfile b/kvmxfile index 99fad1d..631678d 100644 --- a/kvmxfile +++ b/kvmxfile @@ -49,5 +49,16 @@ version="stretch" # Debian mirror mirror="http://http.debian.net/debian/" +# Enables remote administration using SSH. With this configuration enabled, +# kvmx will be able to administer a running virtual machine using SSH access +# inside the virtual machine. ssh_support="y" + +# Use a custom, per-virtual-machine generated SSH keypair. If you disable this +# configuration but still want guest administration using SSH, the default +# insecure keypair will be used. +# +# Please note that this setting won't take effect if you're using a basebox. +# In that case the basebox keypair will be used if it exists, otherwise kvmx +# fallsback to the default insecure keypair. ssh_custom="y" -- cgit v1.2.3
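Review bot: `if [ "$ssh_support" == "y" ];` is missing its `then`, so bash treats the inner `if … fi` and everything after it as part of the outer condition list and the function fails to parse at its closing brace, which makes kvmx-create unusable as committed; the line must read `if [ "$ssh_support" == "y" ]; then`. The `ssh-keygen` call is also unchecked: if `dirname $image` is not writable by the invoking user (the default lives under `/var/cache/qemu` and only the `kvmx_sudo_run` steps are privileged), or `$privkey` already exists and ssh-keygen stops at its interactive overwrite prompt, the later `cp $pubkey` fails and the image is built without any `authorized_keys`, so the SSH administration this feature exists for cannot reach the guest. The `-N ''` passphrase means the per-VM private key sits unencrypted next to the image; that is the reasonable trade-off for unattended use, but it relies on the image directory not being world-readable and deserves a comment saying so. `.hushlogin` has also moved inside the `ssh_support` branch although it has nothing to do with SSH. The rewritten lines below add the missing `then`, skip generation when a key is already present and abort on keygen failure.

```shell
  if [ "$ssh_support" == "y" ]; then
    if [ "$ssh_custom" == "y" ]; then
      privkey="$(dirname "$image")/$(basename "$image" .img).key"
      pubkey="${privkey}.pub"
      # No passphrase on purpose (unattended use): the key is only as safe as
      # the directory holding the image, so keep that directory private.
      if [ ! -e "$privkey" ]; then
        ssh-keygen -t rsa -b 4096 -f "$privkey" -N '' \
          -C "user@$(basename "$image" .img)" || exit 1
      fi
      [ -r "$pubkey" ] || exit 1
    else
      pubkey="$DIRNAME/share/ssh/insecure_private_key.pub"
    fi
    # … unchanged: authorized_keys installation …
  fi
```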
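Review bot: The `ssh_custom` comment should tell the user where the generated key ends up and how it is protected, since that is what enabling it commits them to: `# The key is generated without a passphrase and stored next to the image as <image>.key and <image>.key.pub; keep that directory private.` "fallsback" should be "falls back". The `ssh_support` wording "using SSH access inside the virtual machine" is ambiguous about which side is being described; clearer is `# kvmx will be able to administer a running virtual machine over SSH, using the key selected by ssh_custom below.`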