[systemd-devel] systemd services via SSH (-H key)

Lennart Poettering lennart at poettering.net
Fri Oct 23 04:39:01 PDT 2015


On Fri, 23.10.15 14:24, Mantas Mikulėnas (grawity at gmail.com) wrote:

> Yeah, I was referring to UUCP, since it's the same kind of hop-by-hop
> source-routing.
> 
> (Admittedly, ":" was used the same way in Berknet...)
> 
> Though, wouldn't containers just run sshd themselves? Or is this mostly for
> very-lightweight things?

I don't see why they would. The whole concept of "machinectl shell"
and "machinectl login" exists to make it unnecessary to make every
container world-accessible via SSH but still provide a nice, safe and
correct way to get a shell in them (i.e. one that is actually a proper
login shell with PAM, utmp and all that crap, instead of just an
nsenter thing).

In general, doing SSH not only means running another world-accessible
server, but in most cases also picking a good password for root (or
some other local user), as ssh is probably more often used with
passwords than with keys I figure, still. By avoiding direct ssh when
accessing local containers and sticking to "machinectl shell" we can
sidestep the issue, as we can simply take benefit of the fact that the
container's host is always more trusted than the container itself...

What's missing of course here too is that this works:

       machinectl shell foo:bar

and so on, to directly get a shell in container "bar" that lives
inside container "foo"...

But well, given that stacking containers is generally questionable
this is not a high priority to support...

Lennart

-- 
Lennart Poettering, Red Hat