GNU bug report logs -
#27837
[PATCH 0/1] SSH service supports the definition of authorized keys
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Wed, 26 Jul 2017 13:12:02 UTC
Severity: normal
Tags: patch
Done: ludo <at> gnu.org (Ludovic Courtès)
Report forwarded to guix-patches <at> gnu.org: bug#27837; Package guix-patches. (Wed, 26 Jul 2017 13:12:02 GMT)
Acknowledgement sent to Ludovic Courtès <ludo <at> gnu.org>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Wed, 26 Jul 2017 13:12:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Hello!
This patch adds an 'authorized-keys' field to 'openssh-configuration',
which allows users to define per-user authorized keys.
There are some shenanigans due to the fact that 'sshd' ignores
authorized key files that are more than owner-writable, or that have a
parent directory that is more than owner-writable. Since /gnu/store is
group-writable (for "guixbuild"), we have to copy the authorized-key
directory to /etc/ssh and set the right permissions there.
Eventually, I'd like to make 'openssh-service-type' extensible with more
authorized keys, which we can use to implement things like the
"sysadmin" API we have for the build farm.
Thoughts?
Thanks,
Ludo'.
Ludovic Courtès (1):
services: openssh: Add 'authorized-keys' field.
doc/guix.texi | 24 +++++++++++++--
gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 91 insertions(+), 19 deletions(-)
--
2.13.3
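The permission rule Ludo describes above (sshd's StrictModes check, which rejects a key file, or any directory above it, that is group- or world-writable or not owned by root or the user) is easy to reproduce on a constructed tree. What follows is an added example, not code from the patch or from the Guix project: a Python re-implementation of that walk-up check, run against a throwaway directory laid out like /gnu/store (group-writable, sticky) and like the /etc/ssh tree the patch creates (755 for ssh/, 555 for authorized_keys.d/). The `stop_dir` parameter stands in for the home-directory stop in sshd's loop; the sandbox root is passed there so the walk does not continue into the real /tmp, which is world-writable and would fail every case. The directory names, the store hash and the key line are all constructed for the demo.

```python
import os
import shutil
import stat
import tempfile


def secure_path(path, uid, stop_dir=None):
    """Apply sshd's StrictModes rule to PATH on behalf of user UID.

    Mirrors auth_secure_path() in OpenSSH's auth.c: the key file must be a
    regular file owned by root or UID with no group/world write bits, and
    every directory above it must pass the same ownership and mode test.
    The walk stops once STOP_DIR (sshd uses the user's home directory there)
    or "/" has been checked.  Returns (ok, reason).
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False, "%s: not a regular file" % path
    if st.st_uid not in (0, uid) or st.st_mode & 0o022:
        return False, "bad ownership or modes for file %s" % path

    cur = os.path.realpath(path)
    stop = os.path.realpath(stop_dir) if stop_dir else None
    while True:
        cur = os.path.dirname(cur)
        st = os.stat(cur)
        if st.st_uid not in (0, uid) or st.st_mode & 0o022:
            return False, "bad ownership or modes for directory %s" % cur
        if cur == stop or cur == "/":
            return True, "ok"


# Constructed placeholder line for the demo; not a real public key.
KEY_LINE = b"ssh-ed25519 AAAAexample alice@example\n"


def _write_key(path):
    with open(path, "wb") as f:
        f.write(KEY_LINE)
    os.chmod(path, 0o444)  # store files, and the copies made of them, are read-only


def build_fixture():
    """Lay out a throwaway tree mimicking the two locations discussed in the
    message.  Everything here is constructed for the example."""
    root = tempfile.mkdtemp(prefix="sshd-strictmodes-")

    # Like /gnu/store/<hash>-openssh-authorized-keys/alice: the output
    # directory and file are read-only, but the store directory itself is
    # group-writable (1775, group guixbuild), which is what sshd objects to.
    store = os.path.join(root, "gnu", "store")
    store_keys = os.path.join(store, "abc123-openssh-authorized-keys")
    os.makedirs(store_keys)
    _write_key(os.path.join(store_keys, "alice"))
    os.chmod(store_keys, 0o555)
    os.chmod(store, 0o1775)
    os.chmod(os.path.join(root, "gnu"), 0o755)

    # Like /etc/ssh/authorized_keys.d/alice after the activation snippet:
    # /etc/ssh is 755 and authorized_keys.d is 555.
    etc_ssh = os.path.join(root, "etc", "ssh")
    etc_keys = os.path.join(etc_ssh, "authorized_keys.d")
    os.makedirs(etc_keys)
    _write_key(os.path.join(etc_keys, "alice"))
    os.chmod(etc_keys, 0o555)
    os.chmod(etc_ssh, 0o755)
    os.chmod(os.path.join(root, "etc"), 0o755)

    return root, os.path.join(store_keys, "alice"), os.path.join(etc_keys, "alice")


def cleanup(root):
    # Re-enable writes on the read-only directories so rmtree can unlink.
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, 0o700)
    shutil.rmtree(root)


def check_fixture():
    """Run the check on both copies of alice's key as the current user.
    The store copy is rejected at the group-writable store directory; the
    /etc/ssh copy is accepted."""
    root, in_store, in_etc = build_fixture()
    try:
        uid = os.getuid()
        return {
            "store": secure_path(in_store, uid, stop_dir=root),
            "etc": secure_path(in_etc, uid, stop_dir=root),
        }
    finally:
        cleanup(root)


if __name__ == "__main__":
    for name, (ok, reason) in check_fixture().items():
        print("%-5s %s  (%s)" % (name, "accepted" if ok else "rejected", reason))
```

The rejection reason names the first offending directory, which is how the real sshd log line ("bad ownership or modes for directory /gnu/store") looks when a store path is used directly; the same function accepts the copied tree because the patch's activation snippet leaves no writable bit for group or world anywhere between /etc and the per-user file.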
Information forwarded to guix-patches <at> gnu.org: bug#27837; Package guix-patches. (Wed, 26 Jul 2017 13:15:02 GMT)
Message #8 received at 27837 <at> debbugs.gnu.org:
* gnu/services/ssh.scm (<openssh-configuration>)[authorized-keys]: New
field.
(authorized-key-directory): New procedure.
(openssh-config-file): Honor 'authorized-keys'.
(openssh-activation): Use 'with-imported-modules'. Make /etc/ssh
755. Create /etc/ssh/authorized_keys.d.
* doc/guix.texi (Networking Services): Document it.
---
doc/guix.texi | 24 +++++++++++++--
gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 91 insertions(+), 19 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index e8c4e0eaf..e8f1a73e3 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -10201,7 +10201,10 @@ shell daemon, @command{sshd}. Its value must be an
(service openssh-service-type
(openssh-configuration
(x11-forwarding? #t)
- (permit-root-login 'without-password)))
+ (permit-root-login 'without-password)
+ (authorized-keys
+ `(("alice" ,(local-file "alice.pub"))
+ ("bob" ,(local-file "bob.pub"))))))
@end example
See below for details about @code{openssh-configuration}.
@@ -10276,8 +10279,25 @@ server. Alternately, one can specify the @command{sftp-server} command:
(service openssh-service-type
(openssh-configuration
(subsystems
- '(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
+ `(("sftp" ,(file-append openssh "/libexec/sftp-server"))))))
@end example
+
+@item @code{authorized-keys} (default: @code{'()})
+This is the list of authorized keys. Each element of the list is a user
+name followed by one or more file-like objects that represent SSH public
+keys. For example:
+
+@example
+(openssh-configuration
+ (authorized-keys
+ `(("rekado" ,(local-file "rekado.pub"))
+ ("chris" ,(local-file "chris.pub"))
+ ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub")))))
+@end example
+
+@noindent
+registers the specified public keys for user accounts @code{rekado},
+@code{chris}, and @code{root}.
@end table
@end deftp
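Review bot: the new @code{authorized-keys} entry does not say where the keys are installed or how they combine with the user's own keys, which is the first thing an administrator will ask. Since the sshd configuration this patch emits lists `.ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u`, one sentence stating that each entry becomes /etc/ssh/authorized_keys.d/USER and that ~/.ssh/authorized_keys keeps working alongside it would close that gap. Separately, the quasiquote correction to the sftp example (`'((\"sftp\"` to `` `((\"sftp\"``) is an unrelated documentation fix and would be clearer as its own commit.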
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 2a6c8d45c..08635af16 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -28,6 +28,7 @@
#:use-module (gnu system shadow)
#:use-module (guix gexp)
#:use-module (guix records)
+ #:use-module (guix modules)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
#:export (lsh-configuration
@@ -295,7 +296,11 @@ The other options should be self-descriptive."
(default #t))
;; list of two-element lists
(subsystems openssh-configuration-subsystems
- (default '(("sftp" "internal-sftp")))))
+ (default '(("sftp" "internal-sftp"))))
+
+ ;; list of user-name/file-like tuples
+ (authorized-keys openssh-authorized-keys
+ (default '())))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
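Review bot: the accessor `openssh-authorized-keys` departs from the `openssh-configuration-<field>` naming every other field of this record uses (`openssh-configuration-subsystems` is right above it in the same hunk); `openssh-configuration-authorized-keys` would match and is what a reader of the record will guess. The comment `;; list of user-name/file-like tuples` also undersells the shape: per the documentation hunk, each element is a user name followed by one or more file-like objects, so something like `;; list of (user-name file-like ...) lists` is more accurate.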
@@ -309,22 +314,64 @@ The other options should be self-descriptive."
(define (openssh-activation config)
"Return the activation GEXP for CONFIG."
- #~(begin
- (use-modules (guix build utils))
- (mkdir-p "/etc/ssh")
- (mkdir-p (dirname #$(openssh-configuration-pid-file config)))
-
- (define (touch file-name)
- (call-with-output-file file-name (const #t)))
-
- (let ((lastlog "/var/log/lastlog"))
- (when #$(openssh-configuration-print-last-log? config)
- (unless (file-exists? lastlog)
- (touch lastlog))))
-
- ;; Generate missing host keys.
- (system* (string-append #$(openssh-configuration-openssh config)
- "/bin/ssh-keygen") "-A")))
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils))
+
+ (define (touch file-name)
+ (call-with-output-file file-name (const #t)))
+
+ ;; Make sure /etc/ssh can be read by the 'sshd' user.
+ (mkdir-p "/etc/ssh")
+ (chmod "/etc/ssh" #o755)
+ (mkdir-p (dirname #$(openssh-configuration-pid-file config)))
+
+ ;; 'sshd' complains if the authorized-key directory and its parents
+ ;; are group-writable, which rules out /gnu/store. Thus we copy the
+ ;; authorized-key directory to /etc.
+ (catch 'system-error
+ (lambda ()
+ (delete-file-recursively "/etc/authorized_keys.d"))
+ (lambda args
+ (unless (= ENOENT (system-error-errno args))
+ (apply throw args))))
+ (copy-recursively #$(authorized-key-directory
+ (openssh-authorized-keys config))
+ "/etc/ssh/authorized_keys.d")
+
+ (chmod "/etc/ssh/authorized_keys.d" #o555)
+
+ (let ((lastlog "/var/log/lastlog"))
+ (when #$(openssh-configuration-print-last-log? config)
+ (unless (file-exists? lastlog)
+ (touch lastlog))))
+
+ ;; Generate missing host keys.
+ (system* (string-append #$(openssh-configuration-openssh config)
+ "/bin/ssh-keygen") "-A"))))
+
+(define (authorized-key-directory keys)
+ "Return a directory containing the authorized keys specified in KEYS, a list
+of user-name/file-like tuples."
+ (define build
+ (with-imported-modules (source-module-closure '((guix build utils)))
+ #~(begin
+ (use-modules (ice-9 match) (srfi srfi-26)
+ (guix build utils))
+
+ (mkdir #$output)
+ (for-each (match-lambda
+ ((user keys ...)
+ (let ((file (string-append #$output "/" user)))
+ (call-with-output-file file
+ (lambda (port)
+ (for-each (lambda (key)
+ (call-with-input-file key
+ (cut dump-port <> port)))
+ keys))))))
+ '#$keys))))
+
+ (computed-file "openssh-authorized-keys" build))
(define (openssh-config-file config)
"Return the sshd configuration file corresponding to CONFIG."
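Review bot: the cleanup and the copy target different paths, and that leaves stale keys in place. `(delete-file-recursively "/etc/authorized_keys.d")` removes /etc/authorized_keys.d, while the `copy-recursively` call two forms later writes to "/etc/ssh/authorized_keys.d". As written the delete is a permanent no-op (the ENOENT is swallowed by the handler), so a reconfigure only overwrites the per-user files for users still present in `authorized-keys`; a user dropped from the list keeps their /etc/ssh/authorized_keys.d/USER file, and sshd keeps accepting that key. The delete should name "/etc/ssh/authorized_keys.d" so every activation starts from a clean directory.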
@@ -367,6 +414,11 @@ The other options should be self-descriptive."
(format port "PrintLastLog ~a\n"
#$(if (openssh-configuration-print-last-log? config)
"yes" "no"))
+
+ ;; Add '/etc/authorized_keys.d/%u', which we populate.
+ (format port "AuthorizedKeysFile \
+ .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n")
+
(for-each
(match-lambda
((name command) (format port "Subsystem\t~a\t~a\n" name command)))
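Review bot: the comment `;; Add '/etc/authorized_keys.d/%u', which we populate.` names a different path than the line it annotates, which emits `/etc/ssh/authorized_keys.d/%u`; the comment should match the emitted path (the activation snippet also writes under /etc/ssh). It is also worth saying in that comment why `.ssh/authorized_keys .ssh/authorized_keys2` are restated here: setting `AuthorizedKeysFile` replaces sshd's default list rather than extending it, so dropping them would silently disable users' own authorized_keys files.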
--
2.13.3
Information forwarded to guix-patches <at> gnu.org: bug#27837; Package guix-patches. (Wed, 26 Jul 2017 13:41:01 GMT)
Message #11 received at 27837 <at> debbugs.gnu.org:
Ludovic Courtès transcribed 0.9K bytes:
> Hello!
>
> This patch adds an 'authorized-keys' field to 'openssh-configuration',
> which allows users to define per-user authorized keys.
>
> There are some shenanigans due to the fact that 'sshd' ignores
> authorized key files that are more than owner-writable, or that have a
> parent directory that is more than owner-writable. Since /gnu/store is
> group-writable (for "guixbuild"), we have to copy the authorized-key
> directory to /etc/ssh and set the right permissions there.
>
> Eventually, I'd like to make 'openssh-service-type' extensible with more
> authorized keys, which we can use to implement things like the
> "sysadmin" API we have for the build farm.
>
> Thoughts?
Nice! I have to use it to see if I like it, but the theory is good.
I'll reconfigure a system with this tomorrow.
> Thanks,
> Ludo'.
>
> Ludovic Courtès (1):
> services: openssh: Add 'authorized-keys' field.
>
> doc/guix.texi | 24 +++++++++++++--
> gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
> 2 files changed, 91 insertions(+), 19 deletions(-)
>
> --
> 2.13.3
>
--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org
Reply sent to ludo <at> gnu.org (Ludovic Courtès): You have taken responsibility. (Sun, 30 Jul 2017 14:31:01 GMT)
Notification sent to Ludovic Courtès <ludo <at> gnu.org>: bug acknowledged by developer. (Sun, 30 Jul 2017 14:31:02 GMT)
Message #16 received at 27837-done <at> debbugs.gnu.org:
Hi!
Ludovic Courtès <ludo <at> gnu.org> skribis:
> This patch adds an 'authorized-keys' field to 'openssh-configuration',
> which allows users to define per-user authorized keys.
Pushed as 4892eb7c6a21416f3a18e18ca17984e2b66050ad.
> Eventually, I'd like to make 'openssh-service-type' extensible with more
> authorized keys, which we can use to implement things like the
> "sysadmin" API we have for the build farm.
Done in 1398a43816011c435fb6723154dbf1d3414b5b3d.
Feedback still welcome though. :-)
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 28 Aug 2017 11:24:03 GMT)
GNU bug tracking system