From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 26 09:11:17 2017 Received: (at submit) by debbugs.gnu.org; 26 Jul 2017 13:11:17 +0000 Received: from localhost ([127.0.0.1]:56824 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daM5s-0006Y3-SJ for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:11:17 -0400 Received: from eggs.gnu.org ([208.118.235.92]:54042) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daM5s-0006Xr-6E for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:11:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1daM5i-0006vK-Vd for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:11:10 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:51962) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1daM5i-0006vD-S9 for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:11:06 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:44963) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1daM5h-0004Se-OH for guix-patches@gnu.org; Wed, 26 Jul 2017 09:11:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1daM5g-0006ts-Ul for guix-patches@gnu.org; Wed, 26 Jul 2017 09:11:05 -0400 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:60339) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1daM5b-0006rO-Rk; Wed, 26 Jul 2017 09:10:59 -0400 Received: from reverse-83.fdn.fr ([80.67.176.83]:44232 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1daM5b-000679-BQ; Wed, 26 Jul 2017 09:10:59 -0400 
From: Ludovic Courtès
To: guix-patches@gnu.org
Subject: [PATCH 0/1] SSH service supports the definition of authorized keys
Date: Wed, 26 Jul 2017 15:10:48 +0200
Message-Id: <20170726131048.9603-1-ludo@gnu.org>
X-Mailer: git-send-email 2.13.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: submit
Cc: Ludovic Courtès
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"
X-Spam-Score: -5.0 (-----)

Hello!

This patch adds an 'authorized-keys' field to 'openssh-configuration', which allows users to define per-user authorized keys.

There are some shenanigans due to the fact that 'sshd' ignores authorized key files that are more than owner-writable, or that have a parent directory that is more than owner-writable. Since /gnu/store is group-writable (for "guixbuild"), we have to copy the authorized-key directory to /etc/ssh and set the right permissions there.

Eventually, I'd like to make 'openssh-service-type' extensible with more authorized keys, which we can use to implement things like the "sysadmin" API we have for the build farm.

Thoughts?

Thanks,
Ludo'.

Ludovic Courtès (1):
  services: openssh: Add 'authorized-keys' field.
 doc/guix.texi        | 24 +++++++++++++--
 gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 91 insertions(+), 19 deletions(-)

-- 
2.13.3

From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 26 09:14:43 2017
Received: (at 27837) by debbugs.gnu.org; 26 Jul 2017 13:14:43 +0000
Received: from localhost ([127.0.0.1]:56829 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daM9D-0006d9-AI for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:14:43 -0400
Received: from eggs.gnu.org ([208.118.235.92]:55939) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daM9B-0006cs-RM for 27837@debbugs.gnu.org; Wed, 26 Jul 2017 09:14:42 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1daM95-00007J-H2 for 27837@debbugs.gnu.org; Wed, 26 Jul 2017 09:14:36 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RP_MATCHES_RCVD autolearn=disabled version=3.3.2
Received: from fencepost.gnu.org ([2001:4830:134:3::e]:60636) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1daM8z-0008Uo-6D; Wed, 26 Jul 2017 09:14:29 -0400
Received: from reverse-83.fdn.fr ([80.67.176.83]:44240 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1daM8y-00074e-J7; Wed, 26 Jul 2017 09:14:28 -0400
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?= To: 27837@debbugs.gnu.org Subject: [PATCH 1/1] services: openssh: Add 'authorized-keys' field. Date: Wed, 26 Jul 2017 15:14:17 +0200 Message-Id: <20170726131417.10686-1-ludo@gnu.org> X-Mailer: git-send-email 2.13.3 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 27837 Cc: =?UTF-8?q?Ludovic=20Court=C3=A8s?= X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) * gnu/services/ssh.scm ()[authorized-keys]: New field. (authorized-key-directory): New procedure. (openssh-config-file): Honor 'authorized-keys'. (openssh-activation): Use 'with-imported-modules'. Make /etc/ssh 755. Create /etc/ssh/authorized_keys.d. * doc/guix.texi (Networking Services): Document it. --- doc/guix.texi | 24 +++++++++++++-- gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++----------- 2 files changed, 91 insertions(+), 19 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index e8c4e0eaf..e8f1a73e3 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -10201,7 +10201,10 @@ shell daemon, @command{sshd}. Its value must be an (service openssh-service-type (openssh-configuration (x11-forwarding? #t) - (permit-root-login 'without-password))) + (permit-root-login 'without-password) + (authorized-keys + `(("alice" ,(local-file "alice.pub")) + ("bob" ,(local-file "bob.pub")))))) @end example See below for details about @code{openssh-configuration}. 
@@ -10276,8 +10279,25 @@ server. Alternately, one can specify the @command{sftp-server} command: (service openssh-service-type (openssh-configuration (subsystems - '(("sftp" ,(file-append openssh "/libexec/sftp-server")))))) + `(("sftp" ,(file-append openssh "/libexec/sftp-server")))))) @end example + +@item @code{authorized-keys} (default: @code{'()}) +This is the list of authorized keys. Each element of the list is a user +name followed by one or more file-like objects that represent SSH public +keys. For example: + +@example +(openssh-configuration + (authorized-keys + `(("rekado" ,(local-file "rekado.pub")) + ("chris" ,(local-file "chris.pub")) + ("root" ,(local-file "rekado.pub") ,(local-file "chris.pub"))))) +@end example + +@noindent +registers the specified public keys for user accounts @code{rekado}, +@code{chris}, and @code{root}. @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 2a6c8d45c..08635af16 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -28,6 +28,7 @@ #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix modules) #:use-module (srfi srfi-26) #:use-module (ice-9 match) #:export (lsh-configuration @@ -295,7 +296,11 @@ The other options should be self-descriptive." (default #t)) ;; list of two-element lists (subsystems openssh-configuration-subsystems - (default '(("sftp" "internal-sftp"))))) + (default '(("sftp" "internal-sftp")))) + + ;; list of user-name/file-like tuples + (authorized-keys openssh-authorized-keys + (default '()))) (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) 
@@ -309,22 +314,64 @@ The other options should be self-descriptive." (define (openssh-activation config) "Return the activation GEXP for CONFIG." - #~(begin - (use-modules (guix build utils)) - (mkdir-p "/etc/ssh") - (mkdir-p (dirname #$(openssh-configuration-pid-file config))) - - (define (touch file-name) - (call-with-output-file file-name (const #t))) - - (let ((lastlog "/var/log/lastlog")) - (when #$(openssh-configuration-print-last-log? config) - (unless (file-exists? lastlog) - (touch lastlog)))) - - ;; Generate missing host keys. - (system* (string-append #$(openssh-configuration-openssh config) - "/bin/ssh-keygen") "-A"))) + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + + (define (touch file-name) + (call-with-output-file file-name (const #t))) + + ;; Make sure /etc/ssh can be read by the 'sshd' user. + (mkdir-p "/etc/ssh") + (chmod "/etc/ssh" #o755) + (mkdir-p (dirname #$(openssh-configuration-pid-file config))) + + ;; 'sshd' complains if the authorized-key directory and its parents + ;; are group-writable, which rules out /gnu/store. Thus we copy the + ;; authorized-key directory to /etc. + (catch 'system-error + (lambda () + (delete-file-recursively "/etc/authorized_keys.d")) + (lambda args + (unless (= ENOENT (system-error-errno args)) + (apply throw args)))) + (copy-recursively #$(authorized-key-directory + (openssh-authorized-keys config)) + "/etc/ssh/authorized_keys.d") + + (chmod "/etc/ssh/authorized_keys.d" #o555) + + (let ((lastlog "/var/log/lastlog")) + (when #$(openssh-configuration-print-last-log? config) + (unless (file-exists? lastlog) + (touch lastlog)))) + + ;; Generate missing host keys. + (system* (string-append #$(openssh-configuration-openssh config) + "/bin/ssh-keygen") "-A")))) + +(define (authorized-key-directory keys) + "Return a directory containing the authorized keys specified in KEYS, a list +of user-name/file-like tuples." 
+ (define build + (with-imported-modules (source-module-closure '((guix build utils))) + #~(begin + (use-modules (ice-9 match) (srfi srfi-26) + (guix build utils)) + + (mkdir #$output) + (for-each (match-lambda + ((user keys ...) + (let ((file (string-append #$output "/" user))) + (call-with-output-file file + (lambda (port) + (for-each (lambda (key) + (call-with-input-file key + (cut dump-port <> port))) + keys)))))) + '#$keys)))) + + (computed-file "openssh-authorized-keys" build)) (define (openssh-config-file config) "Return the sshd configuration file corresponding to CONFIG." @@ -367,6 +414,11 @@ The other options should be self-descriptive." (format port "PrintLastLog ~a\n" #$(if (openssh-configuration-print-last-log? config) "yes" "no")) + + ;; Add '/etc/authorized_keys.d/%u', which we populate. + (format port "AuthorizedKeysFile \ + .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n") + (for-each (match-lambda ((name command) (format port "Subsystem\t~a\t~a\n" name command))) -- 2.13.3 From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 26 09:40:13 2017 Received: (at 27837) by debbugs.gnu.org; 26 Jul 2017 13:40:13 +0000 Received: from localhost ([127.0.0.1]:56857 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daMXt-0007EO-E7 for submit@debbugs.gnu.org; Wed, 26 Jul 2017 09:40:13 -0400 Received: from aibo.runbox.com ([91.220.196.211]:60542) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daMXs-0007EH-3x for 27837@debbugs.gnu.org; Wed, 26 Jul 2017 09:40:12 -0400 Received: from [10.9.9.211] (helo=mailfront11.runbox.com) by mailtransmit03.runbox with esmtp (Exim 4.86_2) (envelope-from ) id 1daMXq-0006zO-Sz; Wed, 26 Jul 2017 15:40:10 +0200 Received: from [185.29.8.132] (helo=localhost) by mailfront11.runbox.com with esmtpsa (uid:892961 ) (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) id 1daMXa-0003sj-E7; Wed, 26 Jul 2017 15:39:55 +0200 Date: Wed, 26 Jul 2017 13:39:50 +0000 
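Review bot: in the `@@ -10276,8 +10279,25 @@` doc hunk, the new `@item @code{authorized-keys}` entry should say where the keys end up and that they are additive: per the `openssh-config-file` change, sshd reads `/etc/ssh/authorized_keys.d/USER` alongside the usual `.ssh/authorized_keys` and `.ssh/authorized_keys2`, so a reader should know that a key placed in a home directory remains valid regardless of this field. The same hunk also silently changes the sftp example from `'(("sftp" ...` to `` `(("sftp" ... ``; that fix is unrelated to the new field and deserves a line in the commit message.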
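Review bot: in the `@@ -295,7 +296,11 @@` hunk, the new accessor is named `openssh-authorized-keys` while every other field of the record uses the `openssh-configuration-` prefix (`openssh-configuration-subsystems`, `openssh-configuration-pid-file`, ...); renaming it to `openssh-configuration-authorized-keys` keeps the record's API consistent.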
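Review bot: in the `@@ -309,22 +314,64 @@` activation hunk, the cleanup and the copy target disagree: `(delete-file-recursively "/etc/authorized_keys.d")` removes a path that is never created, while `copy-recursively` writes to `"/etc/ssh/authorized_keys.d"`. Because the real directory is never cleared, a reconfigure that drops a user (or a key) from 'authorized-keys' leaves that user's file in `/etc/ssh/authorized_keys.d`, and sshd keeps accepting the removed key; the `chmod ... #o555` does not prevent this since activation runs as root. Suggest deleting the same path that is copied to, e.g. `(delete-file-recursively "/etc/ssh/authorized_keys.d")`, so each generation's directory exactly reflects the configured keys.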
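Review bot: in the `@@ -367,6 +414,11 @@` hunk, the comment `;; Add '/etc/authorized_keys.d/%u', which we populate.` names a different path from the `AuthorizedKeysFile` value that follows (`/etc/ssh/authorized_keys.d/%u`); align the comment with the actual path. It would also help to note in the comment that the two `.ssh/` entries are kept deliberately so that per-user `~/.ssh/authorized_keys` files continue to work next to the system-managed one.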
From: ng0
To: Ludovic Courtès
Subject: Re: [bug#27837] [PATCH 0/1] SSH service supports the definition of authorized keys
Message-ID: <20170726133950.p6saprt5defbmjpd@abyayala>
Mail-Followup-To: Ludovic Courtès , 27837@debbugs.gnu.org
References: <20170726131048.9603-1-ludo@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="wfb5nfcop5l3wezq"
Content-Disposition: inline
In-Reply-To: <20170726131048.9603-1-ludo@gnu.org>
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: 27837
Cc: 27837@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"
X-Spam-Score: -0.7 (/)

Ludovic Courtès transcribed 0.9K bytes:
> Hello!
> 
> This patch adds an 'authorized-keys' field to 'openssh-configuration',
> which allows users to define per-user authorized keys.
> 
> There are some shenanigans due to the fact that 'sshd' ignores
> authorized key files that are more than owner-writable, or that have a
> parent directory that is more than owner-writable. Since /gnu/store is
> group-writable (for "guixbuild"), we have to copy the authorized-key
> directory to /etc/ssh and set the right permissions there.
> 
> Eventually, I'd like to make 'openssh-service-type' extensible with more
> authorized keys, which we can use to implement things like the
> "sysadmin" API we have for the build farm.
> 
> Thoughts?

Nice! I have to use it to see if I like it, but the theory is good. I'll reconfigure a system with this tomorrow.

> Thanks,
> Ludo'.
> 
> Ludovic Courtès (1):
>   services: openssh: Add 'authorized-keys' field.
> 
>  doc/guix.texi        | 24 +++++++++++++--
>  gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
>  2 files changed, 91 insertions(+), 19 deletions(-)
> 
> -- 
> 2.13.3

-- 
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org https://krosos.org

From debbugs-submit-bounces@debbugs.gnu.org Sun Jul 30 10:30:48 2017
Received: (at 27837-done) by debbugs.gnu.org; 30 Jul 2017 14:30:48 +0000
Received: from localhost ([127.0.0.1]:34382 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dbpF2-0004VM-C6 for submit@debbugs.gnu.org; Sun, 30 Jul 2017 10:30:48 -0400
Received: from eggs.gnu.org ([208.118.235.92]:38596) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dbpF0-0004V8-D0 for 27837-done@debbugs.gnu.org; Sun, 30 Jul 2017 10:30:46 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dbpEq-0001La-4k for 27837-done@debbugs.gnu.org; Sun,
30 Jul 2017 10:30:41 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RP_MATCHES_RCVD autolearn=disabled version=3.3.2 Received: from fencepost.gnu.org ([2001:4830:134:3::e]:57216) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dbpEp-0001LO-Vr for 27837-done@debbugs.gnu.org; Sun, 30 Jul 2017 10:30:36 -0400 Received: from reverse-83.fdn.fr ([80.67.176.83]:59356 helo=ribbon) by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256) (Exim 4.82) (envelope-from ) id 1dbpEp-00057j-CN for 27837-done@debbugs.gnu.org; Sun, 30 Jul 2017 10:30:35 -0400 
From: ludo@gnu.org (Ludovic Courtès)
To: 27837-done@debbugs.gnu.org
Subject: Re: [bug#27837] [PATCH 0/1] SSH service supports the definition of authorized keys
References: <20170726131048.9603-1-ludo@gnu.org>
Date: Sun, 30 Jul 2017 16:30:33 +0200
In-Reply-To: <20170726131048.9603-1-ludo@gnu.org> (Ludovic Courtès's message of "Wed, 26 Jul 2017 15:10:48 +0200")
Message-ID: <87pocif14m.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2001:4830:134:3::e
X-Spam-Score: -5.0 (-----)
X-Debbugs-Envelope-To: 27837-done
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit"
X-Spam-Score: -5.0 (-----)

Hi!

Ludovic Courtès wrote:

> This patch adds an 'authorized-keys' field to 'openssh-configuration',
> which allows users to define per-user authorized keys.

Pushed as 4892eb7c6a21416f3a18e18ca17984e2b66050ad.

> Eventually, I'd like to make 'openssh-service-type' extensible with more
> authorized keys, which we can use to implement things like the
> "sysadmin" API we have for the build farm.

Done in 1398a43816011c435fb6723154dbf1d3414b5b3d.

Feedback still welcome though. :-)

Ludo’.

From unknown Mon Jun 23 23:54:35 2025
Received: (at fakecontrol) by fakecontrolmessage;
To: internal_control@debbugs.gnu.org
From: Debbugs Internal Request
Subject: Internal Control
Message-Id: bug archived.
Date: Mon, 28 Aug 2017 11:24:03 +0000
User-Agent: Fakemail v42.6.9

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
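The rule the cover letter relies on, and the reason the activation snippet copies the key directory out of the store, is the ownership and permission walk sshd performs (the StrictModes check) before trusting an authorized_keys file: the file and every directory above it, up to the user's home directory or "/", must be owned by root or by the user and must not be group- or world-writable. The Python script below is an added example, not code from this thread or from Guix; it emulates that walk on two constructed layouts under a temporary directory that stands in for "/": one mimicking a key directory left under a group-writable /gnu/store, one mimicking the copy under /etc/ssh with the modes the patch sets (755 for /etc/ssh, 555 for authorized_keys.d). Function names, the fake store hash and the sample key line are mine.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path


def unsafe_components(path, user_uid, stop_at):
    """Emulate the ownership/permission walk sshd performs (StrictModes)
    before it trusts an authorized_keys file.

    Returns a list of (path, reason) pairs, one per component sshd would
    reject; an empty list means the file would be accepted.  The file and
    every parent directory up to and including STOP_AT (the user's home
    directory, or "/") must be owned by root or by USER_UID and must not
    be group- or world-writable (mode bits 022 clear).
    """
    problems = []
    current = Path(path).resolve()
    stop_at = Path(stop_at).resolve()
    while True:
        st = os.stat(current)
        if st.st_uid not in (0, user_uid):
            problems.append((str(current),
                             f"owned by uid {st.st_uid}, not root or uid {user_uid}"))
        if st.st_mode & 0o022:
            problems.append((str(current),
                             f"group/world-writable (mode {stat.S_IMODE(st.st_mode):04o})"))
        if current == stop_at or current.parent == current:
            break
        current = current.parent
    return problems


def demo():
    """Check two constructed layouts under a temporary directory that plays
    the role of "/" and return the problems found for each, with paths made
    relative to that fake root."""
    uid = os.getuid()
    root = Path(tempfile.mkdtemp()).resolve()      # stands in for "/"
    store = root / "gnu" / "store"
    keydir = store / "0000000000000000-openssh-authorized-keys"   # constructed hash
    akd = root / "etc" / "ssh" / "authorized_keys.d"
    try:
        # Constructed stand-in for the computed-file directory left in the store.
        keydir.mkdir(parents=True)
        (keydir / "alice").write_text("ssh-ed25519 AAAAC3...constructed... alice\n")
        os.chmod(root / "gnu", 0o755)
        os.chmod(store, 0o775)          # group-writable, as /gnu/store is for guixbuild
        os.chmod(keydir, 0o555)
        os.chmod(keydir / "alice", 0o444)

        # Constructed stand-in for the copy the activation snippet makes under
        # /etc/ssh: /etc/ssh is 755, authorized_keys.d is 555, files stay 444.
        akd.mkdir(parents=True)
        shutil.copyfile(keydir / "alice", akd / "alice")
        os.chmod(root / "etc", 0o755)
        os.chmod(root / "etc" / "ssh", 0o755)
        os.chmod(akd, 0o555)
        os.chmod(akd / "alice", 0o444)

        def relative(problems):
            return [(os.path.relpath(p, root), why) for p, why in problems]

        return {
            "store": relative(unsafe_components(keydir / "alice", uid, root)),
            "etc": relative(unsafe_components(akd / "alice", uid, root)),
        }
    finally:
        for d in (keydir, akd):         # undo read-only modes so cleanup can unlink
            if d.exists():
                os.chmod(d, 0o755)
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run as-is, the store layout is rejected solely because of its group-writable `gnu/store` ancestor, while the `/etc/ssh` copy passes; pointing `unsafe_components` at a real `authorized_keys` path with the user's uid and home directory gives the same verdict sshd would reach, which is a useful pre-reconfigure check when keys are provisioned outside a home directory.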