GNU bug report logs - #55359
How do I extend openssh-service-type ?

Previous Next

Package: guix;

Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>

Date: Wed, 11 May 2022 07:38:02 UTC

Severity: normal

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Edouard Klein <edou <at> rdklein.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 55359 <at> debbugs.gnu.org, Oleg Pykhalov <go.wigust <at> gmail.com>, help-guix <at> gnu.org
Subject: bug#55359: How do I extend openssh-service-type ?
Date: Tue, 31 May 2022 19:05:41 +0200

Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome !

Cheers,

Edouard.
Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
>
>>> (service-extension openssh-service-type
>>>                    (const `(("charlie"
>>>                              ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory.  That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b.  Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.
This bug report was last modified 2 years and 357 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.