From 7e3607996a5df22799dd092526c78b5bd7e245f4 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 16 Nov 2023 18:47:52 +0100 Subject: [PATCH] userdbctl: enable ssh-authorized-keys logic by default sshd now supports config file drop-ins, hence let's install one to hook up "userdb ssh-authorized-keys", so that things just work. We put the drop-in relatively early, so that other drop-ins generally will override this. Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but let's take what we can get. It's not that sshd's upstream was particularly open to weird ideas from Linux people. --- TODO | 3 --- meson.build | 7 +++++++ meson_options.txt | 2 ++ src/userdb/20-systemd-userdb.conf.in | 6 ++++++ src/userdb/meson.build | 13 +++++++++++++ tmpfiles.d/20-systemd-userdb.conf.in | 10 ++++++++++ tmpfiles.d/meson.build | 1 + 7 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 src/userdb/20-systemd-userdb.conf.in create mode 100644 tmpfiles.d/20-systemd-userdb.conf.in diff --git a/TODO b/TODO index 5a27e6b567..8646d99b1d 100644 --- a/TODO +++ b/TODO @@ -1004,9 +1004,6 @@ Features: file to move there, since it is managed by privileged code (i.e. homed) and not unprivileged code. -* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that - that hooks up userdbctl ssh-key stuff. - * maybe add support for binding and connecting AF_UNIX sockets in the file system outside of the 108ch limit. When connecting, open O_PATH fd to socket inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink diff --git a/meson.build b/meson.build index 7419e2b0b0..56bdc39c3d 100644 --- a/meson.build +++ b/meson.build @@ -198,6 +198,11 @@ if pamconfdir == '' pamconfdir = prefixdir / 'lib/pam.d' endif +sshdconfdir = get_option('sshdconfdir') +if sshdconfdir == '' + sshdconfdir = sysconfdir / 'ssh/sshd_config.d' +endif + libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir') if libcryptsetup_plugins_dir == '' libcryptsetup_plugins_dir = libdir / 'cryptsetup' @@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash) conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed') conf.set_quoted('RANDOM_SEED_DIR', randomseeddir) conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local')) +conf.set_quoted('SSHDCONFDIR', sshdconfdir) conf.set_quoted('SYSCONF_DIR', sysconfdir) conf.set_quoted('SYSCTL_DIR', sysctldir) conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl') @@ -2676,6 +2682,7 @@ summary({ 'SysV rc?.d directories' : sysvrcnd_path, 'PAM modules directory' : pamlibdir, 'PAM configuration directory' : pamconfdir, + 'ssh configuration directory' : sshdconfdir, 'libcryptsetup plugins directory' : libcryptsetup_plugins_dir, 'RPM macros directory' : rpmmacrosdir, 'modprobe.d directory' : modprobedir, diff --git a/meson_options.txt b/meson_options.txt index 83b48ff5bb..c677c7f420 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -211,6 +211,8 @@ option('pamlibdir', type : 'string', description : 'directory for PAM modules') option('pamconfdir', type : 'string', description : 'directory for PAM configuration ["no" disables]') +option('sshdconfdir', type : 'string', + description : 'directory for SSH server configuration ["no" disables]') option('libcryptsetup-plugins-dir', type : 'string', description : 'directory for libcryptsetup plugins') option('docdir', type : 'string', diff --git a/src/userdb/20-systemd-userdb.conf.in b/src/userdb/20-systemd-userdb.conf.in new file mode 100644 index 0000000000..031fc3a4b8 --- /dev/null +++ b/src/userdb/20-systemd-userdb.conf.in @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# Make sure SSH authorized keys recorded in user records can be consumed by SSH +# +AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u +AuthorizedKeysCommandUser root diff --git a/src/userdb/meson.build b/src/userdb/meson.build index 2d701c8ba7..260dbab2c8 100644 --- a/src/userdb/meson.build +++ b/src/userdb/meson.build @@ -23,3 +23,16 @@ executables += [ 'dependencies' : threads, }, ] + +custom_target( + '20-systemd-userdb.conf', + input : '20-systemd-userdb.conf.in', + output : '20-systemd-userdb.conf', + command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'], + install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no', + install_dir : libexecdir / 'sshd_config.d') + +install_emptydir(sshdconfdir) + +meson.add_install_script(sh, '-c', + ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf')) diff --git a/tmpfiles.d/20-systemd-userdb.conf.in b/tmpfiles.d/20-systemd-userdb.conf.in new file mode 100644 index 0000000000..1ef7a9e8bc --- /dev/null +++ b/tmpfiles.d/20-systemd-userdb.conf.in @@ -0,0 +1,10 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +# See tmpfiles.d(5) for details + +L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build index 4c11ad6e20..390076b6d5 100644 --- a/tmpfiles.d/meson.build +++ b/tmpfiles.d/meson.build @@ -34,6 +34,7 @@ in_files = [['etc.conf', ''], ['static-nodes-permissions.conf', ''], ['systemd.conf', ''], ['var.conf', ''], + ['20-systemd-userdb.conf', 'ENABLE_USERDB'], ] foreach pair : in_files