userdbctl: enable ssh-authorized-keys logic by default

sshd now supports config file drop-ins, hence let's install one to hook
up "userdb ssh-authorized-keys", so that things just work.

We put the drop-in relatively early, so that other drop-ins generally
will override this.

Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but
let's take what we can get. It's not that sshd's upstream was
particularly open to weird ideas from Linux people.
Lennart Poettering 2023-11-16 18:47:52 +01:00
parent ffc1ec73b3
commit 7e3607996a
7 changed files with 39 additions and 3 deletions

3
TODO

@ -1004,9 +1004,6 @@ Features:
file to move there, since it is managed by privileged code (i.e. homed) and file to move there, since it is managed by privileged code (i.e. homed) and
not unprivileged code. not unprivileged code.
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
that hooks up userdbctl ssh-key stuff.
* maybe add support for binding and connecting AF_UNIX sockets in the file * maybe add support for binding and connecting AF_UNIX sockets in the file
system outside of the 108ch limit. When connecting, open O_PATH fd to socket system outside of the 108ch limit. When connecting, open O_PATH fd to socket
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink


@ -198,6 +198,11 @@ if pamconfdir == ''
pamconfdir = prefixdir / 'lib/pam.d' pamconfdir = prefixdir / 'lib/pam.d'
endif endif
sshdconfdir = get_option('sshdconfdir')
if sshdconfdir == ''
sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
endif
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir') libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
if libcryptsetup_plugins_dir == '' if libcryptsetup_plugins_dir == ''
libcryptsetup_plugins_dir = libdir / 'cryptsetup' libcryptsetup_plugins_dir = libdir / 'cryptsetup'
@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash)
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed') conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir) conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local')) conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
conf.set_quoted('SYSCONF_DIR', sysconfdir) conf.set_quoted('SYSCONF_DIR', sysconfdir)
conf.set_quoted('SYSCTL_DIR', sysctldir) conf.set_quoted('SYSCTL_DIR', sysctldir)
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl') conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
@ -2676,6 +2682,7 @@ summary({
'SysV rc?.d directories' : sysvrcnd_path, 'SysV rc?.d directories' : sysvrcnd_path,
'PAM modules directory' : pamlibdir, 'PAM modules directory' : pamlibdir,
'PAM configuration directory' : pamconfdir, 'PAM configuration directory' : pamconfdir,
'ssh configuration directory' : sshdconfdir,
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir, 'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
'RPM macros directory' : rpmmacrosdir, 'RPM macros directory' : rpmmacrosdir,
'modprobe.d directory' : modprobedir, 'modprobe.d directory' : modprobedir,
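Review bot: The summary label added as `'ssh configuration directory' : sshdconfdir,` describes the directory as generic ssh configuration, while the option description in the same commit calls it the SSH server configuration directory and the default chosen above, `sshdconfdir = sysconfdir / 'ssh/sshd_config.d'`, is sshd-specific. `'sshd configuration directory' : sshdconfdir,` would keep the three places consistent, and the `summary({` block this hunk sits in starts and ends outside the hunk.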


@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
description : 'directory for PAM modules') description : 'directory for PAM modules')
option('pamconfdir', type : 'string', option('pamconfdir', type : 'string',
description : 'directory for PAM configuration ["no" disables]') description : 'directory for PAM configuration ["no" disables]')
option('sshdconfdir', type : 'string',
description : 'directory for SSH server configuration ["no" disables]')
option('libcryptsetup-plugins-dir', type : 'string', option('libcryptsetup-plugins-dir', type : 'string',
description : 'directory for libcryptsetup plugins') description : 'directory for libcryptsetup plugins')
option('docdir', type : 'string', option('docdir', type : 'string',


@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Make sure SSH authorized keys recorded in user records can be consumed by SSH
#
AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root
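Review bot: The header comment should state the precedence this drop-in actually gets: sshd uses the first value obtained for each keyword, and a directory pulled in with the usual lexically sorted `Include` glob is read in order, so at `20-` this file wins over later-sorting drop-ins for `AuthorizedKeysCommand` and `AuthorizedKeysCommandUser` rather than being overridden by them, which is the opposite of what the commit message expects; an administrator who wants a different command needs a lower-sorting drop-in or a setting in the main sshd_config ahead of the Include. A line such as `# sshd keeps the first value set for a keyword: to override this, use a drop-in sorting before 20-, or set the keyword in sshd_config before the Include.` would prevent confusion. It would also help to document why `AuthorizedKeysCommandUser root` is used instead of the dedicated unprivileged account sshd_config(5) recommends — presumably because the authorized-keys part of user records is only readable by privileged clients; please confirm and say so in a comment, since running the command as root means any defect in userdbctl's handling of the `%u` argument executes with full privileges.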


@ -23,3 +23,16 @@ executables += [
'dependencies' : threads, 'dependencies' : threads,
}, },
] ]
custom_target(
'20-systemd-userdb.conf',
input : '20-systemd-userdb.conf.in',
output : '20-systemd-userdb.conf',
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
install_dir : libexecdir / 'sshd_config.d')
install_emptydir(sshdconfdir)
meson.add_install_script(sh, '-c',
ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
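Review bot: `install_emptydir(sshdconfdir)` and the `meson.add_install_script(...)` symlink are unconditional, while the `custom_target` they point at is installed only when `conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'`; with userdb disabled this installs a dangling symlink into the sshd drop-in directory, and with the option set to `no` it creates a directory literally named `no` under the install prefix. Both statements should be guarded by the same condition as the custom_target, as below. `sh` and `ln_s` are defined outside this hunk, so I am assuming they are the shell and link-format helpers used elsewhere in the build.
```meson
# … unchanged: custom_target('20-systemd-userdb.conf', …) …
if conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'
        install_emptydir(sshdconfdir)
        meson.add_install_script(sh, '-c',
                                 ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf',
                                             sshdconfdir / '20-systemd-userdb.conf'))
endif
```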


@ -0,0 +1,10 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
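Review bot: The `L` entry is unconditional, so on a host that has the userdb feature but no sshd installed, systemd-tmpfiles will (assuming it creates missing parent directories for `L` lines, as it does for other entry types) bring `{{SSHDCONFDIR}}` into existence — /etc/ssh/sshd_config.d/ with the default — holding a symlink nothing reads; a comment stating that this is intended, or a note on how to mask it, would help reviewers and packagers. Unlike the other new file in this commit, this header also has no `# SPDX-License-Identifier: LGPL-2.1-or-later` line, and the reference to `tmpfiles.d(5)` would read better as a separate comment paragraph after the licence text.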


@ -34,6 +34,7 @@ in_files = [['etc.conf', ''],
['static-nodes-permissions.conf', ''], ['static-nodes-permissions.conf', ''],
['systemd.conf', ''], ['systemd.conf', ''],
['var.conf', ''], ['var.conf', ''],
['20-systemd-userdb.conf', 'ENABLE_USERDB'],
] ]
foreach pair : in_files foreach pair : in_files
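Review bot: The new `['20-systemd-userdb.conf', 'ENABLE_USERDB'],` entry installs the tmpfiles snippet whenever userdb is enabled, but the sshd drop-in it links to is installed only when additionally `sshdconfdir != 'no'` (the `install :` condition on the userdb custom_target in this commit), and with the option set to `no` the template's `{{SSHDCONFDIR}}` expands to the literal string `no`, producing a bogus `L` line. The second column here appears to accept a single conf define, so expressing the extra condition would need a define set from the sshdconfdir check in the top-level build, or a separate guard around this entry. The `in_files` list and the `foreach` consuming it start and end outside the hunk.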