1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

userdbctl: enable ssh-authorized-keys logic by default

sshd now supports config file drop-ins, hence let's install one to hook
up "userdb ssh-authorized-keys", so that things just work.

We put the drop-in relatively early, so that other drop-ins generally
will override this.

Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but
let's take what we can get. It's not that sshd's upstream was
particularly open to weird ideas from Linux people.
This commit is contained in:
Lennart Poettering 2023-11-16 18:47:52 +01:00
parent ffc1ec73b3
commit 7e3607996a
7 changed files with 39 additions and 3 deletions

3
TODO
View File

@ -1004,9 +1004,6 @@ Features:
file to move there, since it is managed by privileged code (i.e. homed) and file to move there, since it is managed by privileged code (i.e. homed) and
not unprivileged code. not unprivileged code.
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
that hooks up userdbctl ssh-key stuff.
* maybe add support for binding and connecting AF_UNIX sockets in the file * maybe add support for binding and connecting AF_UNIX sockets in the file
system outside of the 108ch limit. When connecting, open O_PATH fd to socket system outside of the 108ch limit. When connecting, open O_PATH fd to socket
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink

View File

@ -198,6 +198,11 @@ if pamconfdir == ''
pamconfdir = prefixdir / 'lib/pam.d' pamconfdir = prefixdir / 'lib/pam.d'
endif endif
sshdconfdir = get_option('sshdconfdir')
if sshdconfdir == ''
sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
endif
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir') libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
if libcryptsetup_plugins_dir == '' if libcryptsetup_plugins_dir == ''
libcryptsetup_plugins_dir = libdir / 'cryptsetup' libcryptsetup_plugins_dir = libdir / 'cryptsetup'
@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash)
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed') conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir) conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local')) conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
conf.set_quoted('SYSCONF_DIR', sysconfdir) conf.set_quoted('SYSCONF_DIR', sysconfdir)
conf.set_quoted('SYSCTL_DIR', sysctldir) conf.set_quoted('SYSCTL_DIR', sysctldir)
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl') conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
@ -2676,6 +2682,7 @@ summary({
'SysV rc?.d directories' : sysvrcnd_path, 'SysV rc?.d directories' : sysvrcnd_path,
'PAM modules directory' : pamlibdir, 'PAM modules directory' : pamlibdir,
'PAM configuration directory' : pamconfdir, 'PAM configuration directory' : pamconfdir,
'ssh configuration directory' : sshdconfdir,
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir, 'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
'RPM macros directory' : rpmmacrosdir, 'RPM macros directory' : rpmmacrosdir,
'modprobe.d directory' : modprobedir, 'modprobe.d directory' : modprobedir,

View File

@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
description : 'directory for PAM modules') description : 'directory for PAM modules')
option('pamconfdir', type : 'string', option('pamconfdir', type : 'string',
description : 'directory for PAM configuration ["no" disables]') description : 'directory for PAM configuration ["no" disables]')
option('sshdconfdir', type : 'string',
description : 'directory for SSH server configuration ["no" disables]')
option('libcryptsetup-plugins-dir', type : 'string', option('libcryptsetup-plugins-dir', type : 'string',
description : 'directory for libcryptsetup plugins') description : 'directory for libcryptsetup plugins')
option('docdir', type : 'string', option('docdir', type : 'string',

View File

@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Make sure SSH authorized keys recorded in user records can be consumed by SSH
#
AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root

View File

@ -23,3 +23,16 @@ executables += [
'dependencies' : threads, 'dependencies' : threads,
}, },
] ]
custom_target(
'20-systemd-userdb.conf',
input : '20-systemd-userdb.conf.in',
output : '20-systemd-userdb.conf',
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
install_dir : libexecdir / 'sshd_config.d')
install_emptydir(sshdconfdir)
meson.add_install_script(sh, '-c',
ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))

View File

@ -0,0 +1,10 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf

View File

@ -34,6 +34,7 @@ in_files = [['etc.conf', ''],
['static-nodes-permissions.conf', ''], ['static-nodes-permissions.conf', ''],
['systemd.conf', ''], ['systemd.conf', ''],
['var.conf', ''], ['var.conf', ''],
['20-systemd-userdb.conf', 'ENABLE_USERDB'],
] ]
foreach pair : in_files foreach pair : in_files