userdbctl: enable ssh-authorized-keys logic by default
sshd now supports config file drop-ins, hence let's install one to hook up "userdb ssh-authorized-keys", so that things just work. We put the drop-in relatively early, so that other drop-ins generally will override this. Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but let's take what we can get. It's not that sshd's upstream was particularly open to weird ideas from Linux people.
This commit is contained in:
parent
ffc1ec73b3
commit
7e3607996a
3
TODO
3
TODO
@ -1004,9 +1004,6 @@ Features:
|
|||||||
file to move there, since it is managed by privileged code (i.e. homed) and
|
file to move there, since it is managed by privileged code (i.e. homed) and
|
||||||
not unprivileged code.
|
not unprivileged code.
|
||||||
|
|
||||||
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
|
|
||||||
that hooks up userdbctl ssh-key stuff.
|
|
||||||
|
|
||||||
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
||||||
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
||||||
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
||||||
|
@ -198,6 +198,11 @@ if pamconfdir == ''
|
|||||||
pamconfdir = prefixdir / 'lib/pam.d'
|
pamconfdir = prefixdir / 'lib/pam.d'
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
sshdconfdir = get_option('sshdconfdir')
|
||||||
|
if sshdconfdir == ''
|
||||||
|
sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
|
||||||
|
endif
|
||||||
|
|
||||||
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
|
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
|
||||||
if libcryptsetup_plugins_dir == ''
|
if libcryptsetup_plugins_dir == ''
|
||||||
libcryptsetup_plugins_dir = libdir / 'cryptsetup'
|
libcryptsetup_plugins_dir = libdir / 'cryptsetup'
|
||||||
@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash)
|
|||||||
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
|
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
|
||||||
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
|
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
|
||||||
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
|
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
|
||||||
|
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
|
||||||
conf.set_quoted('SYSCONF_DIR', sysconfdir)
|
conf.set_quoted('SYSCONF_DIR', sysconfdir)
|
||||||
conf.set_quoted('SYSCTL_DIR', sysctldir)
|
conf.set_quoted('SYSCTL_DIR', sysctldir)
|
||||||
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
|
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
|
||||||
@ -2676,6 +2682,7 @@ summary({
|
|||||||
'SysV rc?.d directories' : sysvrcnd_path,
|
'SysV rc?.d directories' : sysvrcnd_path,
|
||||||
'PAM modules directory' : pamlibdir,
|
'PAM modules directory' : pamlibdir,
|
||||||
'PAM configuration directory' : pamconfdir,
|
'PAM configuration directory' : pamconfdir,
|
||||||
|
'ssh configuration directory' : sshdconfdir,
|
||||||
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
|
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
|
||||||
'RPM macros directory' : rpmmacrosdir,
|
'RPM macros directory' : rpmmacrosdir,
|
||||||
'modprobe.d directory' : modprobedir,
|
'modprobe.d directory' : modprobedir,
|
||||||
|
@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
|
|||||||
description : 'directory for PAM modules')
|
description : 'directory for PAM modules')
|
||||||
option('pamconfdir', type : 'string',
|
option('pamconfdir', type : 'string',
|
||||||
description : 'directory for PAM configuration ["no" disables]')
|
description : 'directory for PAM configuration ["no" disables]')
|
||||||
|
option('sshdconfdir', type : 'string',
|
||||||
|
description : 'directory for SSH server configuration ["no" disables]')
|
||||||
option('libcryptsetup-plugins-dir', type : 'string',
|
option('libcryptsetup-plugins-dir', type : 'string',
|
||||||
description : 'directory for libcryptsetup plugins')
|
description : 'directory for libcryptsetup plugins')
|
||||||
option('docdir', type : 'string',
|
option('docdir', type : 'string',
|
||||||
|
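--- /dev/null
+++ b/src/userdb/20-systemd-userdb.conf.in
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Make sure SSH authorized keys recorded in user records can be consumed by SSH
+#
+AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
+AuthorizedKeysCommandUser root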
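Review bot: `AuthorizedKeysCommandUser root` on the last line runs userdbctl as root on every authentication attempt, with `%u` being the client-supplied, not-yet-authenticated user name, and nothing in the file says why sshd's usual dedicated low-privilege account would not do. If root is required because the record's sshAuthorizedKeys data is only readable by a privileged caller (this commit does not show that; please confirm), the header should say so, so a later hardening pass does not silently break key lookup. A second line is worth adding because sshd keeps the first value it parses for a keyword: a site drop-in overrides this one only if it sorts before `20-`, which is the reason for the early name given in the commit message. Proposed header comment: `# Runs as root because the authorized-keys part of the record is privileged; sshd honours the first AuthorizedKeysCommand it sees, so an overriding drop-in must sort before 20-.`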
@ -23,3 +23,16 @@ executables += [
|
|||||||
'dependencies' : threads,
|
'dependencies' : threads,
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
|
|
||||||
|
custom_target(
|
||||||
|
'20-systemd-userdb.conf',
|
||||||
|
input : '20-systemd-userdb.conf.in',
|
||||||
|
output : '20-systemd-userdb.conf',
|
||||||
|
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
|
||||||
|
install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
|
||||||
|
install_dir : libexecdir / 'sshd_config.d')
|
||||||
|
|
||||||
|
install_emptydir(sshdconfdir)
|
||||||
|
|
||||||
|
meson.add_install_script(sh, '-c',
|
||||||
|
ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
|
||||||
|
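Review bot: `install_emptydir(sshdconfdir)` and the `meson.add_install_script` symlink are unconditional, while only the custom_target above them is gated on `conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'`; with userdb disabled, or with the `no` value meson_options.txt documents as disabling, the install still creates the directory (for `no`, a relative directory literally named `no`) and a symlink inside sshd_config.d pointing at a file that was never installed. A dangling drop-in there is not harmless, since distributions Include that directory and sshd may refuse to start on an include it cannot open. Wrap all three steps in one `if` so they are enabled together; the custom_target body itself is unchanged apart from `install : true`.
```meson
if conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'
        custom_target(
                # … unchanged: name, input, output, command …
                install : true,
                install_dir : libexecdir / 'sshd_config.d')

        install_emptydir(sshdconfdir)

        meson.add_install_script(sh, '-c',
                ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
endif
```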
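--- /dev/null
+++ b/tmpfiles.d/20-systemd-userdb.conf.in
@@ -0,0 +1,10 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf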
@ -34,6 +34,7 @@ in_files = [['etc.conf', ''],
|
|||||||
['static-nodes-permissions.conf', ''],
|
['static-nodes-permissions.conf', ''],
|
||||||
['systemd.conf', ''],
|
['systemd.conf', ''],
|
||||||
['var.conf', ''],
|
['var.conf', ''],
|
||||||
|
['20-systemd-userdb.conf', 'ENABLE_USERDB'],
|
||||||
]
|
]
|
||||||
|
|
||||||
foreach pair : in_files
|
foreach pair : in_files
|
||||||
|
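Review bot: The new in_files entry is conditional only on `ENABLE_USERDB`, but the snippet it installs expands `{{SSHDCONFDIR}}`, which meson.build sets via `conf.set_quoted('SSHDCONFDIR', sshdconfdir)` to whatever `-Dsshdconfdir` was given, including the literal `no` that meson_options.txt documents as disabling. With `-Dsshdconfdir=no` this installs a tmpfiles.d fragment that tries to create `no/20-systemd-userdb.conf`, a relative path, at every boot while the drop-in it would point to is not installed at all. The condition column here takes a single conf key, so either gate this entry on a key that is only set when `sshdconfdir != 'no'`, or skip the entry under the same `sshdconfdir != 'no'` test the src/userdb custom_target uses. The `in_files` list and the `foreach` consuming it both extend beyond this hunk.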