1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-09 01:18:19 +03:00

userdbctl: enable ssh-authorized-keys logic by default

sshd now supports config file drop-ins, hence let's install one to hook
up "userdb ssh-authorized-keys", so that things just work.

We put the drop-in relatively early, so that other drop-ins generally
will override this.

Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but
let's take what we can get. It's not that sshd's upstream was
particularly open to weird ideas from Linux people.
This commit is contained in:
Lennart Poettering 2023-11-16 18:47:52 +01:00
parent ffc1ec73b3
commit 7e3607996a
7 changed files with 39 additions and 3 deletions

3
TODO
View File

@ -1004,9 +1004,6 @@ Features:
file to move there, since it is managed by privileged code (i.e. homed) and
not unprivileged code.
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
that hooks up userdbctl ssh-key stuff.
* maybe add support for binding and connecting AF_UNIX sockets in the file
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink

View File

@ -198,6 +198,11 @@ if pamconfdir == ''
pamconfdir = prefixdir / 'lib/pam.d'
endif
sshdconfdir = get_option('sshdconfdir')
if sshdconfdir == ''
sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
endif
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
if libcryptsetup_plugins_dir == ''
libcryptsetup_plugins_dir = libdir / 'cryptsetup'
@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash)
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
conf.set_quoted('SYSCONF_DIR', sysconfdir)
conf.set_quoted('SYSCTL_DIR', sysctldir)
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
@ -2676,6 +2682,7 @@ summary({
'SysV rc?.d directories' : sysvrcnd_path,
'PAM modules directory' : pamlibdir,
'PAM configuration directory' : pamconfdir,
'ssh configuration directory' : sshdconfdir,
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
'RPM macros directory' : rpmmacrosdir,
'modprobe.d directory' : modprobedir,

View File

@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
description : 'directory for PAM modules')
option('pamconfdir', type : 'string',
description : 'directory for PAM configuration ["no" disables]')
option('sshdconfdir', type : 'string',
description : 'directory for SSH server configuration ["no" disables]')
option('libcryptsetup-plugins-dir', type : 'string',
description : 'directory for libcryptsetup plugins')
option('docdir', type : 'string',

View File

@ -0,0 +1,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Make sure SSH authorized keys recorded in user records can be consumed by SSH
#
AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root

View File

@ -23,3 +23,16 @@ executables += [
'dependencies' : threads,
},
]
custom_target(
'20-systemd-userdb.conf',
input : '20-systemd-userdb.conf.in',
output : '20-systemd-userdb.conf',
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
install_dir : libexecdir / 'sshd_config.d')
install_emptydir(sshdconfdir)
meson.add_install_script(sh, '-c',
ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))

View File

@ -0,0 +1,10 @@
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See tmpfiles.d(5) for details
L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf

View File

@ -34,6 +34,7 @@ in_files = [['etc.conf', ''],
['static-nodes-permissions.conf', ''],
['systemd.conf', ''],
['var.conf', ''],
['20-systemd-userdb.conf', 'ENABLE_USERDB'],
]
foreach pair : in_files