mirror of
https://github.com/systemd/systemd.git
synced 2025-01-09 01:18:19 +03:00
userdbctl: enable ssh-authorized-keys logic by default
sshd now supports config file drop-ins, hence let's install one to hook up "userdb ssh-authorized-keys", so that things just work. We put the drop-in relatively early, so that other drop-ins generally will override this. Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but let's take what we can get. It's not that sshd's upstream was particularly open to weird ideas from Linux people.
This commit is contained in:
parent
ffc1ec73b3
commit
7e3607996a
3
TODO
3
TODO
@ -1004,9 +1004,6 @@ Features:
|
||||
file to move there, since it is managed by privileged code (i.e. homed) and
|
||||
not unprivileged code.
|
||||
|
||||
* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
|
||||
that hooks up userdbctl ssh-key stuff.
|
||||
|
||||
* maybe add support for binding and connecting AF_UNIX sockets in the file
|
||||
system outside of the 108ch limit. When connecting, open O_PATH fd to socket
|
||||
inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
|
||||
|
@ -198,6 +198,11 @@ if pamconfdir == ''
|
||||
pamconfdir = prefixdir / 'lib/pam.d'
|
||||
endif
|
||||
|
||||
sshdconfdir = get_option('sshdconfdir')
|
||||
if sshdconfdir == ''
|
||||
sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
|
||||
endif
|
||||
|
||||
libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
|
||||
if libcryptsetup_plugins_dir == ''
|
||||
libcryptsetup_plugins_dir = libdir / 'cryptsetup'
|
||||
@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH', prefixdir_noslash)
|
||||
conf.set_quoted('RANDOM_SEED', randomseeddir / 'random-seed')
|
||||
conf.set_quoted('RANDOM_SEED_DIR', randomseeddir)
|
||||
conf.set_quoted('RC_LOCAL_PATH', get_option('rc-local'))
|
||||
conf.set_quoted('SSHDCONFDIR', sshdconfdir)
|
||||
conf.set_quoted('SYSCONF_DIR', sysconfdir)
|
||||
conf.set_quoted('SYSCTL_DIR', sysctldir)
|
||||
conf.set_quoted('SYSTEMCTL_BINARY_PATH', bindir / 'systemctl')
|
||||
@ -2676,6 +2682,7 @@ summary({
|
||||
'SysV rc?.d directories' : sysvrcnd_path,
|
||||
'PAM modules directory' : pamlibdir,
|
||||
'PAM configuration directory' : pamconfdir,
|
||||
'ssh configuration directory' : sshdconfdir,
|
||||
'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
|
||||
'RPM macros directory' : rpmmacrosdir,
|
||||
'modprobe.d directory' : modprobedir,
|
||||
|
@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
|
||||
description : 'directory for PAM modules')
|
||||
option('pamconfdir', type : 'string',
|
||||
description : 'directory for PAM configuration ["no" disables]')
|
||||
option('sshdconfdir', type : 'string',
|
||||
description : 'directory for SSH server configuration ["no" disables]')
|
||||
option('libcryptsetup-plugins-dir', type : 'string',
|
||||
description : 'directory for libcryptsetup plugins')
|
||||
option('docdir', type : 'string',
|
||||
|
6
src/userdb/20-systemd-userdb.conf.in
Normal file
6
src/userdb/20-systemd-userdb.conf.in
Normal file
@ -0,0 +1,6 @@
|
||||
# SPDX-License-Identifier: LGPL-2.1-or-later
|
||||
#
|
||||
# Make sure SSH authorized keys recorded in user records can be consumed by SSH
|
||||
#
|
||||
AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
|
||||
AuthorizedKeysCommandUser root
|
@ -23,3 +23,16 @@ executables += [
|
||||
'dependencies' : threads,
|
||||
},
|
||||
]
|
||||
|
||||
custom_target(
|
||||
'20-systemd-userdb.conf',
|
||||
input : '20-systemd-userdb.conf.in',
|
||||
output : '20-systemd-userdb.conf',
|
||||
command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
|
||||
install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
|
||||
install_dir : libexecdir / 'sshd_config.d')
|
||||
|
||||
install_emptydir(sshdconfdir)
|
||||
|
||||
meson.add_install_script(sh, '-c',
|
||||
ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
|
||||
|
10
tmpfiles.d/20-systemd-userdb.conf.in
Normal file
10
tmpfiles.d/20-systemd-userdb.conf.in
Normal file
@ -0,0 +1,10 @@
|
||||
# This file is part of systemd.
|
||||
#
|
||||
# systemd is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU Lesser General Public License as published by
|
||||
# the Free Software Foundation; either version 2.1 of the License, or
|
||||
# (at your option) any later version.
|
||||
|
||||
# See tmpfiles.d(5) for details
|
||||
|
||||
L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
|
@ -34,6 +34,7 @@ in_files = [['etc.conf', ''],
|
||||
['static-nodes-permissions.conf', ''],
|
||||
['systemd.conf', ''],
|
||||
['var.conf', ''],
|
||||
['20-systemd-userdb.conf', 'ENABLE_USERDB'],
|
||||
]
|
||||
|
||||
foreach pair : in_files
|
||||
|
Loading…
Reference in New Issue
Block a user