How do I extend openssh-service-type?

  • Done
Details
3 participants
  • Edouard Klein
  • Oleg Pykhalov
  • Ludovic Courtès
Owner
unassigned
Submitted by
Oleg Pykhalov
Severity
normal
Oleg Pykhalov wrote on 11 May 2022 09:37
(name . Edouard Klein)(address . edk@beaver-labs.com)
87r150o6zj.fsf@gmail.com
Hi,

Edouard Klein <edk@beaver-labs.com> writes:

> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote

[…]

Seems like extend-openssh-authorized-keys procedure does not use keys
argument. We could fix it like:
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 7fbbe383e5..4bb3969b95 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
(openssh-configuration
(inherit config)
(authorized-keys
- (match (openssh-configuration-authorized-keys config)
+ (match (append (openssh-configuration-authorized-keys config) keys)
(((users _ ...) ...)
;; Build a user/key-list mapping.
(let ((user-keys (alist->vhash
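Review bot: appending `keys` restores the dropped argument, but the match pattern `(((users _ ...) ...)` binds only the user names and discards every key file via `_ ...`, for the appended extension entries just as for the configured ones; the hunk stops before the `user-keys` vhash is filled, so check that the key files of the appended entries actually reach `alist->vhash` rather than producing empty per-user key files (Ludovic's later message in this thread reports exactly that outcome). A user named both in the configuration and in an extension will now also appear twice in the appended list, so the lookup should merge both key lists instead of letting one entry shadow the other.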


Oleg.

Ludovic Courtès wrote on 25 May 2022 14:06
Re: bug#55359: How do I extend openssh-service-type?
(name . Oleg Pykhalov)(address . go.wigust@gmail.com)
874k1dizph.fsf@gnu.org
Hi,

Oleg Pykhalov <go.wigust@gmail.com> skribis:

> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
>
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 7fbbe383e5..4bb3969b95 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
> (openssh-configuration
> (inherit config)
> (authorized-keys
> - (match (openssh-configuration-authorized-keys config)
> + (match (append (openssh-configuration-authorized-keys config) keys)
> (((users _ ...) ...)
> ;; Build a user/key-list mapping.
> (let ((user-keys (alist->vhash

Indeed. Please push!

Thanks,
Ludo’.
Oleg Pykhalov wrote on 26 May 2022 07:40
(address . 55359-done@debbugs.gnu.org)
87bkvk3l8o.fsf@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Oleg Pykhalov <go.wigust@gmail.com> skribis:
>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>>
>> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
>> index 7fbbe383e5..4bb3969b95 100644
>> --- a/gnu/services/ssh.scm
>> +++ b/gnu/services/ssh.scm
>> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>> (openssh-configuration
>> (inherit config)
>> (authorized-keys
>> - (match (openssh-configuration-authorized-keys config)
>> + (match (append (openssh-configuration-authorized-keys config) keys)
>> (((users _ ...) ...)
>> ;; Build a user/key-list mapping.
>> (let ((user-keys (alist->vhash
>
> Indeed. Please push!

Pushed as 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293.

> Edouard Klein <edk@beaver-labs.com> writes:
>
> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote

Edouard, you should be able to extend the service after the ‘guix pull’.

Oleg.

Closed
Ludovic Courtès wrote on 26 May 2022 16:44
(name . Oleg Pykhalov)(address . go.wigust@gmail.com)
87ee0gfj4z.fsf@gnu.org
Hi,

Oleg Pykhalov <go.wigust@gmail.com> skribis:

>> (service-extension openssh-service-type
>> (const `(("charlie"
>> ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:

For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).

How come nobody noticed then?

The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory. That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.

Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock yourself out.

Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
recommended before you’re locked out!

Thanks,
Ludo’.
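As an added illustration of the failure mode Ludovic describes above (example code, not Guix's own `extend-openssh-authorized-keys`): a constructed Guile Scheme merge of the configured and extension-provided authorized keys, with the key-dropping match pattern beside a merge that keeps the per-user key files. Key files are plain strings here instead of file-like objects, the sample alists are constructed, and the function names are hypothetical.

```scheme
(use-modules (ice-9 match)
             (ice-9 vlist)
             (srfi srfi-1))

;; Constructed sample data.  Key files are plain strings here; in Guix
;; they would be file-like objects such as (local-file "charlie.pub").
(define config-keys
  '(("alice" "alice.pub")
    ("bob"   "bob.pub")))

;; Keys contributed through a service extension, as in the manual's
;; example; "alice" also receives an extra key from the extension.
(define extension-keys
  '(("charlie" "charlie.pub")
    ("alice"   "alice-laptop.pub")))

;; Failure mode from the thread: the pattern binds the user names only
;; and '_ ...' drops every key file, so each user ends up with an empty
;; key list (an empty file under authorized_keys.d once written out),
;; which is how a reconfiguration can lock the administrator out.
(define (merge-authorized-keys/dropping-files config-keys keys)
  (match (append config-keys keys)
    (((users _ ...) ...)
     (map list (delete-duplicates users)))))

;; Merge that keeps the key files: build a user -> key-files vhash from
;; the combined alist and collect every file list for each distinct
;; user, so a user present in both the configuration and an extension
;; keeps the keys from both sources instead of one shadowing the other.
(define (merge-authorized-keys config-keys keys)
  (let* ((entries   (append config-keys keys))
         (user-keys (alist->vhash entries))
         (users     (delete-duplicates (map car entries))))
    (map (lambda (user)
           (cons user
                 (concatenate (vhash-fold* cons '() user user-keys))))
         users)))

;; Evaluate both at a REPL to compare the two shapes of result.
(merge-authorized-keys/dropping-files config-keys extension-keys)
(merge-authorized-keys config-keys extension-keys)
```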
Edouard Klein wrote on 31 May 2022 19:05
(name . Ludovic Courtès)(address . ludo@gnu.org)
87v8tl7hrz.fsf@rdklein.fr
Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome!

Cheers,

Edouard.
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Oleg Pykhalov <go.wigust@gmail.com> skribis:
>
>>> (service-extension openssh-service-type
>>> (const `(("charlie"
>>> ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory. That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.