How do I extend openssh-service-type?

  • Done
Details
3 participants
  • Edouard Klein
  • Oleg Pykhalov
  • Ludovic Courtès
Owner
unassigned
Submitted by
Oleg Pykhalov
Severity
normal
Oleg Pykhalov wrote on 11 May 2022 09:37
To: Edouard Klein <edk@beaver-labs.com>
Message-ID: 87r150o6zj.fsf@gmail.com
Hi,

Edouard Klein <edk@beaver-labs.com> writes:

> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote

[…]

Seems like the extend-openssh-authorized-keys procedure does not use the
keys argument. We could fix it like:
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 7fbbe383e5..4bb3969b95 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
(openssh-configuration
(inherit config)
(authorized-keys
- (match (openssh-configuration-authorized-keys config)
+ (match (append (openssh-configuration-authorized-keys config) keys)
(((users _ ...) ...)
;; Build a user/key-list mapping.
(let ((user-keys (alist->vhash
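Review bot: the `append` on the changed `match` line concatenates the two lists but does not merge entries for a user who appears both in the configuration and in an extension, so such a user yields two `(user key ...)` entries; and since the pattern `(((users _ ...) ...)` binds only the user names and discards the key files into `_ ...`, the `user-keys` vhash built by `alist->vhash` on the next line must also be fed the appended list rather than only `(openssh-configuration-authorized-keys config)`, otherwise users contributed by extensions end up in the mapping with no key files behind them. Consider binding the appended list once, e.g. `(let ((keys (append (openssh-configuration-authorized-keys config) keys))) (match keys ...))`, and building the vhash from that binding.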


Oleg.

Ludovic Courtès wrote on 25 May 2022 14:06
Re: bug#55359: How do I extend openssh-service-type?
To: Oleg Pykhalov <go.wigust@gmail.com>
Message-ID: 874k1dizph.fsf@gnu.org
Hi,

Oleg Pykhalov <go.wigust@gmail.com> writes:

> Seems like the extend-openssh-authorized-keys procedure does not use the
> keys argument. We could fix it like:
>
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 7fbbe383e5..4bb3969b95 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
> (openssh-configuration
> (inherit config)
> (authorized-keys
> - (match (openssh-configuration-authorized-keys config)
> + (match (append (openssh-configuration-authorized-keys config) keys)
> (((users _ ...) ...)
> ;; Build a user/key-list mapping.
> (let ((user-keys (alist->vhash

Indeed. Please push!

Thanks,
Ludo’.
Oleg Pykhalov wrote on 26 May 2022 07:40
To: 55359-done@debbugs.gnu.org
Message-ID: 87bkvk3l8o.fsf@gmail.com
Hi,

Ludovic Courtès <ludo@gnu.org> writes:

> Oleg Pykhalov <go.wigust@gmail.com> writes:
>
>> Seems like the extend-openssh-authorized-keys procedure does not use the
>> keys argument. We could fix it like:
>>
>> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
>> index 7fbbe383e5..4bb3969b95 100644
>> --- a/gnu/services/ssh.scm
>> +++ b/gnu/services/ssh.scm
>> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>> (openssh-configuration
>> (inherit config)
>> (authorized-keys
>> - (match (openssh-configuration-authorized-keys config)
>> + (match (append (openssh-configuration-authorized-keys config) keys)
>> (((users _ ...) ...)
>> ;; Build a user/key-list mapping.
>> (let ((user-keys (alist->vhash
>
> Indeed. Please push!

Pushed as 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293.

> Edouard Klein <edk@beaver-labs.com> writes:
>
> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote

Edouard, you should be able to extend the service after the ‘guix pull’.

Oleg.

Closed
Ludovic Courtès wrote on 26 May 2022 16:44
To: Oleg Pykhalov <go.wigust@gmail.com>
Message-ID: 87ee0gfj4z.fsf@gnu.org
Hi,

Oleg Pykhalov <go.wigust@gmail.com> writes:

>> (service-extension openssh-service-type
>> (const `(("charlie"
>> ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like the extend-openssh-authorized-keys procedure does not use the
> keys argument. We could fix it like:

For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).

How come nobody noticed then?

The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory. That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.

Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock yourself out.

Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
recommended before you’re locked out!

Thanks,
Ludo’.
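As an added illustration of the merge Ludovic describes (this is not Guix's own code and not the code of either commit), here is a stand-alone Guile Scheme model of merging the configuration's authorized keys with keys brought by extensions so that the key files are kept, followed by a check that refuses a mapping in which some user would end up with an empty key list and be locked out. The procedure names `merge-authorized-keys` and `check-no-empty-key-lists`, and the sample user and key file names, are assumptions; Guix entries carry file-like objects where this model uses plain strings.

```scheme
;; Added example, not Guix's own code: a stand-alone model of merging the
;; service's authorized keys with keys brought by service extensions.
;; Each entry is (USER KEY-FILE ...), the shape used by openssh-configuration.
(use-modules (ice-9 match)
             (srfi srfi-1))

;; Hypothetical helper: merge two lists of (user key ...) entries into one
;; list where every user appears once with all of their key files, in the
;; order the entries were given.  Key files are kept, never discarded.
(define (merge-authorized-keys config-keys extension-keys)
  (fold (lambda (entry result)
          (match entry
            ((user keys ...)
             (if (assoc user result)
                 ;; Known user: append the new key files to that entry.
                 (map (lambda (e)
                        (if (string=? (car e) user)
                            (cons user (append (cdr e) keys))
                            e))
                      result)
                 ;; New user: add an entry at the end.
                 (append result (list (cons user keys)))))))
        '()
        (append config-keys extension-keys)))

;; Hypothetical sanity check: a user mapped to no key files would receive
;; an empty authorized_keys file and be locked out, so refuse that result.
(define (check-no-empty-key-lists mapping)
  (for-each (match-lambda
              ((user) (error "no authorized key files for user" user))
              ((_ _ ...) #t))
            mapping)
  mapping)

;; Constructed sample input: the base configuration already authorizes
;; alice and bob; extensions add a key for charlie and a second one for bob.
(define config-keys
  '(("alice" "alice.pub")
    ("bob" "bob-laptop.pub")))

(define extension-keys
  '(("charlie" "charlie.pub")
    ("bob" "bob-desktop.pub")))

(write (check-no-empty-key-lists
        (merge-authorized-keys config-keys extension-keys)))
(newline)
```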
Edouard Klein wrote on 31 May 2022 19:05
To: Ludovic Courtès <ludo@gnu.org>
Message-ID: 87v8tl7hrz.fsf@rdklein.fr
Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome!

Cheers,

Edouard.
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Oleg Pykhalov <go.wigust@gmail.com> writes:
>
>>> (service-extension openssh-service-type
>>> (const `(("charlie"
>>> ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like the extend-openssh-authorized-keys procedure does not use the
>> keys argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory. That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.
This issue is archived.
