Subject: [bug#27837] [PATCH 0/1] SSH service supports the definition of authorized keys
From: Ludovic Courtès
Date: Wed, 26 Jul 2017 15:10:48 +0200
Message-Id: <20170726131048.9603-1-ludo@gnu.org>
To: 27837@debbugs.gnu.org

Hello!

This patch adds an 'authorized-keys' field to 'openssh-configuration',
which allows users to define per-user authorized keys.

There are some shenanigans due to the fact that 'sshd' ignores
authorized key files that are more than owner-writable, or that have a
parent directory that is more than owner-writable. Since /gnu/store is
group-writable (for "guixbuild"), we have to copy the authorized-key
directory to /etc/ssh and set the right permissions there.

Eventually, I'd like to make 'openssh-service-type' extensible with more
authorized keys, which we can use to implement things like the
"sysadmin" API we have for the build farm.

Thoughts?

Thanks,
Ludo'.

Ludovic Courtès (1):
  services: openssh: Add 'authorized-keys' field.

 doc/guix.texi        | 24 +++++++++++++--
 gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 91 insertions(+), 19 deletions(-)

-- 
2.13.3
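
The permission rule described in the message above, as an added example (not part of the original message or of the Guix patch): it approximates the owner and mode check that sshd applies to an authorized-keys file and each parent directory, and runs it on constructed directories standing in for /gnu/store and /etc/ssh. The `0o022` mask, the function names, the directory names and the sample key line are assumptions of this sketch.

```python
import os
import shutil
import stat
import tempfile

def insecure_components(path, stop, uid=None):
    """List (path, reason) for every component between `path` and `stop`
    (exclusive) that a StrictModes-style check would reject."""
    uid = os.getuid() if uid is None else uid
    cur, stop = os.path.realpath(path), os.path.realpath(stop)
    problems = []
    while cur != stop and cur != os.path.dirname(cur):
        st = os.stat(cur)
        if st.st_uid not in (0, uid):           # must belong to root or the user
            problems.append((cur, "bad owner"))
        if st.st_mode & 0o022:                  # group- or world-writable
            problems.append((cur, "mode %o" % stat.S_IMODE(st.st_mode)))
        cur = os.path.dirname(cur)
    return problems

def demo():
    """Return (rejected components before the copy, problems after the copy)."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        # Constructed stand-in for the store: the top directory is group-writable.
        store = os.path.join(root, "store")
        item = os.path.join(store, "authorized-keys")
        os.makedirs(item)
        key = os.path.join(item, "alice")
        with open(key, "w") as f:
            f.write("ssh-ed25519 AAAA-constructed-key alice@example\n")
        os.chmod(key, 0o444)
        os.chmod(item, 0o755)
        os.chmod(store, 0o1775)
        before = insecure_components(key, root)

        # Workaround from the message: copy the directory and tighten the modes.
        etc = os.path.join(root, "etc_ssh")     # constructed stand-in for /etc/ssh
        dest = os.path.join(etc, "keys")        # hypothetical directory name
        shutil.copytree(item, dest)
        for d in (etc, dest):
            os.chmod(d, 0o755)
        copied = os.path.join(dest, "alice")
        os.chmod(copied, 0o644)
        after = insecure_components(copied, root)
        return [os.path.relpath(p, root) for p, _ in before], after

if __name__ == "__main__":
    print(demo())
```

The key file and its own directory pass the check in both layouts; only the group-writable ancestor causes the rejection, which is why the files are copied rather than just re-chmodded.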