unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
* How do I extend openssh-service-type ?
@ 2022-05-10 21:07 Edouard Klein
  2022-05-11  7:37 ` bug#55359: " Oleg Pykhalov
  0 siblings, 1 reply; 5+ messages in thread
From: Edouard Klein @ 2022-05-10 21:07 UTC (permalink / raw)
  To: help-guix

Hi !

I'm trying to make sense of:
https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype

#+begin_quote
This service can be extended with extra authorized keys, as in this example:

(service-extension openssh-service-type
                   (const `(("charlie"
                             ,(local-file "charlie.pub")))))
#+end_quote

My goal is to do exactly that: add a public key to a user of an
operating system whose openssh-service-type is already configured
elsewhere.

I can do it by going to this "elsewhere" and adding the

("charlie"  ,(local-file "charlie.pub"))

in the authorized-keys field of the openssh-configuration, but when I
try to extend the service, the key is just ignored and does not appear
in /etc/ssh/authorized-keys.d/

I've tried adding a simple-service to the operating-system declaration
like so:

#+begin_src scheme
  (simple-service
   (format #f "ssh keys for user ~a" "toto")
   openssh-service-type
   (list
    `("toto" ,(local-file "toto.pub"))))
#+end_src

I also tried the verbose version:

#+begin_src scheme
 (service (service-type
                  (name 'tamereenslip)
                  (extensions
                   (list
                    (service-extension openssh-service-type
                                       (const `(("toto"
                                                 ,(local-file "toto.pub")))))))) #f)
#+end_src

I'm at my wit's end. I could not find any examples online or by grepping
the source code.

Has anybody ever been successful in extending the openssh-service ? If
so, could I please see your code ?

Thanks,

Edouard.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#55359: How do I extend openssh-service-type ?
  2022-05-10 21:07 How do I extend openssh-service-type ? Edouard Klein
@ 2022-05-11  7:37 ` Oleg Pykhalov
  2022-05-25 12:06   ` Ludovic Courtès
  2022-05-26 14:44   ` Ludovic Courtès
  0 siblings, 2 replies; 5+ messages in thread
From: Oleg Pykhalov @ 2022-05-11  7:37 UTC (permalink / raw)
  To: Edouard Klein; +Cc: 55359, help-guix

[-- Attachment #1: Type: text/plain, Size: 1234 bytes --]

Hi,

Edouard Klein <edk@beaver-labs.com> writes:

> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
>                    (const `(("charlie"
>                              ,(local-file "charlie.pub")))))
> #+end_quote

[…]

Seems like extend-openssh-authorized-keys procedure does not use keys
argument. We could fix it like:
--8<---------------cut here---------------start------------->8---
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 7fbbe383e5..4bb3969b95 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
   (openssh-configuration
    (inherit config)
    (authorized-keys
-    (match (openssh-configuration-authorized-keys config)
+    (match (append (openssh-configuration-authorized-keys config) keys)
       (((users _ ...) ...)
        ;; Build a user/key-list mapping.
        (let ((user-keys (alist->vhash
--8<---------------cut here---------------end--------------->8---


Oleg.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 861 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#55359: How do I extend openssh-service-type ?
  2022-05-11  7:37 ` bug#55359: " Oleg Pykhalov
@ 2022-05-25 12:06   ` Ludovic Courtès
  2022-05-26 14:44   ` Ludovic Courtès
  1 sibling, 0 replies; 5+ messages in thread
From: Ludovic Courtès @ 2022-05-25 12:06 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: 55359, help-guix, Edouard Klein

Hi,

Oleg Pykhalov <go.wigust@gmail.com> skribis:

> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
>
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 7fbbe383e5..4bb3969b95 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>    (openssh-configuration
>     (inherit config)
>     (authorized-keys
> -    (match (openssh-configuration-authorized-keys config)
> +    (match (append (openssh-configuration-authorized-keys config) keys)
>        (((users _ ...) ...)
>         ;; Build a user/key-list mapping.
>         (let ((user-keys (alist->vhash

Indeed.  Please push!

Thanks,
Ludo’.




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: bug#55359: How do I extend openssh-service-type ?
  2022-05-11  7:37 ` bug#55359: " Oleg Pykhalov
  2022-05-25 12:06   ` Ludovic Courtès
@ 2022-05-26 14:44   ` Ludovic Courtès
  2022-05-31 17:05     ` Edouard Klein
  1 sibling, 1 reply; 5+ messages in thread
From: Ludovic Courtès @ 2022-05-26 14:44 UTC (permalink / raw)
  To: Oleg Pykhalov; +Cc: Edouard Klein, 55359, help-guix

Hi,

Oleg Pykhalov <go.wigust@gmail.com> skribis:

>> (service-extension openssh-service-type
>>                    (const `(("charlie"
>>                              ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:

For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).

How come nobody noticed then?

The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory.  That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.

Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock yourself out.

Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b.  Reconfiguration
recommended before you’re locked out!

Thanks,
Ludo’.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: bug#55359: How do I extend openssh-service-type ?
  2022-05-26 14:44   ` Ludovic Courtès
@ 2022-05-31 17:05     ` Edouard Klein
  0 siblings, 0 replies; 5+ messages in thread
From: Edouard Klein @ 2022-05-31 17:05 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Oleg Pykhalov, 55359, help-guix

Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome !

Cheers,

Edouard.
Ludovic Courtès <ludo@gnu.org> writes:

> Hi,
>
> Oleg Pykhalov <go.wigust@gmail.com> skribis:
>
>>> (service-extension openssh-service-type
>>>                    (const `(("charlie"
>>>                              ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory.  That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b.  Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-05-31 17:08 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-10 21:07 How do I extend openssh-service-type ? Edouard Klein
2022-05-11  7:37 ` bug#55359: " Oleg Pykhalov
2022-05-25 12:06   ` Ludovic Courtès
2022-05-26 14:44   ` Ludovic Courtès
2022-05-31 17:05     ` Edouard Klein

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).