Subject: [bug#27837] [PATCH 0/1] SSH service supports the definition of authorized keys
Date: Wed, 26 Jul 2017 13:39:50 +0000
From: ng0
To: Ludovic Courtès
Cc: 27837@debbugs.gnu.org
Message-ID: <20170726133950.p6saprt5defbmjpd@abyayala>
In-Reply-To: <20170726131048.9603-1-ludo@gnu.org>

Ludovic Courtès transcribed 0.9K bytes:
> Hello!
>
> This patch adds an 'authorized-keys' field to 'openssh-configuration',
> which allows users to define per-user authorized keys.
>
> There are some shenanigans due to the fact that 'sshd' ignores
> authorized key files that are more than owner-writable, or that have a
> parent directory that is more than owner-writable. Since /gnu/store is
> group-writable (for "guixbuild"), we have to copy the authorized-key
> directory to /etc/ssh and set the right permissions there.
>
> Eventually, I'd like to make 'openssh-service-type' extensible with more
> authorized keys, which we can use to implement things like the
> "sysadmin" API we have for the build farm.
>
> Thoughts?

Nice! I have to use it to see if I like it, but the theory is good.
I'll reconfigure a system with this tomorrow.

> Thanks,
> Ludo'.
>
> Ludovic Courtès (1):
>   services: openssh: Add 'authorized-keys' field.
>
>  doc/guix.texi        | 24 +++++++++++++--
>  gnu/services/ssh.scm | 86 +++++++++++++++++++++++++++++++++++++++++-----------
>  2 files changed, 91 insertions(+), 19 deletions(-)
>
> --
> 2.13.3

--
ng0
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://n0is.noblogs.org/my-keys
https://www.infotropique.org
https://krosos.org
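
The permission rule described in the quoted cover letter, modelled as an added example (not code from the patch, from Guix or from OpenSSH): a key file is rejected when it, or any parent directory, is writable by group or others. The function names, the temporary directory tree and the key line are constructed for illustration, and only the write-permission rule stated in the mail is modelled.

```python
import os
import shutil
import stat
import tempfile


def too_writable(path, stop_at):
    """Return [(path, mode)] for `path` and every ancestor up to `stop_at`
    (inclusive) that is writable by group or others."""
    path, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    if os.path.commonpath([path, stop_at]) != stop_at:
        raise ValueError("path must be located below stop_at")
    findings = []
    while True:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, mode))
        if path == stop_at:
            return findings
        path = os.path.dirname(path)


def make_dir(path, mode):
    """mkdir followed by chmod, so the result does not depend on the umask."""
    os.mkdir(path)
    os.chmod(path, mode)
    return path


def demo():
    """Constructed tree: a key under a group-writable 'store', then copied to 'etc/ssh'."""
    root = os.path.realpath(tempfile.mkdtemp())  # mkdtemp creates it with mode 0700
    try:
        store = make_dir(os.path.join(root, "store"), 0o775)  # group-writable parent
        src = os.path.join(make_dir(os.path.join(store, "keys"), 0o755), "alice")
        with open(src, "w") as f:
            f.write("ssh-ed25519 AAAA-constructed-key alice@example\n")
        os.chmod(src, 0o444)
        etc = make_dir(os.path.join(root, "etc"), 0o755)
        dest_dir = make_dir(os.path.join(etc, "ssh"), 0o755)
        dest = os.path.join(dest_dir, "alice")
        shutil.copyfile(src, dest)  # copies the content only, not the permissions
        os.chmod(dest, 0o644)
        rel = lambda found: [(os.path.relpath(p, root), oct(m)) for p, m in found]
        return rel(too_writable(src, root)), rel(too_writable(dest, root))
    finally:
        shutil.rmtree(root)
```

`demo()` returns the findings for the store copy and for the `etc/ssh` copy: the read-only key under `store` is still flagged because of its group-writable ancestor, while the copy is clean.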