* How do I extend openssh-service-type ?
@ 2022-05-10 21:07 Edouard Klein
From: Edouard Klein @ 2022-05-10 21:07 UTC (permalink / raw)
To: help-guix
Hi!
I'm trying to make sense of:
https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
#+begin_quote
This service can be extended with extra authorized keys, as in this example:

(service-extension openssh-service-type
                   (const `(("charlie"
                             ,(local-file "charlie.pub")))))
#+end_quote
My goal is to do exactly that: add a public key to a user of an
operating system whose openssh-service-type is already configured
elsewhere.
I can do it by going to this "elsewhere" and adding the
("charlie" ,(local-file "charlie.pub"))
in the authorized-keys field of the openssh-configuration, but when I
try to extend the service, the key is just ignored and does not appear
in /etc/ssh/authorized-keys.d/
I've tried adding a simple-service to the operating-system declaration
like so:
#+begin_src scheme
(simple-service
 (format #f "ssh keys for user ~a" "toto")
 openssh-service-type
 (list
  `("toto" ,(local-file "toto.pub"))))
#+end_src
I also tried the verbose version:
#+begin_src scheme
(service (service-type
          (name 'tamereenslip)
          (extensions
           (list
            (service-extension openssh-service-type
                               (const `(("toto"
                                         ,(local-file "toto.pub"))))))))
         #f)
#+end_src
I'm at my wit's end. I could not find any examples online or by grepping
the source code.
Has anybody ever been successful in extending the openssh-service? If
so, could I please see your code?
Thanks,
Edouard.
* bug#55359: How do I extend openssh-service-type ?
From: Oleg Pykhalov @ 2022-05-11 7:37 UTC (permalink / raw)
To: Edouard Klein; +Cc: 55359, help-guix
Hi,
Edouard Klein <edk@beaver-labs.com> writes:
> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote
[…]
Seems like extend-openssh-authorized-keys procedure does not use keys
argument. We could fix it like:
--8<---------------cut here---------------start------------->8---
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 7fbbe383e5..4bb3969b95 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
(openssh-configuration
(inherit config)
(authorized-keys
- (match (openssh-configuration-authorized-keys config)
+ (match (append (openssh-configuration-authorized-keys config) keys)
(((users _ ...) ...)
;; Build a user/key-list mapping.
(let ((user-keys (alist->vhash
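Review bot: the hunk changes only the list handed to `match`, from which the `users` names are extracted, while the trailing context line `(let ((user-keys (alist->vhash` is cut off, so the alist the user/key mapping is built from is not visible here. If that call still uses `(openssh-configuration-authorized-keys config)` rather than the appended list, a user contributed only by an extension is matched into `users` but looks up an empty key list, which yields an empty authorized-keys file for that user. Suggest binding the appended list once, e.g. `(let ((all-keys (append (openssh-configuration-authorized-keys config) keys))) (match all-keys ...))`, and passing that same binding to `alist->vhash`.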
--8<---------------cut here---------------end--------------->8---
Oleg.
* bug#55359: How do I extend openssh-service-type ?
From: Ludovic Courtès @ 2022-05-25 12:06 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: 55359, help-guix, Edouard Klein
Hi,
Oleg Pykhalov <go.wigust@gmail.com> skribis:
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
>
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 7fbbe383e5..4bb3969b95 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
> (openssh-configuration
> (inherit config)
> (authorized-keys
> - (match (openssh-configuration-authorized-keys config)
> + (match (append (openssh-configuration-authorized-keys config) keys)
> (((users _ ...) ...)
> ;; Build a user/key-list mapping.
> (let ((user-keys (alist->vhash
Indeed. Please push!
Thanks,
Ludo’.
* bug#55359: How do I extend openssh-service-type ?
From: Oleg Pykhalov @ 2022-05-26 5:40 UTC (permalink / raw)
To: 55359-done; +Cc: Ludovic Courtès, Edouard Klein
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
> Oleg Pykhalov <go.wigust@gmail.com> skribis:
>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>>
>> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
>> index 7fbbe383e5..4bb3969b95 100644
>> --- a/gnu/services/ssh.scm
>> +++ b/gnu/services/ssh.scm
>> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>> (openssh-configuration
>> (inherit config)
>> (authorized-keys
>> - (match (openssh-configuration-authorized-keys config)
>> + (match (append (openssh-configuration-authorized-keys config) keys)
>> (((users _ ...) ...)
>> ;; Build a user/key-list mapping.
>> (let ((user-keys (alist->vhash
>
> Indeed. Please push!
Pushed as 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293.
> Edouard Klein <edk@beaver-labs.com> writes:
>
> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
> (const `(("charlie"
> ,(local-file "charlie.pub")))))
> #+end_quote
Edouard, you should be able to extend the service after the ‘guix pull’.
Oleg.
* Re: bug#55359: How do I extend openssh-service-type ?
From: Ludovic Courtès @ 2022-05-26 14:44 UTC (permalink / raw)
To: Oleg Pykhalov; +Cc: Edouard Klein, 55359, help-guix
Hi,
Oleg Pykhalov <go.wigust@gmail.com> skribis:
>> (service-extension openssh-service-type
>> (const `(("charlie"
>> ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
How come nobody noticed then?
The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory. That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.
Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock you out.
Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
recommended before you’re locked out!
Thanks,
Ludo’.
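As an added illustration of the two bugs discussed above (this is constructed example code, not the code of gnu/services/ssh.scm and not part of the thread), here is a stand-alone Guile model of the user/key coalescing step, with plain strings standing in for the `local-file` objects; `coalesce-authorized-keys`, the three `extend-*` variants, `users-without-keys` and the sample key lists are all assumptions made here.

```scheme
(use-modules (ice-9 match)
             (ice-9 vlist)
             (srfi srfi-1))

;; Coalesce ALL-KEYS, an alist of (user key ...) entries, into one entry
;; per user, looking each user's keys up in a vhash built from SOURCE-KEYS.
;; Handing in a SOURCE-KEYS that lacks the extension entries reproduces the
;; lock-out bug: the extension's user is listed, but with no keys.
(define (coalesce-authorized-keys all-keys source-keys)
  (match all-keys
    (((users _ ...) ...)
     (let ((user-keys (alist->vhash source-keys)))
       (map (lambda (user)
              `(,user ,@(concatenate (vhash-fold* cons '() user user-keys))))
            (delete-duplicates users))))))

;; Users whose coalesced entry carries no key at all: each of these would get
;; an empty authorized-keys file, i.e. no way to log in with a key.
(define (users-without-keys entries)
  (filter-map (match-lambda ((user) user) (_ #f)) entries))

;; First bug (Oct. 2021): KEYS is never consulted, extensions are ignored.
(define (extend-ignoring-keys config-keys keys)
  (coalesce-authorized-keys config-keys config-keys))

;; Second bug (commit 1f29ed4a): user names come from the appended list, but
;; the mapping is still built from the original configuration only.
(define (extend-empty-files config-keys keys)
  (coalesce-authorized-keys (append config-keys keys) config-keys))

;; Fixed: the mapping is built from the same appended list that is matched.
(define (extend-fixed config-keys keys)
  (let ((all-keys (append config-keys keys)))
    (coalesce-authorized-keys all-keys all-keys)))

;; Constructed sample data: a base configuration and one extension.
(define base-keys '(("alice" "alice.pub") ("bob" "bob.pub")))
(define extension-keys '(("charlie" "charlie.pub") ("alice" "alice-laptop.pub")))

(for-each (lambda (name extend)
            (let ((result (extend base-keys extension-keys)))
              (format #t "~a: ~s~%  users without keys: ~s~%"
                      name result (users-without-keys result))))
          '("ignoring keys" "empty files" "fixed")
          (list extend-ignoring-keys extend-empty-files extend-fixed))
```

Run with `guile` after a `guix pull` is not needed for this model; only the fixed variant lists "charlie" with a key and leaves `users-without-keys` empty.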
* Re: bug#55359: How do I extend openssh-service-type ?
From: Edouard Klein @ 2022-05-31 17:05 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: Oleg Pykhalov, 55359, help-guix
Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome!
Cheers,
Edouard.
Ludovic Courtès <ludo@gnu.org> writes:
> Hi,
>
> Oleg Pykhalov <go.wigust@gmail.com> skribis:
>
>>> (service-extension openssh-service-type
>>> (const `(("charlie"
>>> ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory. That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.