* Manage ssh public keys?
From: Joe Hillenbrand @ 2015-04-09 1:01 UTC
To: guix-devel

Is there a way to manage users' ssh public keys via the operating-system
configuration?

* Re: Manage ssh public keys?
From: David Thompson @ 2015-04-09 11:51 UTC
To: Joe Hillenbrand, guix-devel

Joe Hillenbrand <joehillen@gmail.com> writes:

> Is there a way to manage users' ssh public keys via the operating-system
> configuration?

Our <user-account> type in gnu/system/shadow.scm doesn't provide such a
thing. Perhaps we could provide some generic facility for specifying
per-user files. Thoughts?

--
David Thompson
Web Developer - Free Software Foundation - http://fsf.org
GPG Key: 0FF1D807
Support the FSF: https://fsf.org/donate

* Re: Manage ssh public keys?
From: Ludovic Courtès @ 2015-04-09 12:00 UTC
To: Joe Hillenbrand; +Cc: guix-devel

Joe Hillenbrand <joehillen@gmail.com> skribis:

> Is there a way to manage users' ssh public keys via the operating-system
> configuration?

No (not yet?). I guess you mean the authorized keys, right?

It would be nice to have something like that, especially for automated
deployment scenarios.

(For multi-user machine scenarios, it may be less useful: users may
prefer to manage authorized keys by themselves rather than relying on
the admin to do that.)

Thanks,
Ludo’.

* Re: Manage ssh public keys?
From: Joe Hillenbrand @ 2015-04-09 15:34 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Thu, Apr 9, 2015 at 5:00 AM, Ludovic Courtès <ludo@gnu.org> wrote:
>
> No (not yet?). I guess you mean the authorized keys, right?

Yes

> It would be nice to have something like that, especially for automated
> deployment scenarios.

That is specifically the scenario I am building for. I am also trying
to build testing VMs that need to be able to ssh after the images boot
up.

How do you suggest this functionality should be added?

NixOS has the "openssh.authorizedKeys.keys" setting, but I don't think
that translates to Guix.
https://nixos.org/nixos/manual/sec-user-management.html

* Re: Manage ssh public keys?
From: Ludovic Courtès @ 2015-04-09 19:29 UTC
To: Joe Hillenbrand; +Cc: guix-devel

Joe Hillenbrand <joehillen@gmail.com> skribis:

> On Thu, Apr 9, 2015 at 5:00 AM, Ludovic Courtès <ludo@gnu.org> wrote:
>>
>> No (not yet?). I guess you mean the authorized keys, right?
>
> Yes
>
>> It would be nice to have something like that, especially for automated
>> deployment scenarios.
>
> That is specifically the scenario I am building for. I am also trying
> to build testing VMs that need to be able to ssh after the images boot
> up.
>
> How do you suggest this functionality should be added?
>
> NixOS has the "openssh.authorizedKeys.keys" setting, but I don't think
> that translates to Guix.
> https://nixos.org/nixos/manual/sec-user-management.html

No, indeed.

As discussed on IRC, there are several issues, such as the choice of the
SSH implementation (lshd uses ‘lsh-authorize’ to add authorized keys,
not ~/.ssh/authorized_keys.) That complicates things.

However, as David suggests, we could have a per-account list of files to
install. I can imagine something like:

  (user-account
    (name "joe")
    ;; ...
    (files `((".ssh/authorized_keys" ,(local-file "my-authorized-keys"))
             (".emacs.d/foo.el" ,(local-file "foo.el")))))

Now, how should that be handled upon ‘reconfigure’? By just overriding
those files? Probably, I guess.

Also, should they be symlinks to the store or copies?

Ludo’.

* Re: Manage ssh public keys?
From: 宋文武 @ 2015-04-10 9:28 UTC
To: Ludovic Courtès, Joe Hillenbrand; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> As discussed on IRC, there are several issues, such as the choice of the
> SSH implementation (lshd uses ‘lsh-authorize’ to add authorized keys,
> not ~/.ssh/authorized_keys.) That complicates things.
>
> However, as David suggests, we could have a per-account list of files to
> install. I can imagine something like:
>
>   (user-account
>     (name "joe")
>     ;; ...
>     (files `((".ssh/authorized_keys" ,(local-file "my-authorized-keys"))
>              (".emacs.d/foo.el" ,(local-file "foo.el")))))
>
> Now, how should that be handled upon ‘reconfigure’? By just overriding
> those files? Probably, I guess.
>
> Also, should they be symlinks to the store or copies?

How about using symlinks, but:
- create them if they do not exist.
- update them if they are symlinks to /gnu/store.
- warn and do nothing about them if they aren't symlinks to store.

So users won't lose the changes they made.

>
> Ludo’.

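The three rules proposed in the message above, written out as a Guile procedure (an added example, not part of the thread and not Guix code; `install-managed-link`, `%store-prefix` and the sample store file names are assumptions made for the illustration). The action it returns depends on what is already at the link path, which it inspects with lstat so that the link itself is examined rather than its target.

```scheme
;; Added example, not Guix code.  `install-managed-link', `%store-prefix'
;; and the sample paths below are hypothetical names for illustration.
(define %store-prefix "/gnu/store/")

(define (install-managed-link target link)
  "Point LINK at TARGET following the three proposed rules.  Return the
action taken: 'created, 'updated or 'skipped."
  (let ((st (false-if-exception (lstat link))))  ;lstat does not follow LINK
    (cond ((not st)                              ;rule 1: nothing there yet
           (symlink target link)
           'created)
          ((and (eq? 'symlink (stat:type st))    ;rule 2: link into the store
                (string-prefix? %store-prefix (readlink link)))
           ;; Build the new link beside the old one and rename it into
           ;; place, so LINK never disappears during the update.
           (let ((tmp (string-append link ".new")))
             (false-if-exception (delete-file tmp))
             (symlink target tmp)
             (rename-file tmp link))
           'updated)
          (else                                  ;rule 3: not ours, keep it
           (format (current-error-port)
                   "warning: ~a is not a symlink to the store, left as is~%"
                   link)
           'skipped))))

;; Demonstration in a scratch directory.  The store file names are
;; constructed; they need not exist because only the links are inspected.
(define dir
  (string-append "/tmp/managed-link-demo-" (number->string (getpid))))
(mkdir dir)
(define link (string-append dir "/authorized_keys"))

(let* ((first  (install-managed-link "/gnu/store/aaaa-my-authorized-keys" link))
       (second (install-managed-link "/gnu/store/bbbb-my-authorized-keys" link))
       (third  (begin
                 ;; Replace the link with a regular file, as a user
                 ;; editing authorized_keys by hand would.
                 (delete-file link)
                 (call-with-output-file link
                   (lambda (port)
                     (display "constructed user-managed content\n" port)))
                 (install-managed-link "/gnu/store/cccc-my-authorized-keys"
                                       link))))
  (format #t "~s~%" (list first second third)))
```
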
* Re: Manage ssh public keys?
From: Ludovic Courtès @ 2015-04-10 14:21 UTC
To: 宋文武; +Cc: guix-devel

宋文武 <iyzsong@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> As discussed on IRC, there are several issues, such as the choice of the
>> SSH implementation (lshd uses ‘lsh-authorize’ to add authorized keys,
>> not ~/.ssh/authorized_keys.) That complicates things.
>>
>> However, as David suggests, we could have a per-account list of files to
>> install. I can imagine something like:
>>
>>   (user-account
>>     (name "joe")
>>     ;; ...
>>     (files `((".ssh/authorized_keys" ,(local-file "my-authorized-keys"))
>>              (".emacs.d/foo.el" ,(local-file "foo.el")))))
>>
>> Now, how should that be handled upon ‘reconfigure’? By just overriding
>> those files? Probably, I guess.
>>
>> Also, should they be symlinks to the store or copies?
> How about using symlinks, but:
> - create them if they do not exist.
> - update them if they are symlinks to /gnu/store.
> - warn and do nothing about them if they aren't symlinks to store.

The problem is that that would be stateful, and thus not reproducible.
So I think conditionals like this are not desirable.

Ludo’.

* Re: Manage ssh public keys?
From: David Thompson @ 2015-04-10 14:24 UTC
To: Ludovic Courtès, 宋文武; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> 宋文武 <iyzsong@gmail.com> skribis:
>
>> Ludovic Courtès <ludo@gnu.org> writes:
>>
>>> As discussed on IRC, there are several issues, such as the choice of the
>>> SSH implementation (lshd uses ‘lsh-authorize’ to add authorized keys,
>>> not ~/.ssh/authorized_keys.) That complicates things.
>>>
>>> However, as David suggests, we could have a per-account list of files to
>>> install. I can imagine something like:
>>>
>>>   (user-account
>>>     (name "joe")
>>>     ;; ...
>>>     (files `((".ssh/authorized_keys" ,(local-file "my-authorized-keys"))
>>>              (".emacs.d/foo.el" ,(local-file "foo.el")))))
>>>
>>> Now, how should that be handled upon ‘reconfigure’? By just overriding
>>> those files? Probably, I guess.
>>>
>>> Also, should they be symlinks to the store or copies?
>> How about using symlinks, but:
>> - create them if they do not exist.
>> - update them if they are symlinks to /gnu/store.
>> - warn and do nothing about them if they aren't symlinks to store.
>
> The problem is that that would be stateful, and thus not reproducible.
> So I think conditionals like this are not desirable.

+1

--
David Thompson
Web Developer - Free Software Foundation - http://fsf.org
GPG Key: 0FF1D807
Support the FSF: https://fsf.org/donate

* Re: Manage ssh public keys?
From: Joe Hillenbrand @ 2015-04-10 16:47 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Fri, Apr 10, 2015 at 7:21 AM, Ludovic Courtès <ludo@gnu.org> wrote:
>> How about using symlinks, but:
>> - create them if they do not exist.
>> - update them if they are symlinks to /gnu/store.
>> - warn and do nothing about them if they aren't symlinks to store.
>
> The problem is that that would be stateful, and thus not reproducible.
> So I think conditionals like this are not desirable.
>
> Ludo’.

Something to keep in mind is what a user means when they add a "files"
argument to user-account. I take this to mean "I want the operating
system configurations to manage this file, not the user", which to me
means, clobber a file if it is already there and symlink it to
/gnu/store.

The question then is, what happens when the configuration changes from
having a "files" argument to not having one. What happens to the
links?

Also on the topic of a "files" option, what about managing a
collection of files, like a directory of dotfiles or ~/.emacs? Would
it be possible to use this option with something like "git-fetch"?

* Re: Manage ssh public keys?
From: Ludovic Courtès @ 2015-04-10 20:17 UTC
To: Joe Hillenbrand; +Cc: guix-devel

Joe Hillenbrand <joehillen@gmail.com> skribis:

> Something to keep in mind is what a user means when they add a "files"
> argument to user-account. I take this to mean "I want the operating
> system configurations to manage this file, not the user", which to me
> means, clobber a file if it is already there and symlink it to
> /gnu/store.

Yes.

> The question then is, what happens when the configuration changes from
> having a "files" argument to not having one. What happens to the
> links?

Good point. I’d say we just remove the symlinks.

> Also on the topic of a "files" option, what about managing a
> collection of files, like a directory of dotfiles or ~/.emacs? Would
> it be possible to use this option with something like "git-fetch"?

It would be possible yes. Behind the scenes it would use gexp, so any
object whose type has a “gexp compiler” can be used (this includes
<package>, <origin>, and <local-file>.)

I’ll see what I can do if nobody beats me at it.

Thanks,
Ludo’.

* Re: Manage ssh public keys?
From: David Thompson @ 2015-04-10 20:45 UTC
To: Ludovic Courtès, Joe Hillenbrand; +Cc: guix-devel

Ludovic Courtès <ludo@gnu.org> writes:

> Joe Hillenbrand <joehillen@gmail.com> skribis:
>
>> The question then is, what happens when the configuration changes from
>> having a "files" argument to not having one. What happens to the
>> links?
>
> Good point. I’d say we just remove the symlinks.

Agreed, but how do we do the diff such that we know to remove them?

--
David Thompson
Web Developer - Free Software Foundation - http://fsf.org
GPG Key: 0FF1D807
Support the FSF: https://fsf.org/donate

* Re: Manage ssh public keys?
From: Ludovic Courtès @ 2015-04-11 19:55 UTC
To: David Thompson; +Cc: guix-devel

David Thompson <dthompson2@worcester.edu> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Joe Hillenbrand <joehillen@gmail.com> skribis:
>>
>>> The question then is, what happens when the configuration changes from
>>> having a "files" argument to not having one. What happens to the
>>> links?
>>
>> Good point. I’d say we just remove the symlinks.
>
> Agreed, but how do we do the diff such that we know to remove them?

Good point as well! I guess they may just be left there until someone
removes them. I don’t think we can actually do better, can we?

Ludo’.