[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: bug#55359: How do I extend openssh-service-type ?
From: |
Ludovic Courtès |
Subject: |
Re: bug#55359: How do I extend openssh-service-type ? |
Date: |
Thu, 26 May 2022 16:44:44 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
Hi,
Oleg Pykhalov <go.wigust@gmail.com> skribis:
>> (service-extension openssh-service-type
>> (const `(("charlie"
>> ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
How come nobody noticed then?
The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory. That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.
Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock yourself out.
Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b. Reconfiguration
recommended before you’re locked out!
Thanks,
Ludo’.