GNU bug report logs - #51487: The openssh service does not allow multiple authorized key files per user
Report forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 16:17:02 GMT)
Acknowledgement sent to Vivien Kraus <vivien <at> planete-kraus.eu>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 29 Oct 2021 16:17:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Dear guix,
The openssh service is configured with a list of authorized keys, as a
list of items, where each item is a list of 2 values, the user name (as
a string) and the public key file (a file-like object). The service can
be extended with new keys.
To have multiple keys per user, we can put them on the same file-like
object, each on its own line. However, if we put two different records,
only the last one is remembered.
This is a problem if we want to extend the service for users that
already have a key. As I am trying to create a service that would
convert GPG keys to SSH keys, I am in this exact situation: the users
may have already defined SSH keys, and I want to add some more without
losing the others.
Best regards,
Vivien
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 16:45:02 GMT)
Message #8 received at 51487 <at> debbugs.gnu.org (full text, mbox):
I have a patch, what do you think?
I tested it by building an operating system of the form:
(operating-system
  ...
  (services
   (append
    (list
     (service openssh-service-type
              (openssh-configuration
               (authorized-keys
                `(("root" ,(plain-file "first-key" "ssh-rsa ..."))
                  ("root" ,(plain-file "second-key" "ssh-rsa ...")))))))))))
I caught the derivation to build the authorized-keys directory, and root
had 2 keys. Without the patch, root had only 1 key.
Vivien
[~/Projets/guix/0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (message/external-body, inline)]
[Message part 3 (text/x-patch, inline)]
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 16:47:02 GMT)
Message #11 received at 51487 <at> debbugs.gnu.org (full text, mbox):
Vivien Kraus <vivien <at> planete-kraus.eu> writes:
> I have a patch, what do you think?
>
> I tested it by building an operating system of the form:
>
> (operating-system
>   ...
>   (services
>    (append
>     (list
>      (service openssh-service-type
>               (openssh-configuration
>                (authorized-keys
>                 `(("root" ,(plain-file "first-key" "ssh-rsa ..."))
>                   ("root" ,(plain-file "second-key" "ssh-rsa ...")))))))))))
>
> I caught the derivation to build the authorized-keys directory, and root
> had 2 keys. Without the patch, root had only 1 key.
The patch wasn’t formatted correctly, sorry.
[~/Projets/guix/0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (message/external-body, inline)]
[Message part 3 (text/x-patch, inline)]
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 16:53:02 GMT)
Message #14 received at 51487 <at> debbugs.gnu.org (full text, mbox):
The patch does not seem to get formatted correctly, sorry. Hopefully,
this should work.
Vivien
[0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (text/x-patch, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 21:23:02 GMT)
Message #17 received at 51487 <at> debbugs.gnu.org (full text, mbox):
After some discussion on #guix, this seems to be the easier way to fix
the problem:
Vivien
[0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (text/x-patch, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Fri, 29 Oct 2021 21:27:02 GMT)
Message #20 received at 51487 <at> debbugs.gnu.org (full text, mbox):
On Friday 29 October 2021 at 23:22 +0200, Vivien Kraus wrote:
> After some discussion on #guix, this seems to be the easier way to fix
> the problem:
Sorry, I forgot to update the commit message.
Vivien
[0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (text/x-patch, attachment)]
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Sun, 07 Nov 2021 15:05:02 GMT)
Message #23 received at 51487 <at> debbugs.gnu.org (full text, mbox):
Hi,
Vivien Kraus <vivien <at> planete-kraus.eu> writes:
> From b2f47730a3d9aa97716741134917c340354d9c3a Mon Sep 17 00:00:00 2001
> From: Vivien Kraus <vivien <at> planete-kraus.eu>
> Date: Fri, 29 Oct 2021 18:25:24 +0200
> Subject: [PATCH] gnu: openssh-service: Collect all keys for all users.
>
> * gnu/services/ssh.scm (extend-openssh-authorized-keys): ensure that no key is forgotten.
Good catch!
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index a018052eeb..1309e062ce 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -532,10 +532,16 @@ (define (openssh-pam-services config)
>
> (define (extend-openssh-authorized-keys config keys)
> "Extend CONFIG with the extra authorized keys listed in KEYS."
> - (openssh-configuration
> - (inherit config)
> - (authorized-keys
> - (append (openssh-authorized-keys config) keys))))
> + (let ((all-keys (make-hash-table)))
> + (for-each
> + (match-lambda
> + ((user keys ...)
> + (hash-set! all-keys user (append (hash-ref all-keys user '()) keys))))
> + (append (openssh-authorized-keys config) keys))
> + (openssh-configuration
> + (inherit config)
> + (authorized-keys
> + (hash-map->list cons all-keys)))))
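Review bot: in the match-lambda pattern `((user keys ...)`, `keys` shadows the procedure's own `keys` parameter from `(define (extend-openssh-authorized-keys config keys)`; it only works because the outer `keys` has already been consumed in `(append (openssh-authorized-keys config) keys)` before the lambda runs, so renaming the inner binding (for instance `user-keys`) would avoid a confusing read. A second point on the last line: `(hash-map->list cons all-keys)` yields entries in hash bucket order, not in the order the users were declared, so the relative order of users in the resulting `authorized-keys` list is unspecified; building the output from the original user order would keep the configuration stable.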
Could you write it in functional style using a vhash (info "(guile)
VHashes")? You’ll probably need two list traversals: one to build the
user/key mapping, and one to compute the list of users.
Thanks in advance,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Sun, 07 Nov 2021 17:34:02 GMT)
Message #26 received at 51487 <at> debbugs.gnu.org (full text, mbox):
Hello,
Ludovic Courtès <ludo <at> gnu.org> writes:
> Could you write it in functional style using a vhash (info "(guile)
> VHashes")? You’ll probably need two list traversals: one to build the
> user/key mapping, and one to compute the list of users.
I thought that as the vhash data structure inherited the drawbacks of
vlist, it would not be worth using in place of a hash table, but you’re
saying that it’s still a better (more functional) data structure, noted.
Here is the new patch (and I also forgot that appending short lists to
long lists was not great, so I do all the appending at the end of the
function now).
[0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (text/x-patch, attachment)]
Vivien
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Mon, 15 Nov 2021 14:43:02 GMT)
Message #29 received at 51487 <at> debbugs.gnu.org (full text, mbox):
Hi,
Vivien Kraus <vivien <at> planete-kraus.eu> writes:
> (define (extend-openssh-authorized-keys config keys)
> "Extend CONFIG with the extra authorized keys listed in KEYS."
> - (openssh-configuration
> - (inherit config)
> - (authorized-keys
> - (append (openssh-authorized-keys config) keys))))
> + (let generate-keys
> + ((user-keys
> + (append (openssh-authorized-keys config) keys))
> + ;; The by-user vhash indexes a list of list of keys for each user, the
> + ;; list of list is not concatenated eagerly to avoid quadratic
> + ;; complexity.
> + (by-user (alist->vhash '())))
> + (match user-keys
> + (()
> + (openssh-configuration
> + (inherit config)
> + (authorized-keys
> + (vhash-fold
> + (lambda (user keys other-users)
> + `((,user ,@(apply append (reverse keys))) ,@other-users))
> + '() by-user))))
> + (((user keys ...) other-user-keys ...)
> + (let ((existing
> + (match (vhash-assoc user by-user)
> + ((_ . keys) keys)
> + (#f '()))))
> + (generate-keys
> + other-user-keys
> + (vhash-cons user `(,keys ,@existing) by-user)))))))
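Review bot: `(vhash-cons user `(,keys ,@existing) by-user)` adds a second binding for a user who is already in `by-user` and keeps the earlier one, and the final `vhash-fold` visits every binding, so a user listed twice in `user-keys` comes out as two `(user keys ...)` entries, the older of which carries only part of the keys. Either drop the stale binding with `vhash-delete` before consing, or deduplicate users in the fold. Minor: `(alist->vhash '())` is just `vlist-null`, and the comment would read better as "a list of lists of keys".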
I find it a bit hard to read. What I had in mind is along these lines:
(match (openssh-authorized-keys config)
  (((users _ ...) ...)
   ;; Build a user/key-list mapping.
   (let ((user-keys (fold (lambda (spec table)
                            (match spec
                              ((user keys ...)
                               (vhash-cons user keys table))))
                          vlist-null
                          (openssh-authorized-keys config))))
     ;; Coalesce the key lists associated with each user.
     (map (lambda (user)
            (concatenate (vhash-fold* cons '() user user-keys)))
          users))))
WDYT?
Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org: bug#51487; Package guix. (Mon, 15 Nov 2021 15:36:02 GMT)
Message #32 received at 51487 <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès <ludo <at> gnu.org> writes:
> I find it a bit hard to read. What I had in mind is along these lines:
>
> (match (openssh-authorized-keys config)
>   (((users _ ...) ...)
>    ;; Build a user/key-list mapping.
>    (let ((user-keys (fold (lambda (spec table)
>                             (match spec
>                               ((user keys ...)
>                                (vhash-cons user keys table))))
>                           vlist-null
>                           (openssh-authorized-keys config))))
>      ;; Coalesce the key lists associated with each user.
>      (map (lambda (user)
>             (concatenate (vhash-fold* cons '() user user-keys)))
>           users))))
That’s way cleaner. I didn’t know of vhash-fold*, it seems to save the
day!
(just fixing the final map function not to forget the user name in the
alist, and removing "spec")
[0001-gnu-openssh-service-Collect-all-keys-for-all-users.patch (text/x-patch, attachment)]
[Message part 3 (text/plain, inline)]
Vivien
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Tue, 16 Nov 2021 09:04:01 GMT)
Notification sent to Vivien Kraus <vivien <at> planete-kraus.eu>: bug acknowledged by developer. (Tue, 16 Nov 2021 09:04:01 GMT)
Message #37 received at 51487-done <at> debbugs.gnu.org (full text, mbox):
Hi,
Vivien Kraus <vivien <at> planete-kraus.eu> writes:
> (just fixing the final map function not to forget the user name in the
> alist, and removing "spec")
Oops, indeed.
> From 7bc8abcfd5024f5269c36dc8cb44803eb0ab29ba Mon Sep 17 00:00:00 2001
> From: Vivien Kraus <vivien <at> planete-kraus.eu>
> Date: Fri, 29 Oct 2021 18:25:24 +0200
> Subject: [PATCH] gnu: openssh-service: Collect all keys for all users.
>
> * gnu/services/ssh.scm (extend-openssh-authorized-keys): ensure that no key is forgotten.
I realized we could just use ‘alist->vhash’ instead of (fold …) so I did
that.
Applied, thanks!
Ludo’.
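To put the shape the thread converges on in one runnable place (Ludovic's two-traversal sketch, the user name kept in each output entry as Vivien's last message notes, and alist->vhash in place of the fold as in the final message), here is a stand-alone Guile script added as an illustration. It is my reconstruction, not the code committed to Guix; it also models the original "only the last record is remembered" behaviour so the difference is visible. The names sample-keys, all-key-files, keys-lost?, last-entry-wins and merge-authorized-keys are mine, and key files are stand-in strings rather than file-like objects such as plain-file.

```scheme
;; Added example, not Guix's own code: merge the per-user entries of an
;; openssh-configuration 'authorized-keys' list so that a user who appears
;; several times (once in the base configuration and once from a service
;; extension, say) ends up with one entry holding every key file.
;; Run with: guile merge-keys.scm
(use-modules (ice-9 match)
             (ice-9 vlist)
             (srfi srfi-1))

;; Constructed sample with the same shape as the 'authorized-keys' field:
;; a list of (user key-file ...).  Key files are plain strings here instead
;; of the file-like objects (plain-file, local-file) used in a real system.
(define sample-keys
  '(("root"  "first-key")
    ("alice" "alice-laptop")
    ("root"  "second-key" "third-key")
    ("bob"   "bob-yubikey")
    ("alice" "alice-desktop")))

(define (all-key-files user-keys)
  "Every key file named anywhere in USER-KEYS."
  (append-map cdr user-keys))

(define (keys-lost? before after)
  "Return #t if some key file of BEFORE is missing from AFTER."
  (not (lset<= equal? (all-key-files before) (all-key-files after))))

;; Model of the behaviour reported at the top of the thread: when entries
;; are merely appended, a later entry for the same user replaces the
;; earlier one, so only the last record is remembered.
(define (last-entry-wins user-keys)
  (map (lambda (user) (assoc user (reverse user-keys)))
       (delete-duplicates (map car user-keys))))

(define (merge-authorized-keys user-keys)
  "Return USER-KEYS with exactly one entry per user, each holding all of
that user's key files."
  (match user-keys
    (((users _ ...) ...)
     ;; Each entry is already a (user . key-files) pair, so the list is an
     ;; alist and alist->vhash builds the user/key-list mapping in one
     ;; pass.  A repeated user gets an additional binding while the earlier
     ;; one is kept, and vhash-fold* visits all bindings of that user.
     (let ((table (alist->vhash user-keys)))
       (map (lambda (user)
              ;; Concatenate every key list bound to USER.  sshd does not
              ;; care about the order of authorized keys, so the traversal
              ;; order of vhash-fold* is not relied upon here.
              (cons user (concatenate (vhash-fold* cons '() user table))))
            ;; One output entry per distinct user, first occurrence first.
            (delete-duplicates users))))))

(define (main)
  (let ((naive  (last-entry-wins sample-keys))
        (merged (merge-authorized-keys sample-keys)))
    (format #t "last entry wins: ~s~%  keys lost? ~a~%"
            naive (keys-lost? sample-keys naive))
    (format #t "merged:          ~s~%  keys lost? ~a~%"
            merged (keys-lost? sample-keys merged))))

(main)
```

The keys-lost? check is the property the bug report is really about: a service extension must never silently drop a key file a user already had, since that is what turns an additive configuration change into a lockout. Running the script shows last-entry-wins reporting lost keys for root and alice while merge-authorized-keys reports none.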
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 14 Dec 2021 12:24:10 GMT)