GNU bug report logs - #55359
How do I extend openssh-service-type ?


Package: guix;

Reported by: Oleg Pykhalov <go.wigust <at> gmail.com>

Date: Wed, 11 May 2022 07:38:02 UTC

Severity: normal

Done: Oleg Pykhalov <go.wigust <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#55359; Package guix. (Wed, 11 May 2022 07:38:02 GMT)

Acknowledgement sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 11 May 2022 07:38:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: Edouard Klein <edk <at> beaver-labs.com>
Cc: bug-guix <bug-guix <at> gnu.org>, help-guix <at> gnu.org
Subject: Re: How do I extend openssh-service-type ?
Date: Wed, 11 May 2022 10:37:04 +0300
Hi,

Edouard Klein <edk <at> beaver-labs.com> writes:

> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
>                    (const `(("charlie"
>                              ,(local-file "charlie.pub")))))
> #+end_quote

[…]

Seems like extend-openssh-authorized-keys procedure does not use keys
argument. We could fix it like:
--8<---------------cut here---------------start------------->8---
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 7fbbe383e5..4bb3969b95 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
   (openssh-configuration
    (inherit config)
    (authorized-keys
-    (match (openssh-configuration-authorized-keys config)
+    (match (append (openssh-configuration-authorized-keys config) keys)
       (((users _ ...) ...)
        ;; Build a user/key-list mapping.
        (let ((user-keys (alist->vhash
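Review bot: appending `keys` fixes the dropped argument, but the visible match pattern `(((users _ ...) ...)` binds only the user names of the appended list and discards the key files paired with each user; the procedure is cut off right after `alist->vhash`, so before pushing, confirm that the per-user key files still reach the user/key-list mapping, because an authorized_keys.d entry whose file ends up empty locks that user out. Also note that a user present in both the configuration and an extension now appears twice in the appended list, so the mapping must merge the two entries rather than let one overwrite the other; a system test that extends the service with one key and checks the generated file is non-empty would catch both points.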
--8<---------------cut here---------------end--------------->8---


Oleg.

Information forwarded to bug-guix <at> gnu.org:
bug#55359; Package guix. (Wed, 25 May 2022 12:07:02 GMT)

Message #8 received at 55359 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: 55359 <at> debbugs.gnu.org, help-guix <at> gnu.org,
 Edouard Klein <edk <at> beaver-labs.com>
Subject: Re: bug#55359: How do I extend openssh-service-type ?
Date: Wed, 25 May 2022 14:06:18 +0200
Hi,

Oleg Pykhalov <go.wigust <at> gmail.com> skribis:

> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:
>
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 7fbbe383e5..4bb3969b95 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>    (openssh-configuration
>     (inherit config)
>     (authorized-keys
> -    (match (openssh-configuration-authorized-keys config)
> +    (match (append (openssh-configuration-authorized-keys config) keys)
>        (((users _ ...) ...)
>         ;; Build a user/key-list mapping.
>         (let ((user-keys (alist->vhash

Indeed.  Please push!

Thanks,
Ludo’.




Reply sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
You have taken responsibility. (Thu, 26 May 2022 05:44:02 GMT)

Notification sent to Oleg Pykhalov <go.wigust <at> gmail.com>:
bug acknowledged by developer. (Thu, 26 May 2022 05:44:02 GMT)

Message #13 received at 55359-done <at> debbugs.gnu.org:

From: Oleg Pykhalov <go.wigust <at> gmail.com>
To: 55359-done <at> debbugs.gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>,
 Edouard Klein <edk <at> beaver-labs.com>
Subject: Re: bug#55359: How do I extend openssh-service-type ?
Date: Thu, 26 May 2022 08:40:07 +0300
Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:

> Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>>
>> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
>> index 7fbbe383e5..4bb3969b95 100644
>> --- a/gnu/services/ssh.scm
>> +++ b/gnu/services/ssh.scm
>> @@ -558,7 +558,7 @@ (define (extend-openssh-authorized-keys config keys)
>>    (openssh-configuration
>>     (inherit config)
>>     (authorized-keys
>> -    (match (openssh-configuration-authorized-keys config)
>> +    (match (append (openssh-configuration-authorized-keys config) keys)
>>        (((users _ ...) ...)
>>         ;; Build a user/key-list mapping.
>>         (let ((user-keys (alist->vhash
>
> Indeed.  Please push!

Pushed as 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293.

> Edouard Klein <edk <at> beaver-labs.com> writes:
>
> I'm trying to make sense of:
> https://guix.gnu.org/manual/en/guix.html#index-openssh_002dservice_002dtype
>
> #+begin_quote
> This service can be extended with extra authorized keys, as in this example:
>
> (service-extension openssh-service-type
>                    (const `(("charlie"
>                              ,(local-file "charlie.pub")))))
> #+end_quote

Edouard, you should be able to extend the service after the ‘guix pull’.

Oleg.

Information forwarded to bug-guix <at> gnu.org:
bug#55359; Package guix. (Thu, 26 May 2022 14:45:02 GMT)

Message #16 received at 55359 <at> debbugs.gnu.org:

From: Ludovic Courtès <ludo <at> gnu.org>
To: Oleg Pykhalov <go.wigust <at> gmail.com>
Cc: 55359 <at> debbugs.gnu.org, help-guix <at> gnu.org,
 Edouard Klein <edk <at> beaver-labs.com>
Subject: Re: bug#55359: How do I extend openssh-service-type ?
Date: Thu, 26 May 2022 16:44:44 +0200
Hi,

Oleg Pykhalov <go.wigust <at> gmail.com> skribis:

>> (service-extension openssh-service-type
>>                    (const `(("charlie"
>>                              ,(local-file "charlie.pub")))))
>> #+end_quote
>
> […]
>
> Seems like extend-openssh-authorized-keys procedure does not use keys
> argument. We could fix it like:

For the record, this bug (dismissing the ‘keys’ argument) was introduced
in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).

How come nobody noticed then?

The reason is that starting from
b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
would create an empty directory.  That directory would then be copied by
‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
/etc/ssh/authorized_keys.d would typically already contain the relevant
keys, nothing bad would happen.

Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
another bug though: we’d create an authorized-key directory that
included keys brought by extensions, but each of these files would be
empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
associated with user names), which could lock yourself out.

Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b.  Reconfiguration
recommended before you’re locked out!

Thanks,
Ludo’.
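The merge that ‘extend-openssh-authorized-keys’ is meant to perform, written out as an added Guile illustration rather than Guix's own code (which builds a vhash, as the hunk above shows): it keeps every user's key files when configuration and extension entries are combined, and flags the failure mode Ludo describes, a user entry with no key file. The procedure names and the sample key lists are constructed for this example.

```scheme
(use-modules (ice-9 match)
             (srfi srfi-1))

;; Merge the keys already in the configuration with keys contributed by
;; service extensions.  Each entry is (USER KEY-FILE ...); a user that
;; appears in both lists ends up with one entry holding all of its key
;; files, so no per-user file is written empty.
(define (merge-authorized-keys base extra)
  (fold (lambda (entry result)
          (match entry
            ((user keys ...)
             (match (assoc user result)
               ((_ . existing)
                (alist-cons user (append existing keys)
                            (alist-delete user result)))
               (#f (alist-cons user keys result))))))
        base
        extra))

;; Users whose entry carries no key file at all.  Such an entry would
;; yield an empty file under authorized_keys.d and lock that user out.
(define (users-without-keys entries)
  (filter-map (match-lambda
                ((user) user)
                (_ #f))
              entries))

;; Constructed sample input (not from the thread): one key already in the
;; configuration, and an extension adding a second key for the same user
;; plus a new user.
(define base-keys '(("alice" "alice-laptop.pub")))
(define extension-keys '(("alice" "alice-desktop.pub")
                         ("charlie" "charlie.pub")))

(define merged (merge-authorized-keys base-keys extension-keys))

;; What the faulty version effectively did: the pattern from the hunk
;; keeps only the user names, so every key file is dropped.
(define names-only
  (match merged
    (((users _ ...) ...) (map list users))))

(format #t "merged: ~s~%" merged)
(format #t "locked out by the names-only variant: ~s~%"
        (users-without-keys names-only))
(unless (null? (users-without-keys merged))
  (error "refusing to generate empty authorized_keys.d files"))
```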




Information forwarded to bug-guix <at> gnu.org:
bug#55359; Package guix. (Tue, 31 May 2022 17:08:02 GMT)

Message #19 received at 55359 <at> debbugs.gnu.org:

From: Edouard Klein <edou <at> rdklein.fr>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 55359 <at> debbugs.gnu.org, Oleg Pykhalov <go.wigust <at> gmail.com>,
 help-guix <at> gnu.org
Subject: Re: bug#55359: How do I extend openssh-service-type ?
Date: Tue, 31 May 2022 19:05:41 +0200
Thank you both for solving this. I used a workaround for a while
(rsyncing the keys to /home/user/.ssh/authorized_keys). Now I can
confirm that the fixes work and I'm back to a declarative configuration
of my server, which is awesome!

Cheers,

Edouard.

Ludovic Courtès <ludo <at> gnu.org> writes:

> Hi,
>
> Oleg Pykhalov <go.wigust <at> gmail.com> skribis:
>
>>> (service-extension openssh-service-type
>>>                    (const `(("charlie"
>>>                              ,(local-file "charlie.pub")))))
>>> #+end_quote
>>
>> […]
>>
>> Seems like extend-openssh-authorized-keys procedure does not use keys
>> argument. We could fix it like:
>
> For the record, this bug (dismissing the ‘keys’ argument) was introduced
> in b4b2bbf4fb74c9f3e93d64863ab9b38957494b49 (Oct. 2021).
>
> How come nobody noticed then?
>
> The reason is that starting from
> b4b2bbf4fb74c9f3e93d64863ab9b38957494b49, ‘authorized-key-directory’
> would create an empty directory.  That directory would then be copied by
> ‘openssh-activation’ to /etc/ssh/authorized_keys.d; since
> /etc/ssh/authorized_keys.d would typically already contain the relevant
> keys, nothing bad would happen.
>
> Oleg’s commit 1f29ed4a812f86c45e2d9c37fd9f80f6d0418293 introduced
> another bug though: we’d create an authorized-key directory that
> included keys brought by extensions, but each of these files would be
> empty (because ‘extend-openssh-authorized-keys’ would dismiss key files
> associated with user names), which could lock yourself out.
>
> Fixed in 0dc63ce519c5f98b2186d1871176e2fac3a6926b.  Reconfiguration
> recommended before you’re locked out!
>
> Thanks,
> Ludo’.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 29 Jun 2022 11:24:07 GMT)




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.