userdbctl: enable ssh-authorized-keys logic by default
authorLennart Poettering <lennart@poettering.net>
Thu, 16 Nov 2023 17:47:52 +0000 (18:47 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 6 Dec 2023 21:11:04 +0000 (22:11 +0100)
sshd now supports config file drop-ins, hence let's install one to hook
up "userdb ssh-authorized-keys", so that things just work.

We put the drop-in relatively early, so that other drop-ins generally
will override this.

Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but
let's take what we can get. It's not that sshd's upstream was
particularly open to weird ideas from Linux people.

TODO
meson.build
meson_options.txt
src/userdb/20-systemd-userdb.conf.in [new file with mode: 0644]
src/userdb/meson.build
tmpfiles.d/20-systemd-userdb.conf.in [new file with mode: 0644]
tmpfiles.d/meson.build

diff --git a/TODO b/TODO
index 5a27e6b5676fc2767549619050658b63c51c088d..8646d99b1ded6e11898a37f6676f9eebfae3ce80 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1004,9 +1004,6 @@ Features:
   file to move there, since it is managed by privileged code (i.e. homed) and
   not unprivileged code.
 
-* given that /etc/ssh/ssh_config.d/ is a thing now, ship a drop-in for that
-  that hooks up userdbctl ssh-key stuff.
-
 * maybe add support for binding and connecting AF_UNIX sockets in the file
   system outside of the 108ch limit. When connecting, open O_PATH fd to socket
   inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink
index 7419e2b0b094a763d71990154a4f763d1f0d6244..56bdc39c3dcb4a94c6aa915d9c1acc312bc9a64b 100644 (file)
@@ -198,6 +198,11 @@ if pamconfdir == ''
         pamconfdir = prefixdir / 'lib/pam.d'
 endif
 
+sshdconfdir = get_option('sshdconfdir')
+if sshdconfdir == ''
+        sshdconfdir = sysconfdir / 'ssh/sshd_config.d'
+endif
+
 libcryptsetup_plugins_dir = get_option('libcryptsetup-plugins-dir')
 if libcryptsetup_plugins_dir == ''
         libcryptsetup_plugins_dir = libdir / 'cryptsetup'
@@ -229,6 +234,7 @@ conf.set_quoted('PREFIX_NOSLASH',                             prefixdir_noslash)
 conf.set_quoted('RANDOM_SEED',                                randomseeddir / 'random-seed')
 conf.set_quoted('RANDOM_SEED_DIR',                            randomseeddir)
 conf.set_quoted('RC_LOCAL_PATH',                              get_option('rc-local'))
+conf.set_quoted('SSHDCONFDIR',                                sshdconfdir)
 conf.set_quoted('SYSCONF_DIR',                                sysconfdir)
 conf.set_quoted('SYSCTL_DIR',                                 sysctldir)
 conf.set_quoted('SYSTEMCTL_BINARY_PATH',                      bindir / 'systemctl')
@@ -2676,6 +2682,7 @@ summary({
         'SysV rc?.d directories' :          sysvrcnd_path,
         'PAM modules directory' :           pamlibdir,
         'PAM configuration directory' :     pamconfdir,
+        'ssh configuration directory' :     sshdconfdir,
         'libcryptsetup plugins directory' : libcryptsetup_plugins_dir,
         'RPM macros directory' :            rpmmacrosdir,
         'modprobe.d directory' :            modprobedir,
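Review bot: The summary label `'ssh configuration directory'` (and the option text it mirrors) undersells what `sshdconfdir` is: it is the sshd server's drop-in directory that the userdb `AuthorizedKeysCommand` fragment is installed into, not client ssh configuration, and `'sshd_config.d directory'` would both match the neighbouring `'modprobe.d directory'` style and avoid confusion with `ssh_config.d`, which the removed TODO entry itself conflated. The default `sysconfdir / 'ssh/sshd_config.d'` is only honoured when the host's sshd_config actually includes that directory, which nothing in the build can verify; a comment at the assignment such as `# Only effective if the distro's sshd_config has "Include /etc/ssh/sshd_config.d/*.conf"` would spare packagers a silent no-op.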
index 83b48ff5bba49384538dc97abd55bb4b3d1116a8..c677c7f4202f194e49a00d1cff39b206fdbdbfed 100644 (file)
@@ -211,6 +211,8 @@ option('pamlibdir', type : 'string',
        description : 'directory for PAM modules')
 option('pamconfdir', type : 'string',
        description : 'directory for PAM configuration ["no" disables]')
+option('sshdconfdir', type : 'string',
+       description : 'directory for SSH server configuration ["no" disables]')
 option('libcryptsetup-plugins-dir', type : 'string',
        description : 'directory for libcryptsetup plugins')
 option('docdir', type : 'string',
diff --git a/src/userdb/20-systemd-userdb.conf.in b/src/userdb/20-systemd-userdb.conf.in
new file mode 100644 (file)
index 0000000..031fc3a
--- /dev/null
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Make sure SSH authorized keys recorded in user records can be consumed by SSH
+#
+AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
+AuthorizedKeysCommandUser root
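Review bot: The `20-` prefix does the opposite of what the commit message intends for the `AuthorizedKeysCommand` line: sshd_config(5) uses the first obtained value for a keyword, so once this file is included, an `AuthorizedKeysCommand` in any later-sorting drop-in (or in the main file below its `Include`) is silently ignored, and a site already using such a command for LDAP or a key authority would lose it on upgrade. If the goal is to be overridable, use a late-sorting name such as `90-systemd-userdb.conf` and say so in the header; if the goal is to win, keep `20-` but document that instead. `AuthorizedKeysCommandUser root` also runs the lookup fully privileged on every authentication attempt; presumably root is required because the keys live in the privileged part of the user record — if so, a comment like `# Runs as root: the sshAuthorizedKeys field is only returned to privileged clients` would keep admins from lowering it blindly. Finally, the header should state that this fragment only takes effect when the host's sshd_config has an `Include` of this directory, which the build cannot guarantee.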
index 2d701c8ba7a0ba845052a4e738dd4abebc002857..260dbab2c8539d606b832bff1de0ca250c24ee56 100644 (file)
@@ -23,3 +23,16 @@ executables += [
                 'dependencies' : threads,
         },
 ]
+
+custom_target(
+        '20-systemd-userdb.conf',
+        input : '20-systemd-userdb.conf.in',
+        output : '20-systemd-userdb.conf',
+        command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
+        install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
+        install_dir : libexecdir / 'sshd_config.d')
+
+install_emptydir(sshdconfdir)
+
+meson.add_install_script(sh, '-c',
+        ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
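Review bot: `install_emptydir(sshdconfdir)` and the `ln_s` install script are unconditional while only the custom_target above is gated on `ENABLE_USERDB` and `sshdconfdir != 'no'`; with `-Dsshdconfdir=no` this creates a directory literally named `no` containing a symlink, and with userdb disabled it installs a dangling `20-systemd-userdb.conf` link into sshd's drop-in directory, which sshd may refuse to include and so fail to start — an outage on the remote-access daemon. Hoist the condition once, `install_sshd_dropin = conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'`, use it for the custom_target's `install :` and wrap the emptydir and install script in `if install_sshd_dropin … endif`. The `ln_s` helper is defined outside this hunk; if it is a plain `ln -s` it also fails a re-install when the link already exists, which is worth checking.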
diff --git a/tmpfiles.d/20-systemd-userdb.conf.in b/tmpfiles.d/20-systemd-userdb.conf.in
new file mode 100644 (file)
index 0000000..1ef7a9e
--- /dev/null
@@ -0,0 +1,10 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See tmpfiles.d(5) for details
+
+L {{SSHDCONFDIR}}/20-systemd-userdb.conf - - - - {{LIBEXECDIR}}/sshd_config.d/20-systemd-userdb.conf
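Review bot: The `L` line recreates the sshd drop-in symlink on every boot and on each `systemd-tmpfiles --create`, so an administrator who deletes `20-systemd-userdb.conf` from the sshd drop-in directory to stop sshd from calling userdbctl will find it back after a reboot, which is surprising for a file under /etc/ssh and should be stated in the file. Add a purpose comment and the opt-out above the `L` line, e.g. `# Hook userdbctl's SSH authorized-keys lookup into sshd via its drop-in directory` and `# To disable, mask this fragment: ln -s /dev/null /etc/tmpfiles.d/20-systemd-userdb.conf`. The header currently carries only the license text and no description, unlike what `tmpfiles.d(5)` readers expect from the other fragments.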
index 4c11ad6e2038c369a7f6cfe5a48742d9bc7d54dc..390076b6d5004712c2b307275ed65a1d79df0a2c 100644 (file)
@@ -34,6 +34,7 @@ in_files = [['etc.conf',                      ''],
             ['static-nodes-permissions.conf', ''],
             ['systemd.conf',                  ''],
             ['var.conf',                      ''],
+            ['20-systemd-userdb.conf',        'ENABLE_USERDB'],
            ]
 
 foreach pair : in_files
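Review bot: Gating `20-systemd-userdb.conf` on `ENABLE_USERDB` alone is insufficient: the top-level meson.build leaves `sshdconfdir` as the literal string `no` when the option is disabled and still exports it as `SSHDCONFDIR`, so this fragment is installed anyway and its `L` line then points at the relative path `no/20-systemd-userdb.conf`. The in_files table supports a single conf flag, so either define one in the top-level file, e.g. `conf.set10('ENABLE_SSHD_USERDB_DROPIN', conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no')`, and gate on that, or append the entry to `in_files` conditionally after the table. The `foreach` that consumes `in_files` continues past the end of the hunk.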