From: Lennart Poettering Date: Mon, 26 Aug 2024 15:29:15 +0000 (+0200) Subject: nspawn: propagate SSH authorized keys when binding user into contaier via --bind... X-Git-Tag: v257-rc1~608 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=12e506f43728b8efdfdf94a2b21d24517aae9f86;p=thirdparty%2Fsystemd.git nspawn: propagate SSH authorized keys when binding user into contaier via --bind-user= This means the host user typically can just log into his own account bound into the container via SSH.
---
diff --git a/src/nspawn/nspawn-bind-user.c b/src/nspawn/nspawn-bind-user.c
index 91f90e1d023..1668656dabf 100644
--- a/src/nspawn/nspawn-bind-user.c
+++ b/src/nspawn/nspawn-bind-user.c
@@ -88,7 +88,7 @@ static int convert_user(
 _cleanup_(group_record_unrefp) GroupRecord *converted_group = NULL;
 _cleanup_(user_record_unrefp) UserRecord *converted_user = NULL;
 _cleanup_free_ char *h = NULL;
- sd_json_variant *p, *hp = NULL;
+ sd_json_variant *p, *hp = NULL, *ssh = NULL;
 int r;
 assert(u);
@@ -115,8 +115,10 @@ static int convert_user(
 /* Acquire the source hashed password array as-is, so that it retains the JSON_VARIANT_SENSITIVE flag */
 p = sd_json_variant_by_key(u->json, "privileged");
- if (p)
+ if (p) {
 hp = sd_json_variant_by_key(p, "hashedPassword");
+ ssh = sd_json_variant_by_key(p, "sshAuthorizedKeys");
+ }
 r = user_record_build(
 &converted_user,
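Review bot: The comment directly above the lookup in the second hunk (-115,8 +115,10) still describes only the hashed password array, but the `if (p)` block now also pulls `sshAuthorizedKeys` out of the same `privileged` object. I would reword it to cover both, for example `/* Acquire the source hashed password and SSH authorized keys as-is; for the hashed password this retains the JSON_VARIANT_SENSITIVE flag */`. The `ssh` variant is forwarded with no check visible here that it is an array of strings; presumably user_record_build() validates it when the new record is loaded, which is worth confirming. convert_user() begins and ends outside this hunk.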
@@ -127,8 +129,9 @@ static int convert_user(
 SD_JSON_BUILD_PAIR_CONDITION(u->disposition >= 0, "disposition", SD_JSON_BUILD_STRING(user_disposition_to_string(u->disposition))),
 SD_JSON_BUILD_PAIR("homeDirectory", SD_JSON_BUILD_STRING(h)),
 SD_JSON_BUILD_PAIR("service", JSON_BUILD_CONST_STRING("io.systemd.NSpawn")),
- SD_JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password), "privileged", SD_JSON_BUILD_OBJECT(
- SD_JSON_BUILD_PAIR("hashedPassword", SD_JSON_BUILD_VARIANT(hp))))));
+ SD_JSON_BUILD_PAIR("privileged", SD_JSON_BUILD_OBJECT(
+ SD_JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password), "hashedPassword", SD_JSON_BUILD_VARIANT(hp)),
+ SD_JSON_BUILD_PAIR_CONDITION(!!ssh, "sshAuthorizedKeys", SD_JSON_BUILD_VARIANT(ssh))))));
 if (r < 0)
 return log_error_errno(r, "Failed to build container user record: %m");
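Review bot: The new `sshAuthorizedKeys` pair means every key authorized for the host user is also accepted for the bound user inside the container, and nothing in this hunk lets the caller opt out or tells the next reader that this is deliberate. A comment above the pair such as `/* Deliberately propagate the host user's SSH authorized keys, so that whoever can log into the host account via SSH can log into the bound account too */` would record the trust decision; the `--bind-user=` documentation, which is not visible on this page, presumably needs the same sentence. Separately, `"privileged"` is now emitted even when both inner conditions are false, so such records gain an empty object where the old code emitted none; `SD_JSON_BUILD_PAIR_CONDITION(!strv_isempty(u->hashed_password) || ssh, "privileged", SD_JSON_BUILD_OBJECT(` would keep the previous shape. The user_record_build() call starts before this hunk.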