From ba7502bb616095586a9b68dddbc3195346b22e42 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 10 Jun 2020 15:03:44 -0400
Subject: [PATCH] Somewhat configurable accounts on issuer and storage servers
---
nixos/modules/ssh.nix | 24 ++++++++++----
nixos/modules/tests/private-storage.nix | 19 ++++++++++++
nixos/modules/tests/probeuser_ed25519 | 38 +++++++++++++++++++++++
nixos/modules/tests/probeuser_ed25519.pub | 1 +
4 files changed, 76 insertions(+), 6 deletions(-)
create mode 100644 nixos/modules/tests/probeuser_ed25519
create mode 100644 nixos/modules/tests/probeuser_ed25519.pub
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index fc028fd5..ca9b3154 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -5,10 +5,18 @@
...
}: {
options = {
+ services.private-storage.sshUsers = lib.mkOption {
+ type = lib.types.attrsOf lib.types.str;
+ example = lib.literalExample { root = "ssh-ed25519 AAA..."; };
+ description = ''
+ Users to configure on the issuer server and the storage servers and
+ the SSH public keys to use to authenticate them.
+ '';
+ };
};
config =
let
- cfg = config."private-storage".config;
+ cfg = config.services."private-storage";
in {
# An attempt at a properly secure SSH configuration. This is informed by
# personal experience as well as various web resources:
@@ -29,13 +37,17 @@
# password-based authentication at all.
PermitEmptyPasswords no
- # Don't allow authentication as random system users.
- AllowUsers root
+ # Only allow authentication as one of the configured users, not random
+ # other (often system-managed) users.
+ AllowUsers ${builtins.concatStringsSep " " (builtins.attrNames cfg.sshUsers)}
'';
};
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"
- ];
+ users.users =
+ let makeUserConfig = username: sshPublicKey: {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [ sshPublicKey ];
+ };
+ in builtins.mapAttrs makeUserConfig cfg.sshUsers;
};
}
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 08a3e0d5..2bdd25a8 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -2,6 +2,19 @@ let
pkgs = import <nixpkgs> { };
pspkgs = import ../pspkgs.nix { inherit pkgs; };
+ sshPrivateKey = ./probeuser_ed25519;
+ sshPublicKey = ./probeuser_ed25519.pub;
+ sshUsers = {
+ probeuser = (builtins.readFile sshPublicKey);
+ };
+ # Generate a command which can be used with runOnNode to ssh to the given
+ # host.
+ ssh = hostname: [
+ "cp" sshPrivateKey "/tmp/ssh_key" ";"
+ "chmod" "0400" "/tmp/ssh_key" ";"
+ "ssh" "-oStrictHostKeyChecking=no" "-i" "/tmp/ssh_key" "probeuser@${hostname}" ":"
+ ];
+
# Separate helper programs so we can write as little perl inside a string
# inside a nix expression as possible.
run-introducer = ./run-introducer.py;
@@ -108,6 +121,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
introducerFURL = introducerFURL;
issuerRootURL = issuerURL;
inherit ristrettoSigningKeyPath;
+ inherit sshUsers;
+
};
} // networkConfig;
@@ -117,6 +132,8 @@ import <nixpkgs/nixos/tests/make-test.nix> {
{ imports =
[ ../issuer.nix
];
+ services.private-storage.sshUsers = sshUsers;
+
services.private-storage-issuer = {
enable = true;
domain = "issuer";
@@ -169,7 +186,9 @@ import <nixpkgs/nixos/tests/make-test.nix> {
# doesn't prove it is so but if it fails it's a pretty good indication
# it isn't so.
$storage->waitForOpenPort(22);
+ ${runOnNode "issuer" (ssh "storage")}
$issuer->waitForOpenPort(22);
+ ${runOnNode "storage" (ssh "issuer")}
# Set up a Tahoe-LAFS introducer.
$introducer->copyFileFromHost(
diff --git a/nixos/modules/tests/probeuser_ed25519 b/nixos/modules/tests/probeuser_ed25519
new file mode 100644
index 00000000..09c734d0
--- /dev/null
+++ b/nixos/modules/tests/probeuser_ed25519
@@ -0,0 +1,38 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAYEA9RqVFIjOI9Wwwhmlrt3HIeom4fgKcdd6DW8vFR25aynXGILwIFFJ
+9BW1IhrEAdSUdwtwdDDKB1nV3DxvYrS4tty+BdbKl8ZbqyflHy87sNnt027LpvBa9AReZp
+7eNXZ4myIReg7lQnQeOyVWXfF7y2OCzBUb089IO+2AdoFBDrDrvnJpDXURiBpj8oA9FOvd
+4BzkfRuSqTOODTrjXSilhDSU0N5kko5bny07tWDsI+obJFVGALzO5rt86I8T+brWevAwA9
+5DPQAwrIK7cl9O9eH/59cVBYwdQMtgGfjqsSHbP2YqxROjkK9BFSAgNib2IXyJ0OkzZN0s
+If292lUkkDfKppfJ8I+z1Wc37/E8LkW0B5KSxal79cftUxqJIT1sfeVDo31r5UdK8V9kkA
+tsJFNqJrETyMDZeboJF5x8YWXCgQM++Ts24P3vBcwOJwcvam+BcmtZhay2+0jrBFVqA8Mk
+w8zNEViGaV/zlKSft3ZetYyj5lk/JrNqHSl5T9j5AAAFiO+v0gLvr9ICAAAAB3NzaC1yc2
+EAAAGBAPUalRSIziPVsMIZpa7dxyHqJuH4CnHXeg1vLxUduWsp1xiC8CBRSfQVtSIaxAHU
+lHcLcHQwygdZ1dw8b2K0uLbcvgXWypfGW6sn5R8vO7DZ7dNuy6bwWvQEXmae3jV2eJsiEX
+oO5UJ0HjslVl3xe8tjgswVG9PPSDvtgHaBQQ6w675yaQ11EYgaY/KAPRTr3eAc5H0bkqkz
+jg06410opYQ0lNDeZJKOW58tO7Vg7CPqGyRVRgC8zua7fOiPE/m61nrwMAPeQz0AMKyCu3
+JfTvXh/+fXFQWMHUDLYBn46rEh2z9mKsUTo5CvQRUgIDYm9iF8idDpM2TdLCH9vdpVJJA3
+yqaXyfCPs9VnN+/xPC5FtAeSksWpe/XH7VMaiSE9bH3lQ6N9a+VHSvFfZJALbCRTaiaxE8
+jA2Xm6CRecfGFlwoEDPvk7NuD97wXMDicHL2pvgXJrWYWstvtI6wRVagPDJMPMzRFYhmlf
+85Skn7d2XrWMo+ZZPyazah0peU/Y+QAAAAMBAAEAAAGBAKkeomb8zl/jfocvcybpWBGKoz
+GgGHTcnRbP9Mi5LctHn2cGUfG6pTCKGeViWoR4zcgmWH2TfJL95ZaFDMYqtJlYTrVws3Fu
+KKo8aNfPm3w3ouYUuOiDR/6/VPOyAtkY2bcRFsYFqSLlREbDSIihqy13iDSRDBZmHA1dnx
+olrWIZqVBLWTkz4djrfLNC0OKyrPGKfg3lDJk7PXTbgS4ycaJ7NYO5L+P/3jBC4cQREF7n
+lbrIK/kuTgTesR02PC5AP4v2nU0nMvdI8v4mYx+Ybji7dO93ZbZkI2FRxp/cl50FSKjc6N
+9im3CWqb0I07+h0cy9rNAhVT221Kfjypv0SZp/1xE+VpVx4KyLkTenvhzhLfTNdbWHn/kv
+GSWX8BvQEiUvUORExfjvmo2/y+o/ca8DRTN/KuT/mUkjFdSFdlFWkMD5xF6YkPaFarhxbt
+yD670DpqV21P8xoXZCP9DGKefFAdfemkhpSxyZmKimb4vHUQD4Ddkc3CNqzw/sJdLQQQAA
+AMEAma/GNKl599PkWA58AtEQUWAcVKUljSOgyzRcncOiSKJ1K5RYHYnOPLjBBKb9yOF4Ss
+5WVvozqByJSowrXHWPj5qAlGCfNCzkJ9pKDA6BCcxbQmAzPXl8TFx1v25daYMDTMH29Sxq
+3UjzxthlP9GMovqe7BtFdd1Ep+V60wnHUcbBKIUQmlIhB9T4GyOyPwn6FlXkaz2hvk5jMM
+pTrB2DdFmIgyQzNuuPauJ8Krjx4gTVbi1teHZLljRwokMXsOsxAAAAwQD9vmyjKZhbWgkL
+/DDQp983yCcvF/ywnqHRQZijHRyh5QT48DE5xCQV9MQtidbNQgP6z6Z8BK6kXIy8CSA8zx
+tXu2aAz8q3XCn3X8Tp1sbNKtQs/d/bf9AfOgXbhRKSE3P/1jYQVdlnyZht/Rvjxflc2KQZ
+QV7RtLE4TAQF1HuwnppCc2tI2yT24LUNBS/IzsvgT+CaatpeOblWwAiIN/OYpf4A5vjcFd
+omNYiKuKywhPI6e+UX9BzL0F4rDQ9MsEUAAADBAPdIfdBo8UUsctAjzYNrlq9lG81CxKYf
+Id34d61eg5JNCozPOx86yNpvs5Itxr8SXQUvxDUWTour7ceByssRkJNllDdp4s4t3Ya7Wk
+cFTFfkfPPbFmY0JbVFimpgMVulWfLgE2tnSDpiqYnHc55e+DBR4DbaCJdtRKAbE9vYYamd
+/+qgMQdqsWJ7D0aVao0f6IcGUDL7Bn2qd4phrLtCpyOhV8hOr17WukTQlDHCU7VFAF9jLe
+Uu3rxmzZD94QRTJQAAAA5leGFya3VuQGJhcnlvbgECAw==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/nixos/modules/tests/probeuser_ed25519.pub b/nixos/modules/tests/probeuser_ed25519.pub
new file mode 100644
index 00000000..e9ba1bbd
--- /dev/null
+++ b/nixos/modules/tests/probeuser_ed25519.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD1GpUUiM4j1bDCGaWu3cch6ibh+Apx13oNby8VHblrKdcYgvAgUUn0FbUiGsQB1JR3C3B0MMoHWdXcPG9itLi23L4F1sqXxlurJ+UfLzuw2e3Tbsum8Fr0BF5mnt41dnibIhF6DuVCdB47JVZd8XvLY4LMFRvTz0g77YB2gUEOsOu+cmkNdRGIGmPygD0U693gHOR9G5KpM44NOuNdKKWENJTQ3mSSjlufLTu1YOwj6hskVUYAvM7mu3zojxP5utZ68DAD3kM9ADCsgrtyX0714f/n1xUFjB1Ay2AZ+OqxIds/ZirFE6OQr0EVICA2JvYhfInQ6TNk3Swh/b3aVSSQN8qml8nwj7PVZzfv8TwuRbQHkpLFqXv1x+1TGokhPWx95UOjfWvlR0rxX2SQC2wkU2omsRPIwNl5ugkXnHxhZcKBAz75Ozbg/e8FzA4nBy9qb4Fya1mFrLb7SOsEVWoDwyTDzM0RWIZpX/OUpJ+3dl61jKPmWT8ms2odKXlP2Pk= probeuser
--
GitLab