author | Lars Wirzenius <liw@liw.fi> | 2022-04-29 18:59:11 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2022-04-29 18:59:11 +0300 |
commit | 8aeb0f0d40f421befb0b009e51b0c05937239c6c (patch) | |
tree | c597f8a109b1a921c0f953dbc7aee7704ba8023e /src/cloudinit.rs | |
parent | 99b4c180e7932cfe180323ba35956b1184212f51 (diff) | |
download | vmadm-8aeb0f0d40f421befb0b009e51b0c05937239c6c.tar.gz |
feat: optionally turn off authorized keys support in SSH server
If the specification has "allow_authorized_keys: false" (possibly
from new config setting "default_allow_authorized_keys"), the SSH
server configuration will tell the server to not consult a user's
authorized keys file at all.
Sponsored-by: author
Diffstat (limited to 'src/cloudinit.rs')
-rw-r--r-- | src/cloudinit.rs | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/cloudinit.rs b/src/cloudinit.rs
index f5db9bf..c748dd1 100644
--- a/src/cloudinit.rs
+++ b/src/cloudinit.rs
@@ -45,6 +45,7 @@ obj = yaml.safe_load(open(filename))
 ssh_keys = obj.get("ssh_keys", {})
 user_ca_pubkey = obj.get("user_ca_pubkey", {})
+allow_authorized_keys = obj.get("allow_authorized_keys", True)
 keys = []
 certs = []
@@ -101,6 +102,8 @@ with open(config, "w") as f:
 if user_ca_pubkey:
 log(f"trustedusercakeys {user_ca_filename}")
 f.write(f"trustedusercakeys {user_ca_filename}\n")
+ if not allow_authorized_keys:
+ f.write("authorizedkeysfile none\n")
 f.write(data)
 log("vmadm cloud-init script ending")
@@ -187,6 +190,8 @@ struct Userdata {
 #[serde(skip_serializing_if = "Option::is_none")]
 user_ca_pubkey: Option<String>,
+ allow_authorized_keys: bool,
+
 runcmd: Vec<String>,
 }
@@ -203,6 +208,7 @@ impl Userdata {
 ssh_authorized_keys: spec.ssh_keys.clone(),
 ssh_keys: Hostkeys::from(spec)?,
 user_ca_pubkey,
+ allow_authorized_keys: spec.allow_authorized_keys,
 runcmd: vec![
 format!("python3 -c {}", quote(SCRIPT)),
 "systemctl reload ssh".to_string(), |
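Review bot: The new `if not allow_authorized_keys:` branch in the embedded Python script writes `authorizedkeysfile none` silently, whereas the sibling `trustedusercakeys` branch directly above it calls `log(...)` before its write, so a guest that ends up refusing key logins leaves no trace in the cloud-init log of why; add `log("authorizedkeysfile none")` before the `f.write`. Writing the directive before `f.write(data)` is the right order, because sshd uses the first value it reads for a keyword and this therefore wins over any AuthorizedKeysFile inside `data`, but that dependency deserves a one-line comment such as `# must precede data: sshd keeps the first AuthorizedKeysFile it sees`, since moving the write after `data` would silently neutralise the option. Note that an AuthorizedKeysCommand present in `data`, if there is one, is not affected by this setting; whether that is intended cannot be told from the hunk. The Python script string, `struct Userdata` and `impl Userdata` all start and end outside these hunks, and the page has lost the hunks' indentation, so the exact placement above is inferred.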