authorLars Wirzenius <liw@liw.fi>2022-04-29 18:59:11 +0300
committerLars Wirzenius <liw@liw.fi>2022-04-29 18:59:11 +0300
commit8aeb0f0d40f421befb0b009e51b0c05937239c6c (patch)
treec597f8a109b1a921c0f953dbc7aee7704ba8023e /src/spec.rs
parent99b4c180e7932cfe180323ba35956b1184212f51 (diff)
feat: optionally turn off authorized keys support in SSH server
If the specification has "allow_authorized_keys: false" (possibly from new config setting "default_allow_authorized_keys"), the SSH server configuration will tell the server to not consult a user's authorized keys file at all. Sponsored-by: author
Diffstat (limited to 'src/spec.rs')
-rw-r--r--src/spec.rs17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/spec.rs b/src/spec.rs
index 58d7550..332bf94 100644
--- a/src/spec.rs
+++ b/src/spec.rs
@@ -34,6 +34,7 @@ struct OneVmInputSpecification {
pub networks: Option<Vec<String>>,
pub ca_key: Option<PathBuf>,
pub user_ca_pubkey: Option<PathBuf>,
+ pub allow_authorized_keys: Option<bool>,
}
impl OneVmInputSpecification {
@@ -61,6 +62,18 @@ impl OneVmInputSpecification {
}
}
+ fn allow_authorized_keys(&self, config: &Configuration) -> bool {
+ if let Ok(x) = get(
+ &self.allow_authorized_keys,
+ &config.default_allow_authorized_keys,
+ SpecificationError::NoAuthorizedKeys("".to_string()),
+ ) {
+ x
+ } else {
+ true
+ }
+ }
+
fn base_image(
&self,
config: &Configuration,
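Review bot: The `else { true }` branch in `allow_authorized_keys` makes this hardening switch fail open. Any `Err` from `get`, not only "neither the spec nor the config sets a value", leaves per-user authorized keys files enabled, and nothing on the function says so. `get` is defined outside this diff; if it can fail for another reason, that failure is silently mapped to the permissive setting. I would add a doc comment such as `/// Defaults to true (authorized keys files are consulted) when neither the spec nor the config sets a value.` so operators who rely on `user_ca_pubkey` for certificate-only logins know they must set the option to `false` explicitly. The `SpecificationError::NoAuthorizedKeys("".to_string())` value is built only to be discarded. Assuming `default_allow_authorized_keys` is an `Option<bool>`, `self.allow_authorized_keys.or(config.default_allow_authorized_keys).unwrap_or(true)` states the same default without a dummy error.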
@@ -215,6 +228,9 @@ pub struct Specification {
/// Path to CA publicv key for verifying user certificates.
pub user_ca_pubkey: Option<PathBuf>,
+ /// Allow SSH server to use per-user authorized keys files?
+ pub allow_authorized_keys: bool,
+
/// List of networks to which host should be added.
pub networks: Vec<String>,
}
@@ -355,6 +371,7 @@ impl Specification {
autostart: input.autostart(config),
ca_key,
user_ca_pubkey,
+ allow_authorized_keys: input.allow_authorized_keys(config),
networks,
};