authorLars Wirzenius <liw@liw.fi>2022-04-29 18:59:11 +0300
committerLars Wirzenius <liw@liw.fi>2022-04-29 18:59:11 +0300
commit8aeb0f0d40f421befb0b009e51b0c05937239c6c (patch)
treec597f8a109b1a921c0f953dbc7aee7704ba8023e /src
parent99b4c180e7932cfe180323ba35956b1184212f51 (diff)
downloadvmadm-8aeb0f0d40f421befb0b009e51b0c05937239c6c.tar.gz
feat: optionally turn off authorized keys support in SSH server
If the specification has "allow_authorized_keys: false" (possibly from new config setting "default_allow_authorized_keys"), the SSH server configuration will tell the server to not consult a user's authorized keys file at all. Sponsored-by: author
Diffstat (limited to 'src')
-rw-r--r--src/cloudinit.rs6
-rw-r--r--src/config.rs3
-rw-r--r--src/spec.rs17
3 files changed, 26 insertions, 0 deletions
diff --git a/src/cloudinit.rs b/src/cloudinit.rs
index f5db9bf..c748dd1 100644
--- a/src/cloudinit.rs
+++ b/src/cloudinit.rs
@@ -45,6 +45,7 @@ obj = yaml.safe_load(open(filename))
ssh_keys = obj.get("ssh_keys", {})
user_ca_pubkey = obj.get("user_ca_pubkey", {})
+allow_authorized_keys = obj.get("allow_authorized_keys", True)
keys = []
certs = []
@@ -101,6 +102,8 @@ with open(config, "w") as f:
if user_ca_pubkey:
log(f"trustedusercakeys {user_ca_filename}")
f.write(f"trustedusercakeys {user_ca_filename}\n")
+ if not allow_authorized_keys:
+ f.write("authorizedkeysfile none\n")
f.write(data)
log("vmadm cloud-init script ending")
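Review bot: The new `authorizedkeysfile none` line is written without the `log(...)` call that the `trustedusercakeys` line just above it gets, so the script's log will not record that authorized keys were turned off; add `log("authorizedkeysfile none")` before the write. A comment should also say that the directive has to stay ahead of `f.write(data)`: sshd uses the first value it obtains for a keyword, so this placement is what lets it win over an `AuthorizedKeysFile` in the existing configuration, although a `Match` block inside `data` could still override it. Indentation is not visible on this page, so confirm that the new `if` sits at the level of `if user_ca_pubkey:` and not inside it. The `with open(config, "w")` block starts outside the hunk.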
@@ -187,6 +190,8 @@ struct Userdata {
#[serde(skip_serializing_if = "Option::is_none")]
user_ca_pubkey: Option<String>,
+ allow_authorized_keys: bool,
+
runcmd: Vec<String>,
}
@@ -203,6 +208,7 @@ impl Userdata {
ssh_authorized_keys: spec.ssh_keys.clone(),
ssh_keys: Hostkeys::from(spec)?,
user_ca_pubkey,
+ allow_authorized_keys: spec.allow_authorized_keys,
runcmd: vec![
format!("python3 -c {}", quote(SCRIPT)),
"systemctl reload ssh".to_string(),
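Review bot: `ssh_authorized_keys: spec.ssh_keys.clone()` is still handed to cloud-init when `allow_authorized_keys` is false, so the keys are installed into an authorized keys file that the SSH server is then told to ignore. If `user_ca_pubkey` is also `None`, the VM presumably ends up with no working public-key login at all, and nothing visible here reports that. Consider rejecting or warning about that combination when the specification is built, and skipping the keys here, e.g. `ssh_authorized_keys: if spec.allow_authorized_keys { spec.ssh_keys.clone() } else { vec![] },` (assuming the field is a `Vec`). The constructor starts and ends outside the hunk.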
diff --git a/src/config.rs b/src/config.rs
index 37cd98e..8de4751 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -44,6 +44,9 @@ pub struct Configuration {
/// Path name to SSH CA public key for verifying SSH user certificates.
pub user_ca_pubkey: Option<PathBuf>,
+
+ /// Should SSH authorized keys files be allowed by default?
+ pub default_allow_authorized_keys: Option<bool>,
}
/// Errors from this module.
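Review bot: The doc comment on `default_allow_authorized_keys` does not say what happens when the setting is absent, and the resolver added in src/spec.rs falls back to `true` in that case. Suggest `/// Should SSH authorized keys files be allowed by default? If unset, they are allowed.` so that an operator reading the configuration docs knows the feature is opt-out.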
diff --git a/src/spec.rs b/src/spec.rs
index 58d7550..332bf94 100644
--- a/src/spec.rs
+++ b/src/spec.rs
@@ -34,6 +34,7 @@ struct OneVmInputSpecification {
pub networks: Option<Vec<String>>,
pub ca_key: Option<PathBuf>,
pub user_ca_pubkey: Option<PathBuf>,
+ pub allow_authorized_keys: Option<bool>,
}
impl OneVmInputSpecification {
@@ -61,6 +62,18 @@ impl OneVmInputSpecification {
}
}
+ fn allow_authorized_keys(&self, config: &Configuration) -> bool {
+ if let Ok(x) = get(
+ &self.allow_authorized_keys,
+ &config.default_allow_authorized_keys,
+ SpecificationError::NoAuthorizedKeys("".to_string()),
+ ) {
+ x
+ } else {
+ true
+ }
+ }
+
fn base_image(
&self,
config: &Configuration,
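Review bot: `allow_authorized_keys` builds a throwaway `SpecificationError::NoAuthorizedKeys("".to_string())` only to satisfy `get`, then discards whatever error comes back and answers `true`. Both inputs are `Option<bool>`, so the body can be `self.allow_authorized_keys.or(config.default_allow_authorized_keys).unwrap_or(true)`, which needs no error value and makes the permissive fallback explicit. Because that fallback re-enables authorized keys, a doc comment such as `/// Per-VM setting, else the configured default, else true (allowed).` would help the next reader. `get` is defined outside this page, so the equivalence assumes it returns the first `Some` of its two arguments; the `base_image` signature after the new method continues outside the hunk.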
@@ -215,6 +228,9 @@ pub struct Specification {
/// Path to CA publicv key for verifying user certificates.
pub user_ca_pubkey: Option<PathBuf>,
+ /// Allow SSH server to use per-user authorized keys files?
+ pub allow_authorized_keys: bool,
+
/// List of networks to which host should be added.
pub networks: Vec<String>,
}
@@ -355,6 +371,7 @@ impl Specification {
autostart: input.autostart(config),
ca_key,
user_ca_pubkey,
+ allow_authorized_keys: input.allow_authorized_keys(config),
networks,
};