From 8aeb0f0d40f421befb0b009e51b0c05937239c6c Mon Sep 17 00:00:00 2001
From: Lars Wirzenius <liw@liw.fi>
Date: Fri, 29 Apr 2022 18:59:11 +0300
Subject: feat: optionally turn off authorized keys support in SSH server

If the specification has "allow_authorized_keys: false" (possibly
from new config setting "default_allow_authorized_keys"), the SSH
server configuration will tell the server to not consult a user's
authorized keys file at all.

Sponsored-by: author
---
 src/cloudinit.rs |  6 ++++++
 src/config.rs    |  3 +++
 src/spec.rs      | 17 +++++++++++++++++
 vmadm.md         |  5 ++++-
 4 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/src/cloudinit.rs b/src/cloudinit.rs
index f5db9bf..c748dd1 100644
--- a/src/cloudinit.rs
+++ b/src/cloudinit.rs
@@ -45,6 +45,7 @@ obj = yaml.safe_load(open(filename))
 
 ssh_keys = obj.get("ssh_keys", {})
 user_ca_pubkey = obj.get("user_ca_pubkey", {})
+allow_authorized_keys = obj.get("allow_authorized_keys", True)
 
 keys = []
 certs = []
@@ -101,6 +102,8 @@ with open(config, "w") as f:
     if user_ca_pubkey:
         log(f"trustedusercakeys {user_ca_filename}")
         f.write(f"trustedusercakeys {user_ca_filename}\n")
+    if not allow_authorized_keys:
+        f.write("authorizedkeysfile none\n")
     f.write(data)
 
 log("vmadm cloud-init script ending")
@@ -187,6 +190,8 @@ struct Userdata {
     #[serde(skip_serializing_if = "Option::is_none")]
     user_ca_pubkey: Option<String>,
 
+    allow_authorized_keys: bool,
+
     runcmd: Vec<String>,
 }
 
@@ -203,6 +208,7 @@ impl Userdata {
             ssh_authorized_keys: spec.ssh_keys.clone(),
             ssh_keys: Hostkeys::from(spec)?,
             user_ca_pubkey,
+            allow_authorized_keys: spec.allow_authorized_keys,
             runcmd: vec![
                 format!("python3 -c {}", quote(SCRIPT)),
                 "systemctl reload ssh".to_string(),
diff --git a/src/config.rs b/src/config.rs
index 37cd98e..8de4751 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -44,6 +44,9 @@ pub struct Configuration {
 
     /// Path name to SSH CA public key for verifying SSH user certificates.
     pub user_ca_pubkey: Option<PathBuf>,
+
+    /// Should SSH authorized keys files be allowed by default?
+    pub default_allow_authorized_keys: Option<bool>,
 }
 
 /// Errors from this module.
diff --git a/src/spec.rs b/src/spec.rs
index 58d7550..332bf94 100644
--- a/src/spec.rs
+++ b/src/spec.rs
@@ -34,6 +34,7 @@ struct OneVmInputSpecification {
     pub networks: Option<Vec<String>>,
     pub ca_key: Option<PathBuf>,
     pub user_ca_pubkey: Option<PathBuf>,
+    pub allow_authorized_keys: Option<bool>,
 }
 
 impl OneVmInputSpecification {
@@ -61,6 +62,18 @@ impl OneVmInputSpecification {
         }
     }
 
+    fn allow_authorized_keys(&self, config: &Configuration) -> bool {
+        if let Ok(x) = get(
+            &self.allow_authorized_keys,
+            &config.default_allow_authorized_keys,
+            SpecificationError::NoAuthorizedKeys("".to_string()),
+        ) {
+            x
+        } else {
+            true
+        }
+    }
+
     fn base_image(
         &self,
         config: &Configuration,
@@ -215,6 +228,9 @@ pub struct Specification {
     /// Path to CA publicv key for verifying user certificates.
     pub user_ca_pubkey: Option<PathBuf>,
 
+    /// Allow SSH server to use per-user authorized keys files?
+    pub allow_authorized_keys: bool,
+
     /// List of networks to which host should be added.
     pub networks: Vec<String>,
 }
@@ -355,6 +371,7 @@ impl Specification {
             autostart: input.autostart(config),
             ca_key,
             user_ca_pubkey,
+            allow_authorized_keys: input.allow_authorized_keys(config),
             networks,
         };
 
diff --git a/vmadm.md b/vmadm.md
index 9c6d3aa..e24e0db 100644
--- a/vmadm.md
+++ b/vmadm.md
@@ -88,6 +88,7 @@ authorized_keys:
     "default_networks": [
         "network=default"
     ],
+    "default_allow_authorized_keys": null,
     "ca_key": "~/ca_key",
     "user_ca_pubkey": "~/user_ca_pubkey",
     "authorized_keys": [
@@ -125,7 +126,8 @@ foo:
         "generate_host_certificate": true,
         "autostart": true,
         "ca_key": "~/other_ca",
-        "user_ca_pubkey": "~/user_ca_pubkey"
+        "user_ca_pubkey": "~/user_ca_pubkey",
+        "allow_authorized_keys": true
     }
 ]
 ~~~
@@ -217,6 +219,7 @@ ssh_keys:
   ed25519_certificate: ed25519-certificate
 user_ca_pubkey: >
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChZ6mVuGLBpW7SarFU/Tu6TemquNxatbMUZuTk8RqVtbkvTKeWFZ5h5tntWPHgST8ykYFaIrr8eYuKQkKdBxHW7H8kejTNwRu/rDbRYX5wxTn4jw4RVopGTpxMlGrWeu5CkWPoLAhQtIzzUAnrDGp9sqG6P1G4ohI61wZMFQta9R2uNxXnnes+e2r4Y78GxmlQH/o0ouI8fBnsxRK0IoSfFs2LutO6wjyzR59FdC9TT7wufd5kXMRzxsmPGeXzNcaqvHGxBvRucGFclCkqSRwk3GNEpXZQhlCIoTIoRu0IPAp/430tlx9zJMhhwDlZsOOXRrFYpdWVMSTAAKECLSYx liw@exolobe1
+allow_authorized_keys: true
 ~~~
 
 # Create a virtual machine
-- 
cgit v1.2.1