From 0d168cfb5f382abae2a5eea323385112571004da Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sat, 12 Feb 2022 13:41:03 +0100
Subject: [PATCH] ssh allow_users

---
 bundles/ssh/files/sshd_config | 2 ++
 bundles/ssh/items.py | 4 ++++
 bundles/ssh/metadata.py | 13 +++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 bundles/ssh/metadata.py

diff --git a/bundles/ssh/files/sshd_config b/bundles/ssh/files/sshd_config
index 4fe2436..a84653b 100644
--- a/bundles/ssh/files/sshd_config
+++ b/bundles/ssh/files/sshd_config
@@ -13,6 +13,8 @@ ChallengeResponseAuthentication no
 AuthorizedKeysFile .ssh/authorized_keys
 UsePAM yes
 
+AllowUsers ${' '.join(users)}
+
 PermitTTY yes
 TCPKeepAlive yes
 ClientAliveInterval 30
diff --git a/bundles/ssh/items.py b/bundles/ssh/items.py
index 554c296..e47f47d 100644
--- a/bundles/ssh/items.py
+++ b/bundles/ssh/items.py
@@ -2,6 +2,10 @@ if not node.metadata.get('FIXME_dont_touch_sshd', False):
     # on debian bullseye raspberry images, starting the systemd ssh
     # daemon seems to collide with an existing sysv daemon
     files['/etc/ssh/sshd_config'] = {
+        'content_type': 'mako',
+        'context': {
+            'users': sorted(node.metadata.get('ssh/allow_users')),
+        },
         'triggers': [
             'svc_systemd:ssh:restart'
         ],
diff --git a/bundles/ssh/metadata.py b/bundles/ssh/metadata.py
new file mode 100644
index 0000000..5a112a1
--- /dev/null
+++ b/bundles/ssh/metadata.py
@@ -0,0 +1,13 @@
+@metadata_reactor.provides(
+    'ssh/allow_users',
+)
+def users(metadata):
+    return {
+        'ssh': {
+            'allow_users': set(
+                name
+                for name, conf in metadata.get('users').items()
+                if conf.get('authorized_keys', []) or conf.get('authorized_users', [])
+            ),
+        },
+    }
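Review bot: When the `users` list handed to this template is empty, the added line renders as a bare `AllowUsers ` directive, which — depending on the OpenSSH version — is either rejected at config parse time (sshd fails to restart) or accepted with an empty pattern list, in which case no login restriction is applied at all; the latter silently defeats the purpose of the change. Guarding the directive in the template, `% if users:` / `AllowUsers ${' '.join(users)}` / `% endif`, or failing the render when the set is empty, would make the outcome explicit either way. A one-line comment such as `# AllowUsers is generated from ssh/allow_users metadata (see bundles/ssh/metadata.py)` above the directive would also help whoever edits the file by hand on a node. The rest of sshd_config is outside the hunk, so whether `PermitRootLogin` or similar directives interact with this list cannot be judged here.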
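Review bot: `metadata.get('users')` in the new reactor is called without a default; if a node has no `users` metadata at all, that lookup presumably raises instead of yielding an empty allow list (I believe bundlewrap's metadata `get` raises KeyError when the path is missing and no default is given — worth confirming). Changing it to `metadata.get('users', {}).items()` makes the reactor total over every node the bundle is attached to. The function also lacks a docstring; a short one such as `"""Derive ssh/allow_users: every user that has authorized_keys or authorized_users configured."""` would state the intended policy (SSH login only for accounts that actually have a key-based path in) for the next reader. Note the criterion inspects only those two keys, so any other flag in the users metadata that marks an account as disabled or to be removed would not exclude it from the allow list — if such a flag exists in this repository it should be consulted here as well.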