bug#51487: The openssh service does not allow multiple authorized key files per user

[Vivien Kraus via Bug reports for GNU Guix]

Ludovic Courtès <l...@gnu.org> writes:
> I find it a bit hard to read.  What I had in mind is along these lines:
>
>   (match (openssh-authorized-keys config)
>     (((users _ ...) ...)
>      ;; Build a user/key-list mapping.
>      (let ((user-keys (fold (lambda (spec table)
>                               (match spec
>                                 ((user keys ...)
>                                  (vhash-cons user keys table))))
>                             vlist-null
>                             (openssh-authorized-keys config))))
>        ;; Coalesce the key lists associated with each user.
>        (map (lambda (user)
>               (concatenate (vhash-fold* cons '() user user-keys)))
>             users))))

That’s way cleaner. I didn’t know of vhash-fold*, it seems to save the
day!

(just fixing the final map function not to forget the user name in the
alist, and removing "spec")


From 7bc8abcfd5024f5269c36dc8cb44803eb0ab29ba Mon Sep 17 00:00:00 2001
From: Vivien Kraus <viv...@planete-kraus.eu>
Date: Fri, 29 Oct 2021 18:25:24 +0200
Subject: [PATCH] gnu: openssh-service: Collect all keys for all users.

* gnu/services/ssh.scm (extend-openssh-authorized-keys): ensure that no key is forgotten.
---
 gnu/services/ssh.scm | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index a018052eeb..92b470aa96 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -39,6 +39,7 @@ (define-module (gnu services ssh)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 match)
+  #:use-module (ice-9 vlist)
   #:export (lsh-configuration
             lsh-configuration?
             lsh-service
@@ -535,7 +536,19 @@ (define (extend-openssh-authorized-keys config keys)
   (openssh-configuration
    (inherit config)
    (authorized-keys
-    (append (openssh-authorized-keys config) keys))))
+    (match (openssh-authorized-keys config)
+      (((users _ ...) ...)
+       ;; Build a user/key-list mapping.
+       (let ((user-keys (fold (match-lambda*
+                                (((user keys ...) table)
+                                 (vhash-cons user keys table)))
+                              vlist-null
+                              (openssh-authorized-keys config))))
+         ;; Coalesce the key lists associated with each user.
+         (map (lambda (user)
+                `(,user
+                  ,@(concatenate (vhash-fold* cons '() user user-keys))))
+              users)))))))
 
 (define openssh-service-type
   (service-type (name 'openssh)
-- 
2.33.1


Vivien

signature.asc
Description: PGP signature