| author | Christian Breunig <christian@breunig.cc> | 2025-05-29 20:16:51 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-05-29 20:16:51 +0200 |
| commit | 08dc2e56bf4ad487709ec3849fe97ec24d5b35fe (patch) | |
| tree | 9c46650bbe0448accb0fabcf1b980cd598fdebbf /data | |
| parent | 2ca38e7c8d2487446d64b3ae945705012a2dc742 (diff) | |
| parent | 4b4bbd73b84c2c478c7752f58e7f66ec6d90459e (diff) | |
| download | vyos-1x-08dc2e56bf4ad487709ec3849fe97ec24d5b35fe.tar.gz vyos-1x-08dc2e56bf4ad487709ec3849fe97ec24d5b35fe.zip | |
Merge pull request #4266 from takehaya/T6013-trusted-ca-keys
T6013: Add support for AuthorizedPrincipalsFile to trusted_user_ca_key
Diffstat (limited to 'data')
| -rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 4 | ||||
| -rw-r--r-- | data/templates/login/authorized_keys.j2 | 1 | ||||
| -rw-r--r-- | data/templates/login/authorized_principals.j2 | 4 | ||||
| -rw-r--r-- | data/templates/ssh/sshd_config.j2 | 16 |
4 files changed, 22 insertions, 3 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 7506a0908..ccfc022f4 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -34,6 +34,7 @@
 "ipsec": ["vpn_ipsec"],
 "openconnect": ["vpn_openconnect"],
 "rpki": ["protocols_rpki"],
+ "ssh": ["service_ssh"],
 "sstp": ["vpn_sstp"],
 "sstpc": ["interfaces_sstpc"],
 "stunnel": ["service_stunnel"]
@@ -73,6 +74,9 @@
 "system_ipv6": {
 "sysctl": ["system_sysctl"]
 },
+ "system_login": {
+ "ssh": ["service_ssh"]
+ },
 "system_option": {
 "ip_ipv6": ["system_ip", "system_ipv6"],
 "sysctl": ["system_sysctl"]
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index 695b66abe..5b15f066a 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,5 +1,4 @@
 ### Automatically generated by system_login.py ###
-
 {% if authentication.public_keys is vyos_defined %}
 {% for key, key_options in authentication.public_keys.items() %}
 {# The whitespace after options is wisely chosen #}
diff --git a/data/templates/login/authorized_principals.j2 b/data/templates/login/authorized_principals.j2
new file mode 100644
index 000000000..16525e808
--- /dev/null
+++ b/data/templates/login/authorized_principals.j2
@@ -0,0 +1,4 @@
+### Automatically generated by system_login.py ###
+{% if authentication.principal is vyos_defined %}
+{{ '\n'.join(authentication.principal) }}
+{% endif %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 7e44efae8..1315bf2cb 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
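Review bot: In the new authorized_principals.j2 every value of `authentication.principal` is written verbatim as one line, and in the file format sshd reads for AuthorizedPrincipalsFile everything after the first whitespace on a line is parsed as key options while a leading `#` turns the line into a comment. If the CLI node behind `authentication.principal` does not already constrain values to a single token, a value with embedded whitespace or a leading `#` changes the meaning of that line instead of being rejected; the interface definition is the place to enforce that, and it is not part of this diff. The join also assumes `authentication.principal` always arrives as a list: a single value delivered as a plain string would be emitted one character per line, which is worth confirming against how system_login.py fetches the config dict. A short comment above the join, e.g. `{# one principal per line; values must not contain whitespace or start with '#' #}`, would make that contract visible to the next editor.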
@@ -111,6 +111,18 @@ ClientAliveInterval {{ client_keepalive_interval }}
 RekeyLimit {{ rekey.data }}M {{ rekey.time + 'M' if rekey.time is vyos_defined }}
 {% endif %}
-{% if trusted_user_ca_key is vyos_defined %}
-TrustedUserCAKeys /etc/ssh/trusted_user_ca_key
+{% if trusted_user_ca is vyos_defined %}
+# Specifies a file containing public keys of certificate authorities that are
+# trusted to sign user certificates for authentication
+TrustedUserCAKeys {{ get_default_config_file('sshd_user_ca') }}
+
+# The default is "none", i.e. not to use a principals file - in this case, the
+# username of the user must appear in a certificate's principals list for it
+# to be accepted. ".ssh/authorized_principals" means a per-user configuration,
+# relative to $HOME.
+{% set filename = 'none' %}
+{% if has_principals is vyos_defined %}
+{% set filename = '.ssh/authorized_principals' %}
+{% endif %}
+AuthorizedPrincipalsFile {{ filename }}
 {% endif %} |
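Review bot: `AuthorizedPrincipalsFile .ssh/authorized_principals` is a daemon-wide setting, yet the template enables it as soon as any single account defines principals (`has_principals`); per sshd_config(5), once a principals file is configured sshd no longer accepts a certificate merely because its principals list contains the login username, so certificate logins for accounts that have no `.ssh/authorized_principals` file would be refused. The comment added above the option only describes the `none` default and should spell out this consequence, e.g. `# Once a principals file is configured the username is no longer matched against the certificate's principals; every account using certificate login needs its own .ssh/authorized_principals.` Whether system_login.py writes a file listing the username for accounts without explicit principals cannot be seen from this diff and is worth confirming. The `{% if trusted_user_ca %}` block is complete within the hunk, but the surrounding template continues outside it.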
