Commit c8fe417

committed
Add systemd ephemeral authorized_keys to the instantiated service file on Fedora
Based on the following Fedora change pulling the systemd upstream service file: https://src.fedoraproject.org/rpms/openssh/pull-request/101 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
1 parent 35263d9 commit c8fe417

3 files changed

+17
-5
lines changed

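--- a/templates/sshd@.service.j2
+++ b/templates/sshd@.service.j2
@@ -24,15 +24,23 @@ EnvironmentFile=-{{ file }}
 {% endfor %}
 {% endif %}
 ExecStart=-{{ sshd_binary }} -i
-{%- for var in __sshd_environment_variable %} ${{ var }}{% endfor %} -f
-{%- if sshd_main_config_file is not none and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
-{{- sshd_main_config_file }}
-{% else %}
-{{- sshd_config_file }}
+{%- for var in __sshd_environment_variable %} ${{ var }}{% endfor -%}
+{%- if sshd_main_config_file is not none and sshd_config_file != sshd_main_config_file %}
+-f {% if and sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}
+{{ sshd_main_config_file -}}
+{%- else -%}
+{{ sshd_config_file -}}
+{%- endif -%}
+{%- endif -%}
+{%- if __sshd_service_ephemeral_authorized_keys %}
+-o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh/authorized_keys"
 {% endif %}
 StandardInput=socket
 {% if __sshd_runtime_directory is not none %}
 RuntimeDirectory={{ __sshd_runtime_directory }}
 RuntimeDirectoryPreserve=yes
 RuntimeDirectoryMode={{ __sshd_runtime_directory_mode }}
 {% endif %}
+{% if __sshd_service_ephemeral_authorized_keys %}
+ImportCredential=ssh.ephemeral-authorized_keys-all
+{% endif %}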
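Review bot: The condition on the new `-f` line, `{% if and sshd_config_file | dirname == ... %}`, is not a valid Jinja expression because `if` is followed directly by `and`, so rendering the unit should fail at template time; it presumably wants `-f {% if sshd_config_file | dirname == sshd_main_config_file ~ '.d' %}`. Separately, the added `-o "AuthorizedKeysFile …"` is a command-line option, which sshd should apply ahead of the configuration file. A host that sets `AuthorizedKeysFile` in its managed sshd_config (for example to a root-owned location) would therefore get `.ssh/authorized_keys` plus the credential file for socket-activated instances. Consider building the option from the role's configured `AuthorizedKeysFile` value when one is set, and add a template comment saying the override is intentional. The `-f` argument is also no longer emitted when `sshd_main_config_file` is none, which looks like a behaviour change for non-default `sshd_config_file` paths and is worth confirming.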

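--- a/vars/Fedora.yml
+++ b/vars/Fedora.yml
@@ -32,3 +32,4 @@ __sshd_service_wants:
 - sshd-keygen.target
 - ssh-host-keys-migration.service
 __sshd_service_restart_timeout: 42s
+__sshd_service_ephemeral_authorized_keys: "{{ ansible_facts['distribution_version'] is version('43', '>=') }}"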
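Review bot: The new `__sshd_service_ephemeral_authorized_keys` line turns the feature on for every Fedora 43+ host with no documented way to opt out. Role `vars/` values outrank inventory variables, so an operator who does not want keys from a systemd credential accepted could only disable it through extra vars. Judging by the credential name (`…-all`), the keys presumably apply to every account, which makes this a change to the host's authentication surface rather than a packaging detail. A public toggle that defaults to this expression would keep the Fedora behaviour while leaving a switch. At minimum, add a comment such as `# Fedora 43+ sshd@.service imports ssh.ephemeral-authorized_keys-all (see openssh PR 101)` so the version gate is explained where it is set.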

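--- a/vars/main.yml
+++ b/vars/main.yml
@@ -87,6 +87,9 @@ __sshd_service_wants: ~
 # The systemd service RestartSec directive
 __sshd_service_restart_timeout: ~
 
+# Plug the systemd ephemeral authorized keys to the instantiated service file
+__sshd_service_ephemeral_authorized_keys: false
+
 # The systemd socket file does not accept the connection
 __sshd_socket_accept: true
 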
