Got LDAP login working(needed to make sure nscd was the only app that loaded libnss_ldap.so)

master
noah metz 2023-11-26 14:58:54 -07:00
parent 7c351a0a04
commit 59e7e380ad
1 changed files with 32 additions and 134 deletions

@ -4,6 +4,7 @@
#:use-module (nongnu system linux-initrd)
#:use-module (nongnu packages linux)
#:use-module (guix gexp)
#:use-module (guix utils)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix build-system gnu)
@ -22,6 +23,7 @@
#:use-module (gnu services xorg)
#:use-module (gnu services base)
#:use-module (gnu packages linux)
#:use-module (gnu packages ssh)
#:use-module (gnu packages compression)
#:use-module (gnu packages libedit)
#:use-module (gnu packages hurd)
@ -29,6 +31,8 @@
#:use-module (gnu packages xorg)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages groff)
#:use-module (gnu packages gcc)
#:use-module (gnu packages commencement)
#:use-module (gnu packages security-token)
#:use-module (gnu packages vim)
#:use-module (gnu packages certs)
@ -66,130 +70,6 @@
#:export (%metznet-base-server-system)
#:export (%metznet-base-desktop-system))
(define openssh-ldap
(package
(name "openssh")
(version "9.3p1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
"openssh-" version ".tar.gz"))
(patches (search-patches "openssh-hurd.patch"
"openssh-trust-guix-store-directory.patch"))
(sha256
(base32
"1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9"))))
(build-system gnu-build-system)
(native-inputs (list groff pkg-config))
(propagated-inputs (list nss-pam-ldapd))
(inputs `(("libedit" ,libedit)
("openssl" ,openssl)
,@(if (hurd-target?)
'()
`(("pam" ,linux-pam)
("libfido2" ,libfido2))) ;fails to build on GNU/Hurd
("mit-krb5" ,mit-krb5)
("zlib" ,zlib)
("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y'
(arguments
`(#:test-target "tests"
;; Otherwise, the test scripts try to use a nonexistent directory and
;; fail.
#:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"")
#:configure-flags `("--sysconfdir=/etc/ssh"
;; Default value of 'PATH' used by sshd.
"--with-default-path=/run/current-system/profile/bin"
;; configure needs to find krb5-config.
,(string-append "--with-kerberos5="
(assoc-ref %build-inputs "mit-krb5")
"/bin")
;; libedit is needed for sftp completion.
"--with-libedit"
;; Enable PAM support in sshd.
,,@(if (hurd-target?)
'()
'("--with-pam"
;; Support creation and use of ecdsa-sk,
;; ed25519-sk keys.
"--with-security-key-builtin"))
;; "make install" runs "install -s" by default,
;; which doesn't work for cross-compiled binaries
;; because it invokes 'strip' instead of
;; 'TRIPLET-strip'. Work around this.
,,@(if (%current-target-system)
'("--disable-strip")
'()))
#:phases
(modify-phases %standard-phases
(add-after 'configure 'reset-/var/empty
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
(substitute* "Makefile"
(("PRIVSEP_PATH=/var/empty")
(string-append "PRIVSEP_PATH=" out "/var/empty"))))))
(add-after 'configure 'set-store-location
(lambda* _
(substitute* "misc.c"
(("@STORE_DIRECTORY@")
(string-append "\"" (%store-directory) "\"")))))
(add-before 'check 'patch-tests
(lambda _
(substitute* "regress/test-exec.sh"
(("/bin/sh") (which "sh")))
;; Remove 't-exec' regress target which requires user 'sshd'.
(substitute* (list "Makefile"
"regress/Makefile")
(("^(tests:.*) t-exec(.*)" all pre post)
(string-append pre post)))))
(replace 'install
(lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
;; Install without host keys and system configuration files.
;; This will install /var/empty to the store, which is needed
;; by the system openssh-service-type.
(apply invoke "make" "install-nosysconf" make-flags)
(with-directory-excursion "contrib"
(chmod "ssh-copy-id" #o555)
(install-file "ssh-copy-id"
(string-append out "/bin/"))
(install-file "ssh-copy-id.1"
(string-append out "/share/man/man1/")))))))))
(synopsis "Client and server for the secure shell (ssh) protocol")
(description
"The SSH2 protocol implemented in OpenSSH is standardised by the
IETF secsh working group and is specified in several RFCs and drafts.
It is composed of three layered components:
The transport layer provides algorithm negotiation and a key exchange.
The key exchange includes server authentication and results in a
cryptographically secured connection: it provides integrity, confidentiality
and optional compression.
The user authentication layer uses the established connection and relies on
the services provided by the transport layer. It provides several mechanisms
for user authentication. These include traditional password authentication
as well as public-key or host-based authentication mechanisms.
The connection layer multiplexes many different concurrent channels over the
authenticated connection and allows tunneling of login sessions and
TCP-forwarding. It provides a flow control service for these channels.
Additionally, various channel-specific options can be negotiated.")
(license (license:non-copyleft "file://LICENSE"
"See LICENSE in the distribution."))
(properties
'((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/")))
(home-page "https://www.openssh.com/")))
(define %domain-realm "METZNET.CA")
(define %domain-name "metznet.ca")
@ -216,7 +96,7 @@ Additionally, various channel-specific options can be negotiated.")
(name "usb")))
%base-groups))
(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
(define %metznet-base-packages (append (list binutils openssh nss-pam-ldapd strace openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
@ -269,8 +149,6 @@ Additionally, various channel-specific options can be negotiated.")
(shadow services)
(group services))))
; 1) need to create user directory on login
; 2) need to have /bin/zsh available to use as shell
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
@ -280,9 +158,14 @@ Additionally, various channel-specific options can be negotiated.")
(let ((sufficient
(pam-entry
(control "sufficient")
(module pam-ldap-module))))
(module pam-ldap-module)))
(required
(pam-entry
(control "required")
(module "pam_mkhomedir.so"))))
(pam-service
(inherit pam)
(session (cons required (pam-service-account pam)))
(password (cons sufficient (pam-service-account pam)))))
pam)))
@ -310,17 +193,31 @@ Additionally, various channel-specific options can be negotiated.")
(list
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
(service openssh-service-type (openssh-configuration
(openssh openssh-ldap)
(log-level 'debug3)
(extra-content "KerberosAuthentication yes")))
(service krb5-service-type %metznet-krb5-config)
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
(service metznet-service-type (list "su" "login" "sshd" "passwd"))
(service nslcd-service-type %metznet-nslcd-config)))
(service nslcd-service-type %metznet-nslcd-config)
(service metznet-service-type (list "su" "login" "sshd" "passwd"))))
(define %metznet-nscd-configuration (nscd-configuration
(caches (append (list
(nscd-cache
(database 'passwd)
(positive-time-to-live (* 3600 12))
(negative-time-to-live 20)
(persistent? #t))
(nscd-cache
(database 'group)
(positive-time-to-live (* 3600 12))
(negative-time-to-live 20)
(persistent? #t))
)
%nscd-default-caches))))
(define %metznet-desktop-services
(append %metznet-services
(modify-services %desktop-services
(nscd-service-type config => %metznet-nscd-configuration)
(guix-service-type config => (guix-configuration
(inherit config)
(substitute-urls
@ -345,7 +242,7 @@ Additionally, various channel-specific options can be negotiated.")
(network-manager-configuration (inherit config)
(vpn-plugins (list network-manager-openvpn)))))))
(define %metznet-server-services (append (append %metznet-services
(define %metznet-server-services (append (append %metznet-services
(list
(service dhcp-client-service-type)
(openvpn-client-service
@ -354,7 +251,8 @@ Additionally, various channel-specific options can be negotiated.")
(pid-file "/var/run/openvpn/client.pid")
(persist-key? #f)
(tls-auth "/etc/openvpn/ta.key"))))
%base-services)))
(modify-services %base-services
(nscd-service-type config => %metznet-nscd-configuration)))))
(define %metznet-base-operating-system
(operating-system