Added openssh-ldap to test libnss-pam-ldapd as a propagated-input to openssh

noah metz 2023-11-24 11:36:43 -07:00
parent 34e9460454
commit 7c351a0a04
2 changed files with 206 additions and 34 deletions

@ -12,4 +12,4 @@ VM_CPU ?= 4
.PHONY: machines/%
machines/%: machines/%.qcow2
$(eval OVMF := $(shell guix build ovmf))
qemu-system-x86_64 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
qemu-system-x86_64 -nic bridge,br=virbr0 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
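Review bot: The bridge name in the new qemu invocation is hard-coded while the VM's RAM and CPU count are already Make variables (`VM_CPU ?= 4` is visible in the hunk header); `VM_BRIDGE ?= virbr0` with `-nic bridge,br=$(VM_BRIDGE)` would keep the recipe consistent and let a developer point the test VM at an isolated bridge. Attaching the VM to a bridge also exposes its sshd and nslcd directly on that network segment instead of behind qemu's default user-mode NAT, and `-nic bridge` depends on the host's bridge-helper ACL (qemu's bridge.conf) listing that bridge, which the Makefile does not state. A one-line comment above the recipe, such as `# VM is bridged onto $(VM_BRIDGE): requires the bridge in qemu's bridge.conf ACL`, would make both expectations explicit. The rest of the `machines/%` recipe is unchanged.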

@ -1,38 +1,52 @@
(define-module (system base-system)
#:use-module (metznet)
#:use-module (gnu)
#:use-module (guix gexp)
#:use-module (ice-9 exceptions)
#:use-module (nongnu system linux-initrd)
#:use-module (nongnu packages linux)
#:use-module (gnu packages linux)
#:use-module (gnu packages vim)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix build-system gnu)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (gnu)
#:use-module (gnu system setuid)
#:use-module (gnu system nss)
#:use-module (gnu packages certs)
#:use-module (gnu system pam)
#:use-module (gnu services pm)
#:use-module (gnu services authentication)
#:use-module (gnu services vpn)
#:use-module (gnu packages vpn)
#:use-module (gnu services networking)
#:use-module (gnu packages networking)
#:use-module (gnu services ssh)
#:use-module (gnu services kerberos)
#:use-module (gnu services desktop)
#:use-module (gnu services xorg)
#:use-module (gnu services base)
#:use-module (gnu packages linux)
#:use-module (gnu packages compression)
#:use-module (gnu packages libedit)
#:use-module (gnu packages hurd)
#:use-module (gnu packages tls)
#:use-module (gnu packages xorg)
#:use-module (gnu packages pkg-config)
#:use-module (gnu packages groff)
#:use-module (gnu packages security-token)
#:use-module (gnu packages vim)
#:use-module (gnu packages certs)
#:use-module (gnu packages vpn)
#:use-module (gnu packages networking)
#:use-module (gnu packages dns)
#:use-module (gnu packages base)
#:use-module (gnu packages openldap)
#:use-module (gnu services kerberos)
#:use-module (gnu packages kerberos)
#:use-module (gnu packages admin)
#:use-module (gnu packages shells)
#:use-module (gnu services desktop)
#:use-module (gnu packages gnome)
#:use-module (gnu packages wm)
#:use-module (gnu services xorg)
#:use-module (gnu packages suckless)
#:use-module (gnu packages gnuzilla)
#:use-module (gnu packages terminals)
#:use-module (gnu packages virtualization)
#:use-module (gnu packages version-control)
#:use-module (nongnu system linux-initrd)
#:use-module (gnu system setuid)
#:use-module (ice-9 exceptions)
#:export (%domain-realm)
#:export (%domain-name)
#:export (%domain-kadmin)
@ -52,6 +66,130 @@
#:export (%metznet-base-server-system)
#:export (%metznet-base-desktop-system))
(define openssh-ldap
(package
(name "openssh")
(version "9.3p1")
(source (origin
(method url-fetch)
(uri (string-append "mirror://openbsd/OpenSSH/portable/"
"openssh-" version ".tar.gz"))
(patches (search-patches "openssh-hurd.patch"
"openssh-trust-guix-store-directory.patch"))
(sha256
(base32
"1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9"))))
(build-system gnu-build-system)
(native-inputs (list groff pkg-config))
(propagated-inputs (list nss-pam-ldapd))
(inputs `(("libedit" ,libedit)
("openssl" ,openssl)
,@(if (hurd-target?)
'()
`(("pam" ,linux-pam)
("libfido2" ,libfido2))) ;fails to build on GNU/Hurd
("mit-krb5" ,mit-krb5)
("zlib" ,zlib)
("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y'
(arguments
`(#:test-target "tests"
;; Otherwise, the test scripts try to use a nonexistent directory and
;; fail.
#:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"")
#:configure-flags `("--sysconfdir=/etc/ssh"
;; Default value of 'PATH' used by sshd.
"--with-default-path=/run/current-system/profile/bin"
;; configure needs to find krb5-config.
,(string-append "--with-kerberos5="
(assoc-ref %build-inputs "mit-krb5")
"/bin")
;; libedit is needed for sftp completion.
"--with-libedit"
;; Enable PAM support in sshd.
,,@(if (hurd-target?)
'()
'("--with-pam"
;; Support creation and use of ecdsa-sk,
;; ed25519-sk keys.
"--with-security-key-builtin"))
;; "make install" runs "install -s" by default,
;; which doesn't work for cross-compiled binaries
;; because it invokes 'strip' instead of
;; 'TRIPLET-strip'. Work around this.
,,@(if (%current-target-system)
'("--disable-strip")
'()))
#:phases
(modify-phases %standard-phases
(add-after 'configure 'reset-/var/empty
(lambda* (#:key outputs #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
(substitute* "Makefile"
(("PRIVSEP_PATH=/var/empty")
(string-append "PRIVSEP_PATH=" out "/var/empty"))))))
(add-after 'configure 'set-store-location
(lambda* _
(substitute* "misc.c"
(("@STORE_DIRECTORY@")
(string-append "\"" (%store-directory) "\"")))))
(add-before 'check 'patch-tests
(lambda _
(substitute* "regress/test-exec.sh"
(("/bin/sh") (which "sh")))
;; Remove 't-exec' regress target which requires user 'sshd'.
(substitute* (list "Makefile"
"regress/Makefile")
(("^(tests:.*) t-exec(.*)" all pre post)
(string-append pre post)))))
(replace 'install
(lambda* (#:key outputs (make-flags '()) #:allow-other-keys)
(let ((out (assoc-ref outputs "out")))
;; Install without host keys and system configuration files.
;; This will install /var/empty to the store, which is needed
;; by the system openssh-service-type.
(apply invoke "make" "install-nosysconf" make-flags)
(with-directory-excursion "contrib"
(chmod "ssh-copy-id" #o555)
(install-file "ssh-copy-id"
(string-append out "/bin/"))
(install-file "ssh-copy-id.1"
(string-append out "/share/man/man1/")))))))))
(synopsis "Client and server for the secure shell (ssh) protocol")
(description
"The SSH2 protocol implemented in OpenSSH is standardised by the
IETF secsh working group and is specified in several RFCs and drafts.
It is composed of three layered components:
The transport layer provides algorithm negotiation and a key exchange.
The key exchange includes server authentication and results in a
cryptographically secured connection: it provides integrity, confidentiality
and optional compression.
The user authentication layer uses the established connection and relies on
the services provided by the transport layer. It provides several mechanisms
for user authentication. These include traditional password authentication
as well as public-key or host-based authentication mechanisms.
The connection layer multiplexes many different concurrent channels over the
authenticated connection and allows tunneling of login sessions and
TCP-forwarding. It provides a flow control service for these channels.
Additionally, various channel-specific options can be negotiated.")
(license (license:non-copyleft "file://LICENSE"
"See LICENSE in the distribution."))
(properties
'((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/")))
(home-page "https://www.openssh.com/")))
(define %domain-realm "METZNET.CA")
(define %domain-name "metznet.ca")
@ -78,7 +216,7 @@
(name "usb")))
%base-groups))
(define %metznet-base-packages (append (list glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages))
(define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages))
@ -124,8 +262,8 @@
"RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\""))
(define %metznet-name-service-switch
(let ((services (list (name-service (name "files"))
(name-service (name "ldap")))))
(let ((services (list (name-service (name "ldap"))
(name-service (name "files")))))
(name-service-switch
(password services)
(shadow services)
@ -134,18 +272,54 @@
; 1) need to create user directory on login
; 2) need to have /bin/zsh available to use as shell
(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so"))
(define (metznet-pam-service config)
(lambda (pam)
(if (member (pam-service-name pam) config)
(let ((sufficient
(pam-entry
(control "sufficient")
(module pam-ldap-module))))
(pam-service
(inherit pam)
(password (cons sufficient (pam-service-account pam)))))
pam)))
(define (metznet-pam-services config)
(list (metznet-pam-service config)))
(define metznet-service-type
(service-type
(name 'metznet-service)
(description "MetzNet Services")
(extensions
(list (service-extension pam-root-service-type metznet-pam-services)))
(default-value '())))
(define %metznet-nslcd-config (nslcd-configuration
(base "dc=metznet,dc=ca")
(log '("/var/log/nslcd" debug))
(pam-services (list "su" "login" "password" "ssh" "passwd"))
(pam-services (list "su" "login" "sshd" "passwd"))
(filters (list '(group "(objectClass=posixGroupAux)")))
(binddn (or (getenv "LDAP_BINDDN") ""))
(bindpw (or (getenv "LDAP_BINDPW") ""))
(uri (list "ldap://ldap.metznet.ca"))))
(define %metznet-services
(list
(simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh"))
(service openssh-service-type (openssh-configuration
(openssh openssh-ldap)
(log-level 'debug3)
(extra-content "KerberosAuthentication yes")))
(service krb5-service-type %metznet-krb5-config)
(service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000)))
(service metznet-service-type (list "su" "login" "sshd" "passwd"))
(service nslcd-service-type %metznet-nslcd-config)))
(define %metznet-desktop-services
(append (list (service openssh-service-type)
(service krb5-service-type %metznet-krb5-config)
(service nslcd-service-type %metznet-nslcd-config))
(append %metznet-services
(modify-services %desktop-services
(guix-service-type config => (guix-configuration
(inherit config)
@ -171,18 +345,16 @@
(network-manager-configuration (inherit config)
(vpn-plugins (list network-manager-openvpn)))))))
(define %metznet-server-services (append (list
(service openssh-service-type)
(service krb5-service-type %metznet-krb5-config)
(service nslcd-service-type %metznet-nslcd-config)
(service dhcp-client-service-type)
(openvpn-client-service
#:config (openvpn-client-configuration
(openvpn openvpn)
(pid-file "/var/run/openvpn/client.pid")
(persist-key? #f)
(tls-auth "/etc/openvpn/ta.key"))))
%base-services))
(define %metznet-server-services (append (append %metznet-services
(list
(service dhcp-client-service-type)
(openvpn-client-service
#:config (openvpn-client-configuration
(openvpn openvpn)
(pid-file "/var/run/openvpn/client.pid")
(persist-key? #f)
(tls-auth "/etc/openvpn/ta.key"))))
%base-services)))
(define %metznet-base-operating-system
(operating-system
@ -218,7 +390,7 @@
(users %metznet-base-user-accounts)
(groups %metznet-base-groups)
(packages %metznet-base-packages)
(services %metznet-base-services)))
(services (append %metznet-services %base-services))))
(define %metznet-base-server-system
(operating-system
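Review bot: In metznet-pam-service the new pam-service fills its `password` stack from `(pam-service-account pam)`, so the original password entries are dropped and the account entries are copied into the password stack; either the field or the accessor looks wrong, and if the password stack is intended the line should read `(password (cons sufficient (pam-service-password pam)))`. `(log-level 'debug3)` in the openssh-configuration now applies to every system built on %metznet-services, including the server variant, and debug3 sshd logs are extremely verbose, so it should be dropped or confined to the test VM. openssh-ldap copies the whole upstream package definition pinned at 9.3p1 instead of `(package (inherit openssh) (propagated-inputs (list nss-pam-ldapd)))`, which means security updates to Guix's openssh will not reach this variant; I also don't see how a propagated input changes sshd's runtime behaviour, since pam_ldap is selected through the PAM and nsswitch configuration this commit already sets up, so a comment stating what the variant is meant to test would help. Putting `ldap` ahead of `files` in %metznet-name-service-switch additionally means local accounts such as root resolve only after an LDAP round-trip, so an unreachable nslcd delays every login; the conventional `files` then `ldap` order avoids that.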