From 7c351a0a0493567abf8efa5202054209c127c486 Mon Sep 17 00:00:00 2001
From: Noah Metz
Date: Fri, 24 Nov 2023 11:36:43 -0700
Subject: [PATCH] Added openssh-ldap to test libnss-pam-ldapd as an propagated-input to openssh

---
 Makefile | 2 +-
 system/base-system.scm | 238 +++++++++++++++++++++++++++++++++++------
 2 files changed, 206 insertions(+), 34 deletions(-)

diff --git a/Makefile b/Makefile
index b06b951..44bfc11 100644
--- a/Makefile
+++ b/Makefile
@@ -12,4 +12,4 @@ VM_CPU ?= 4
 .PHONY: machines/%
 machines/%: machines/%.qcow2
 $(eval OVMF := $(shell guix build ovmf))
- qemu-system-x86_64 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
+ qemu-system-x86_64 -nic bridge,br=virbr0 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
diff --git a/system/base-system.scm b/system/base-system.scm
index ec559c7..2dd6d2c 100644
--- a/system/base-system.scm
+++ b/system/base-system.scm
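Review bot: `-nic bridge,br=virbr0` moves the test VM off QEMU's default user-mode NAT onto a host bridge, so the guest — which this same commit configures with sshd at `debug3` plus LDAP/Kerberos authentication — becomes a directly reachable peer of whatever else sits on virbr0. That is presumably intentional (nslcd has to reach ldap.metznet.ca), but it is a reachability change that deserves a one-line comment in the Makefile, and as far as I recall bridged mode also depends on qemu-bridge-helper being allowed for that bridge (e.g. an `allow virbr0` entry in /etc/qemu/bridge.conf), which a fresh host will not have. For consistency with `VM_RAM`/`VM_CPU` I would make it overridable: `VM_BRIDGE ?= virbr0` and `-nic bridge,br=$(VM_BRIDGE)`.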
@@ -1,38 +1,52 @@
 (define-module (system base-system)
 #:use-module (metznet)
- #:use-module (gnu)
- #:use-module (guix gexp)
+ #:use-module (ice-9 exceptions)
+ #:use-module (nongnu system linux-initrd)
 #:use-module (nongnu packages linux)
- #:use-module (gnu packages linux)
- #:use-module (gnu packages vim)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:use-module (guix download)
+ #:use-module (guix build-system gnu)
+ #:use-module ((guix licenses) #:prefix license:)
+ #:use-module (gnu)
+ #:use-module (gnu system setuid)
 #:use-module (gnu system nss)
- #:use-module (gnu packages certs)
+ #:use-module (gnu system pam)
 #:use-module (gnu services pm)
 #:use-module (gnu services authentication)
 #:use-module (gnu services vpn)
- #:use-module (gnu packages vpn)
 #:use-module (gnu services networking)
- #:use-module (gnu packages networking)
 #:use-module (gnu services ssh)
+ #:use-module (gnu services kerberos)
+ #:use-module (gnu services desktop)
+ #:use-module (gnu services xorg)
+ #:use-module (gnu services base)
+ #:use-module (gnu packages linux)
+ #:use-module (gnu packages compression)
+ #:use-module (gnu packages libedit)
+ #:use-module (gnu packages hurd)
+ #:use-module (gnu packages tls)
+ #:use-module (gnu packages xorg)
+ #:use-module (gnu packages pkg-config)
+ #:use-module (gnu packages groff)
+ #:use-module (gnu packages security-token)
+ #:use-module (gnu packages vim)
+ #:use-module (gnu packages certs)
+ #:use-module (gnu packages vpn)
+ #:use-module (gnu packages networking)
 #:use-module (gnu packages dns)
 #:use-module (gnu packages base)
 #:use-module (gnu packages openldap)
- #:use-module (gnu services kerberos)
 #:use-module (gnu packages kerberos)
 #:use-module (gnu packages admin)
 #:use-module (gnu packages shells)
- #:use-module (gnu services desktop)
 #:use-module (gnu packages gnome)
 #:use-module (gnu packages wm)
- #:use-module (gnu services xorg)
 #:use-module (gnu packages suckless)
 #:use-module (gnu packages gnuzilla)
 #:use-module (gnu packages terminals)
 #:use-module (gnu packages virtualization)
 #:use-module (gnu packages version-control)
- #:use-module (nongnu system linux-initrd)
- #:use-module (gnu system setuid)
- #:use-module (ice-9 exceptions)
 #:export (%domain-realm)
 #:export (%domain-name)
 #:export (%domain-kadmin)
@@ -52,6 +66,130 @@ #:export (%metznet-base-server-system) #:export (%metznet-base-desktop-system)) +(define openssh-ldap + (package + (name "openssh") + (version "9.3p1") + (source (origin + (method url-fetch) + (uri (string-append "mirror://openbsd/OpenSSH/portable/" + "openssh-" version ".tar.gz")) + (patches (search-patches "openssh-hurd.patch" + "openssh-trust-guix-store-directory.patch")) + (sha256 + (base32 + "1a7qia3c255igny5kf00m5zxkp69lf1w6qjsv3rm2sm705vvmfp9")))) + (build-system gnu-build-system) + (native-inputs (list groff pkg-config)) + (propagated-inputs (list nss-pam-ldapd)) + (inputs `(("libedit" ,libedit) + ("openssl" ,openssl) + ,@(if (hurd-target?) + '() + `(("pam" ,linux-pam) + ("libfido2" ,libfido2))) ;fails to build on GNU/Hurd + ("mit-krb5" ,mit-krb5) + ("zlib" ,zlib) + ("xauth" ,xauth))) ; for 'ssh -X' and 'ssh -Y' + (arguments + `(#:test-target "tests" + ;; Otherwise, the test scripts try to use a nonexistent directory and + ;; fail. + #:make-flags '("REGRESSTMP=\"$${BUILDDIR}/regress\"") + #:configure-flags `("--sysconfdir=/etc/ssh" + + ;; Default value of 'PATH' used by sshd. + "--with-default-path=/run/current-system/profile/bin" + + ;; configure needs to find krb5-config. + ,(string-append "--with-kerberos5=" + (assoc-ref %build-inputs "mit-krb5") + "/bin") + + ;; libedit is needed for sftp completion. + "--with-libedit" + + ;; Enable PAM support in sshd. + ,,@(if (hurd-target?) + '() + '("--with-pam" + + ;; Support creation and use of ecdsa-sk, + ;; ed25519-sk keys. + "--with-security-key-builtin")) + + + + ;; "make install" runs "install -s" by default, + ;; which doesn't work for cross-compiled binaries + ;; because it invokes 'strip' instead of + ;; 'TRIPLET-strip'. Work around this. 
+ ,,@(if (%current-target-system) + '("--disable-strip") + '())) + + #:phases + (modify-phases %standard-phases + (add-after 'configure 'reset-/var/empty + (lambda* (#:key outputs #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + (substitute* "Makefile" + (("PRIVSEP_PATH=/var/empty") + (string-append "PRIVSEP_PATH=" out "/var/empty")))))) + (add-after 'configure 'set-store-location + (lambda* _ + (substitute* "misc.c" + (("@STORE_DIRECTORY@") + (string-append "\"" (%store-directory) "\""))))) + (add-before 'check 'patch-tests + (lambda _ + (substitute* "regress/test-exec.sh" + (("/bin/sh") (which "sh"))) + + ;; Remove 't-exec' regress target which requires user 'sshd'. + (substitute* (list "Makefile" + "regress/Makefile") + (("^(tests:.*) t-exec(.*)" all pre post) + (string-append pre post))))) + (replace 'install + (lambda* (#:key outputs (make-flags '()) #:allow-other-keys) + (let ((out (assoc-ref outputs "out"))) + ;; Install without host keys and system configuration files. + ;; This will install /var/empty to the store, which is needed + ;; by the system openssh-service-type. + (apply invoke "make" "install-nosysconf" make-flags) + (with-directory-excursion "contrib" + (chmod "ssh-copy-id" #o555) + (install-file "ssh-copy-id" + (string-append out "/bin/")) + (install-file "ssh-copy-id.1" + (string-append out "/share/man/man1/"))))))))) + (synopsis "Client and server for the secure shell (ssh) protocol") + (description + "The SSH2 protocol implemented in OpenSSH is standardised by the +IETF secsh working group and is specified in several RFCs and drafts. +It is composed of three layered components: + +The transport layer provides algorithm negotiation and a key exchange. +The key exchange includes server authentication and results in a +cryptographically secured connection: it provides integrity, confidentiality +and optional compression. 
+ +The user authentication layer uses the established connection and relies on +the services provided by the transport layer. It provides several mechanisms +for user authentication. These include traditional password authentication +as well as public-key or host-based authentication mechanisms. + +The connection layer multiplexes many different concurrent channels over the +authenticated connection and allows tunneling of login sessions and +TCP-forwarding. It provides a flow control service for these channels. +Additionally, various channel-specific options can be negotiated.") + (license (license:non-copyleft "file://LICENSE" + "See LICENSE in the distribution.")) + (properties + '((release-monitoring-url . "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/"))) + (home-page "https://www.openssh.com/"))) + (define %domain-realm "METZNET.CA") (define %domain-name "metznet.ca") @@ -78,7 +216,7 @@ (name "usb"))) %base-groups)) -(define %metznet-base-packages (append (list glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages)) +(define %metznet-base-packages (append (list openssh-ldap nss-pam-ldapd glibc openldap git neovim zsh le-certs nss-certs mit-krb5 openvpn openresolv) %base-packages)) (define %metznet-desktop-packages (append (list i3-wm i3status dmenu kitty icecat) %metznet-base-packages)) @@ -124,8 +262,8 @@ "RUN+=\"/bin/chgrp video /sys/class/backlight/intel_backlight/brightness\"")) (define %metznet-name-service-switch - (let ((services (list (name-service (name "files")) - (name-service (name "ldap"))))) + (let ((services (list (name-service (name "ldap")) + (name-service (name "files"))))) (name-service-switch (password services) (shadow services) 
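Review bot: The new `openssh-ldap` is a verbatim copy of Guix's openssh recipe pinned at 9.3p1 rather than a derivation of it, so it will never follow the distribution's openssh updates — and by this commit's date upstream had already moved past 9.3p1 (9.3p2 was, as I recall, a security point release for ssh-agent) — while the only intended difference is the propagated input. The same effect with none of the drift is `(define openssh-ldap (package (inherit openssh) (propagated-inputs (list nss-pam-ldapd))))` plus `#:use-module (gnu packages ssh)` in the module header, which keeps the hash, patches and build phases in sync with upstream. Note also that propagating nss-pam-ldapd from openssh only drops it into profiles that install openssh; whether sshd's PAM stack finds `pam_ldap.so` is decided by the PAM configuration (the `file-append` later in this patch), not by this input, so it is worth confirming the propagated-input actually changes anything before keeping the fork.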
@@ -134,18 +272,54 @@ ; 1) need to create user directory on login ; 2) need to have /bin/zsh available to use as shell +(define pam-ldap-module (file-append nss-pam-ldapd "/lib/security/pam_ldap.so")) + +(define (metznet-pam-service config) + (lambda (pam) + (if (member (pam-service-name pam) config) + (let ((sufficient + (pam-entry + (control "sufficient") + (module pam-ldap-module)))) + (pam-service + (inherit pam) + (password (cons sufficient (pam-service-account pam))))) + pam))) + +(define (metznet-pam-services config) + (list (metznet-pam-service config))) + +(define metznet-service-type + (service-type + (name 'metznet-service) + (description "MetzNet Services") + (extensions + (list (service-extension pam-root-service-type metznet-pam-services))) + (default-value '()))) + (define %metznet-nslcd-config (nslcd-configuration (base "dc=metznet,dc=ca") (log '("/var/log/nslcd" debug)) - (pam-services (list "su" "login" "password" "ssh" "passwd")) + (pam-services (list "su" "login" "sshd" "passwd")) + (filters (list '(group "(objectClass=posixGroupAux)"))) (binddn (or (getenv "LDAP_BINDDN") "")) (bindpw (or (getenv "LDAP_BINDPW") "")) (uri (list "ldap://ldap.metznet.ca")))) +(define %metznet-services + (list + (simple-service 'metznet-ln-service activation-service-type #~(symlink "/run/current-system/profile/bin/zsh" "/bin/zsh")) + (service openssh-service-type (openssh-configuration + (openssh openssh-ldap) + (log-level 'debug3) + (extra-content "KerberosAuthentication yes"))) + (service krb5-service-type %metznet-krb5-config) + (service pam-krb5-service-type (pam-krb5-configuration (pam-krb5 pam-krb5) (minimum-uid 1000))) + (service metznet-service-type (list "su" "login" "sshd" "passwd")) + (service nslcd-service-type %metznet-nslcd-config))) + (define %metznet-desktop-services - (append (list (service openssh-service-type) - (service krb5-service-type %metznet-krb5-config) - (service nslcd-service-type %metznet-nslcd-config)) + (append %metznet-services 
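Review bot: Swapping the order so `ldap` precedes `files` in the passwd/shadow/group switch means local accounts — root and the system users created at boot included — are now resolved through nslcd first, so when the directory is unreachable every such lookup waits on nslcd's timeouts before falling through to /etc/passwd, and a directory entry whose name or uid collides with a local account takes precedence over it. The conventional and safer order is local files first, i.e. keep `(name-service (name "files"))` ahead of `(name-service (name "ldap"))`; if the swap is deliberate it needs a comment saying why, and I do not see one in the hunk. The `%metznet-name-service-switch` definition continues past the end of this hunk.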
(modify-services %desktop-services (guix-service-type config => (guix-configuration (inherit config) @@ -171,18 +345,16 @@ (network-manager-configuration (inherit config) (vpn-plugins (list network-manager-openvpn))))))) -(define %metznet-server-services (append (list - (service openssh-service-type) - (service krb5-service-type %metznet-krb5-config) - (service nslcd-service-type %metznet-nslcd-config) - (service dhcp-client-service-type) - (openvpn-client-service - #:config (openvpn-client-configuration - (openvpn openvpn) - (pid-file "/var/run/openvpn/client.pid") - (persist-key? #f) - (tls-auth "/etc/openvpn/ta.key")))) - %base-services)) +(define %metznet-server-services (append (append %metznet-services + (list + (service dhcp-client-service-type) + (openvpn-client-service + #:config (openvpn-client-configuration + (openvpn openvpn) + (pid-file "/var/run/openvpn/client.pid") + (persist-key? #f) + (tls-auth "/etc/openvpn/ta.key")))) + %base-services))) (define %metznet-base-operating-system (operating-system @@ -218,7 +390,7 @@ (users %metznet-base-user-accounts) (groups %metznet-base-groups) (packages %metznet-base-packages) - (services %metznet-base-services))) + (services (append %metznet-services %base-services)))) (define %metznet-base-server-system (operating-system
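Review bot: In `metznet-pam-service` the rebuilt stack is taken from the wrong field: `(password (cons sufficient (pam-service-account pam)))` replaces the service's `password` entries with its `account` entries plus pam_ldap, so the original password-phase modules are dropped and account-phase entries run during password changes; either `(password (cons sufficient (pam-service-password pam)))` or `(account (cons sufficient (pam-service-account pam)))` was meant, and if pam_ldap is wanted in every phase each field needs its own entry. Placing pam_ldap as `sufficient` at the head of the stack also means a successful LDAP result short-circuits everything after it, including whatever `pam-krb5-service-type` adds, so the intended precedence between LDAP and Kerberos should be stated in a comment. If `nslcd-service-type` already injects pam_ldap for the services listed in `pam-services` (the same four names are passed to both), this extension adds the module twice; and with the directory reached over plain `ldap://` and `bindpw` read from the build environment, both the service credentials and pam_ldap's per-user binds travel in cleartext unless TLS is configured somewhere not shown here. Finally, `(log-level 'debug3)` on sshd and `debug` on nslcd are reasonable for this experiment but should not remain in the shared base system.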
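Review bot: The nested `(append (append %metznet-services (list …)) %base-services)` in `%metznet-server-services` is harder to read than it needs to be; `append` is variadic, so `(append %metznet-services (list …) %base-services)` gives the same list. It would also be worth a comment that `%metznet-services` now brings sshd, krb5 and nslcd into the server role, since that is no longer visible from this definition alone.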