Added public key authentication from ldap

2023-12-04 13:03:23 -07:00 · 2023-12-04 13:03:23 -07:00 · da44d9c068
parent 73cb2895b5
commit da44d9c068
2 changed files with 55 additions and 5 deletions
--- a/6
+++ b/6
@ -13,9 +13,9 @@ VM_CPU ?= 4

 %: %.qcow2
 	$(eval OVMF := $(shell guix build $(GUIX_SUBSTITUTE_FLAG) ovmf))
-	qemu-system-x86_64 -nic user,model=virtio-net-pci -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin
+	qemu-system-x86_64 -nic bridge,br=virbr0 -enable-kvm -hda $< -m $(VM_RAM) -smp $(VM_CPU) -bios $(OVMF)/share/firmware/ovmf_x64.bin

 .PHONY: %
 %-ro: %.scm
-	$(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $< --expose=$(PWD)/pki=/var/lib/openvpn))
-	$(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic user,model=virtio-net-pci
+	$(eval VM_SCRIPT := $(shell guix system $(GUIX_LIB_FLAGS) $(GUIX_SUBSTITUTE_FLAG) vm $<))
+	$(VM_SCRIPT) -m $(VM_RAM) -smp $(VM_CPU) -nic bridge,br=virbr0
--- a/metznet/system/base-system.scm
+++ b/metznet/system/base-system.scm
@ -1,6 +1,8 @@
 (define-module (metznet system base-system)
  #:use-module (guix gexp)

+  #:use-module (metznet golang)
+
  #:use-module (gnu bootloader)
  #:use-module (gnu bootloader grub)
  #:use-module (gnu system accounts)
@ -251,11 +253,59 @@
                                                                            "LDAP_AUTHTOK")
                                                                        %unset-value))))))))

+
+(define pubkey-command
+  (program-file "pubkey-command"
+                (with-imported-modules '((guix build utils))
+                                       #~(begin
+                                           (use-modules (guix build utils) (ice-9 format)  (ice-9 popen) (ice-9 textual-ports))
+                                           (define* (shell-command-to-string
+                                                     cmd)
+                                             (catch 'shell-command-error
+                                                    (lambda ()
+                                                      (let* ((port (open-pipe
+                                                                    cmd
+                                                                    OPEN_READ))
+                                                             (str (get-string-all
+                                                                   port))
+                                                             (wtpd (close-pipe
+                                                                    port))
+                                                             (xval (status:exit-val
+                                                                    wtpd)))
+                                                        (if (or (eqv? xval #f)
+                                                                (> xval 0))
+                                                            (throw 'shell-command-error
+                                                                   cmd str))
+                                                        str))
+                                                    (lambda (key cmd str)
+                                                      (simple-format #t
+                                                       "ERROR: in command ~a\nstring: ~a\n"
+                                                       cmd str)
+                                                      (throw 'error-in-shell-command-to-string
+                                                             cmd str))))
+
+                                           (display (shell-command-to-string (string-join
+                                                                     (list #$(file-append
+                                                                              metznet-pubkey
+                                                                              "/bin/pubkey")
+                                                                      "ldaps://ldap.metznet.ca"
+                                                                      "uid=guix,ou=system,ou=accounts,dc=metznet,dc=ca"
+                                                                      #$(or (getenv "LDAP_AUTHTOK") "")
+                                                                      "dc=metznet,dc=ca"
+                                                                      (list-ref (command-line) 1))
+                                                                     " ")))))))
+
 (define %metznet-services
  (list (service openssh-service-type
                 (openssh-configuration (password-authentication? #f)
-                                        (extra-content
-                                         "KerberosAuthentication yes")))
+                                                  (extra-content #~(string-join
+                                                                    (list
+                                                                     "AuthorizedKeysCommandUser root"
+                                                                     (string-append
+                                                                      "AuthorizedKeysCommand "
+                                                                      #$pubkey-command)
+                                                                     "KerberosAuthentication yes")
+                                                                    "\n"))))
        (service krb5-service-type %metznet-krb5-config)
        (service pam-krb5-service-type
                 (pam-krb5-configuration (pam-krb5 pam-krb5)