[sshd][assembly] Add CA-issued key support and single authorized key in config data

These allow the removal of sshd configs in vendored repos, by
using a single sshd config file that will work for all build-
types that have sshd enabled, relying on the presence of the
keys themselves to enable these features.

Also convert tabs to spaces to normalize usage within the file.

Bug: 127376
Change-Id: I2b1edbc5e06a7e0abb31e9b6edb134b505bc9c6c
Reviewed-on: https://fuchsia-review.googlesource.com/c/third_party/openssh-portable/+/860484
Reviewed-by: Mark Dittmer <markdittmer@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
Fuchsia-Auto-Submit: Aaron Wood <aaronwood@google.com>
diff --git a/fuchsia/sshd_config b/fuchsia/sshd_config
index d750808..9db9088 100644
--- a/fuchsia/sshd_config
+++ b/fuchsia/sshd_config
@@ -6,11 +6,19 @@
 #   /data - authorized_keys are typically read from here when running on hardware, copied into minfs
 #           during the paving process.
 #   /boot - authorized_keys should only present be in bootfs when running Fuchsia in an emulator.
-#   authorized_keys_for_test_infra - This file is not expected to be present on any standard build,
-#           only on builds produced for automated testing. See go/fuchsia-ssh-for-testing.
+#   /config/data/authorized_keys - This file is not expected to be present on standard builds, only
+#           on those that need to inject keys for special circumstances, such as when being tested
+#           from automated infrastructure.
+#           see go/fuchsia-ssh-for-testing for more informaton on that.
+#   /config/data/authorized_keys_for_test_infra - This file is being transitioned away from.
 #
 # These are combined since the sshd will only use the first AuthorizedKeysFile line.
-AuthorizedKeysFile /data/ssh/authorized_keys /boot/data/ssh/authorized_keys /config/data/authorized_keys_for_test_infra
+AuthorizedKeysFile /data/ssh/authorized_keys /boot/data/ssh/authorized_keys /config/data/authorized_keys_for_test_infra /config/data/authorized_keys
+
+# Enable SSH using Certificate Authority-issued SSH credentials.  These are not expected to be
+# present in most builds, and products will add keys to this location in config-data to enable this
+# feature.
+TrustedUserCAKeys /config/data/ssh_ca_pub_keys
 
 # We disallow password authentication completely (it's unsupported irrespective of this
 # configuration), so all auth is key-based. Bump the MaxAuthTries limit to accommodate users with
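Review bot: the added `TrustedUserCAKeys /config/data/ssh_ca_pub_keys` line has no accompanying `AuthorizedPrincipalsFile`, and its comment does not say which principals a certificate must carry. With this configuration sshd accepts any certificate signed by a listed CA whose principals include the login user name, so either state that expectation in the comment or add an `AuthorizedPrincipalsFile`, so products know how narrowly their CA has to issue. Because both this file and `/config/data/authorized_keys` enable access simply by being present, the comment should also name the build types that are expected to ship them. Minor: "informaton" in the added `/config/data/authorized_keys` comment should be "information", and the `authorized_keys_for_test_infra` entry that is "being transitioned away from" would benefit from a bug reference for its removal.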
@@ -24,7 +32,7 @@
 ClientAliveInterval 1
 ClientAliveCountMax 10
 
-Subsystem	sftp	/pkg/bin/sftp-server
-Subsystem	sl4f	/pkg/bin/sl4f-server
+Subsystem sftp /pkg/bin/sftp-server
+Subsystem sl4f /pkg/bin/sl4f-server
 
 AcceptEnv FFX_DAEMON_ABI_REVISION
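Review bot: the two `Subsystem` lines change only whitespace (tabs to spaces), yet they land in the same commit that changes which keys and certificates sshd accepts. Consider splitting the normalization into its own change so the authentication change can be audited and reverted on its own.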