[sshd][assembly] Add CA-issued key support and single authorized key in config data
These allow the removal of sshd configs in vendored repos, by
using a single sshd config file that will work for all build-
types that have sshd enabled, relying on the presence of the
keys themselves to enable these features.
Also convert tabs to spaces to normalize usage within the file.
Bug: 127376
Change-Id: I2b1edbc5e06a7e0abb31e9b6edb134b505bc9c6c
Reviewed-on: https://fuchsia-review.googlesource.com/c/third_party/openssh-portable/+/860484
Reviewed-by: Mark Dittmer <markdittmer@google.com>
Commit-Queue: Auto-Submit <auto-submit@fuchsia-infra.iam.gserviceaccount.com>
Fuchsia-Auto-Submit: Aaron Wood <aaronwood@google.com>
diff --git a/fuchsia/sshd_config b/fuchsia/sshd_config
index d750808..9db9088 100644
--- a/fuchsia/sshd_config
+++ b/fuchsia/sshd_config
@@ -6,11 +6,19 @@
# /data - authorized_keys are typically read from here when running on hardware, copied into minfs
# during the paving process.
# /boot - authorized_keys should only present be in bootfs when running Fuchsia in an emulator.
-# authorized_keys_for_test_infra - This file is not expected to be present on any standard build,
-# only on builds produced for automated testing. See go/fuchsia-ssh-for-testing.
+# /config/data/authorized_keys - This file is not expected to be present on standard builds, only
+# on those that need to inject keys for special circumstances, such as when being tested
+# from automated infrastructure.
+# see go/fuchsia-ssh-for-testing for more informaton on that.
+# /config/data/authorized_keys_for_test_infra - This file is being transitioned away from.
#
# These are combined since the sshd will only use the first AuthorizedKeysFile line.
-AuthorizedKeysFile /data/ssh/authorized_keys /boot/data/ssh/authorized_keys /config/data/authorized_keys_for_test_infra
+AuthorizedKeysFile /data/ssh/authorized_keys /boot/data/ssh/authorized_keys /config/data/authorized_keys_for_test_infra /config/data/authorized_keys
+
+# Enable SSH using Certificate Authority-issued SSH credentials. These are not expected to be
+# present in most builds, and products will add keys to this location in config-data to enable this
+# feature.
+TrustedUserCAKeys /config/data/ssh_ca_pub_keys
# We disallow password authentication completely (it's unsupported irrespective of this
# configuration), so all auth is key-based. Bump the MaxAuthTries limit to accommodate users with
@@ -24,7 +32,7 @@
ClientAliveInterval 1
ClientAliveCountMax 10
-Subsystem sftp /pkg/bin/sftp-server
-Subsystem sl4f /pkg/bin/sl4f-server
+Subsystem sftp /pkg/bin/sftp-server
+Subsystem sl4f /pkg/bin/sl4f-server
AcceptEnv FFX_DAEMON_ABI_REVISION