Initial commit

meta-google/recipes-google/ssh/authorized-keys-comp.bb

@@ -0,0 +1,34 @@
+SUMMARY = "Compiles a set of authorized_keys files into a single file"
+PR = "r1"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+inherit systemd
+
+SRC_URI += " \
+  file://authorized-keys-comp.service \
+  file://authorized-keys-comp.sh \
+  "
+
+S = "${WORKDIR}"
+
+RDEPENDS:${PN} += "bash"
+
+SYSTEMD_SERVICE:${PN} += "authorized-keys-comp.service"
+
+FILES:${PN} += "/home"
+
+AUTHORIZED_KEYS_COMP_USERS ?= "root"
+
+do_install:append() {
+  install -d -m0755 ${D}${libexecdir}
+  install -m0755 authorized-keys-comp.sh ${D}${libexecdir}/
+
+  install -d -m0755 ${D}${systemd_system_unitdir}
+  install -m0644 authorized-keys-comp.service ${D}${systemd_system_unitdir}/
+
+  for user in ${AUTHORIZED_KEYS_COMP_USERS}; do
+    install -d -m0755 ${D}/home/$user/.ssh
+    ln -sv /run/authorized_keys/$user ${D}/home/$user/.ssh/authorized_keys
+  done
+}

meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.service

@@ -0,0 +1,6 @@
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/authorized-keys-comp.sh
+
+[Install]
+WantedBy=multi-user.target

meta-google/recipes-google/ssh/authorized-keys-comp/authorized-keys-comp.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+shopt -s nullglob
+
+# We want to iterate over all system users, check if they are opted-in to ssh
+# authorized_keys building, and then construct their keyfile
+while read -r user; do
+  home="$(eval echo "~$user")" || continue
+  link="$(readlink "$home"/.ssh/authorized_keys 2>/dev/null)" || continue
+  # Users are only opted-in if they symlink to our well-known directory where
+  # the final output of this script lives.
+  if [[ $link != "/run/authorized_keys/$user" ]]; then
+    echo "Ignoring $user $home/.ssh/authorized_keys" >&2
+    continue
+  fi
+
+  echo "Updating $link" >&2
+  declare -A basemap=()
+  declare -a dirs=(
+    "/usr/share/authorized_keys.d/$user"
+    "$home/.ssh/authorized_keys.d"
+    "/run/authorized_keys.d/$user"
+  )
+  # Build a map that can be used for sorting directories by their priority
+  # and prioritizing the last listed directories over the later ones. We
+  # append a counter to ensure that there is a stable sorting mechanism for
+  # duplicate filenames. Duplicate filenames will be overridden by higher
+  # priority directories.
+  # Ex.
+  #   /usr/share/authorized_keys.d/root/10-key
+  #   /usr/share/authorized_keys.d/root/15-key
+  #   /run/authorized_keys.d/root/10-key
+  #   /run/authorized_keys.d/root/20-key
+  #  Becomes
+  #   ["10-key"]="/run/authorized_keys.d/root/10-key"
+  #   ["15-key"]="/usr/share/authorized_keys.d/root/15-key"
+  #   ["20-key"]="/run/authorized_keys.d/root/20-key"
+  for dir in "${dirs[@]}"; do
+    for file in "$dir"/*; do
+      basemap["${file##*/}"]="$file"
+    done
+  done
+  rm -f /run/authorized_keys.tmp
+  touch /run/authorized_keys.tmp
+  for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
+    echo "  Including ${basemap[$key]}" >&2
+    cat "${basemap[$key]}" >>/run/authorized_keys.tmp
+  done
+  mkdir -p /run/authorized_keys
+  mv /run/authorized_keys.tmp /run/authorized_keys/"$user"
+  chown "$user" /run/authorized_keys/"$user"
+done < <(cut -d':' -f1 /etc/passwd)

meta-google/recipes-google/ssh/gbmc-dev-ssh-key.bb

@@ -0,0 +1,15 @@
+SUMMARY = "Publicly exposed development SSH key"
+PR = "r1"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/files/common-licenses/Apache-2.0;md5=89aea4e17d99a7cacdbeed46a0096b10"
+
+SRC_URI += "file://gbmc-dev.pub"
+
+S = "${WORKDIR}"
+
+FILES:${PN} += " ${datadir}/authorized_keys.d"
+
+do_install() {
+  install -d ${D}${datadir}/authorized_keys.d/root
+  install -m 0755 ${S}/gbmc-dev.pub ${D}${datadir}/authorized_keys.d/root/50-gbmc-dev
+}

meta-google/recipes-google/ssh/gbmc-dev-ssh-key/gbmc-dev.priv

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAC+PxTCx2WyYG5iaq+GO0RArtziSb4kH/uzMZKyh5LKgAAAJAQPe9NED3v
+TQAAAAtzc2gtZWQyNTUxOQAAACAC+PxTCx2WyYG5iaq+GO0RArtziSb4kH/uzMZKyh5LKg
+AAAECx890MYHciMhMENgtQURn4zw10U3v5jAMymfFI9FaqwAL4/FMLHZbJgbmJqr4Y7REC
+u3OJJviQf+7MxkrKHksqAAAACGdibWMtZGV2AQIDBAU=
+-----END OPENSSH PRIVATE KEY-----

meta-google/recipes-google/ssh/gbmc-dev-ssh-key/gbmc-dev.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAL4/FMLHZbJgbmJqr4Y7RECu3OJJviQf+7MxkrKHksq gbmc-dev