author: Lennart Poettering <lennart@poettering.net> 2023-11-16 18:47:52 +0100
committer: Lennart Poettering <lennart@poettering.net> 2023-12-06 22:11:04 +0100
commit: 7e3607996a5df22799dd092526c78b5bd7e245f4
tree: 9c7f3c005ab3a8599eb19d581f7af1b480fbbc31 /src/userdb
parent: pid1: add ProtectSystem= as system-wide configuration, and default it to true...
userdbctl: enable ssh-authorized-keys logic by default
sshd now supports config file drop-ins, hence let's install one to hook up "userdb ssh-authorized-keys", so that things just work. We put the drop-in relatively early, so that other drop-ins generally will override this. Ideally sshd would support such drop-ins in /usr/ rather than /etc/, but let's take what we can get. It's not that sshd's upstream was particularly open to weird ideas from Linux people.
Diffstat (limited to 'src/userdb')
-rw-r--r-- src/userdb/20-systemd-userdb.conf.in 6
-rw-r--r-- src/userdb/meson.build 13
2 files changed, 19 insertions, 0 deletions
diff --git a/src/userdb/20-systemd-userdb.conf.in b/src/userdb/20-systemd-userdb.conf.in
new file mode 100644
index 0000000000..031fc3a4b8
--- /dev/null
+++ b/src/userdb/20-systemd-userdb.conf.in
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# Make sure SSH authorized keys recorded in user records can be consumed by SSH
+#
+AuthorizedKeysCommand {{BINDIR}}/userdbctl ssh-authorized-keys %u
+AuthorizedKeysCommandUser root
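Review bot: AuthorizedKeysCommandUser root on the last line makes sshd run userdbctl ssh-authorized-keys as root on every public-key login attempt, with %u being the user name supplied by the connecting client. If the user record lookup does not need root, name a dedicated unprivileged account here; if it does, say why in the header comment. The comment should also state that sshd uses only one AuthorizedKeysCommand, so an administrator who already sets one elsewhere can tell which of the two ends up in effect.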
diff --git a/src/userdb/meson.build b/src/userdb/meson.build
index 2d701c8ba7..260dbab2c8 100644
--- a/src/userdb/meson.build
+++ b/src/userdb/meson.build
@@ -23,3 +23,16 @@ executables += [
'dependencies' : threads,
},
]
+
+custom_target(
+ '20-systemd-userdb.conf',
+ input : '20-systemd-userdb.conf.in',
+ output : '20-systemd-userdb.conf',
+ command : [jinja2_cmdline, '@INPUT@', '@OUTPUT@'],
+ install : conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no',
+ install_dir : libexecdir / 'sshd_config.d')
+
+install_emptydir(sshdconfdir)
+
+meson.add_install_script(sh, '-c',
+ ln_s.format(libexecdir / 'sshd_config.d' / '20-systemd-userdb.conf', sshdconfdir / '20-systemd-userdb.conf'))
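Review bot: install_emptydir(sshdconfdir) and the meson.add_install_script(...) symlink step run unconditionally, while the custom_target above them is only installed when conf.get('ENABLE_USERDB') == 1 and sshdconfdir != 'no'. With userdb disabled, or with sshdconfdir set to 'no', the install still creates the directory (literally named no in the second case) and leaves a symlink pointing at a file that was never installed. Wrap both calls in the same condition used for install, so that nothing is written into the sshd configuration directory unless the drop-in itself is shipped.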