On Mon, Jul 27, 2015 at 08:07:32PM -0600, Chris Murphy wrote:
>> Not the user, the GUI asks a service to do the editing COW
>> style -
>> write out a .new and once that succeeds, then rename current to old
>> and new to current.
> Yes, I assumed that. What if there is an existing configuration?
It would always use /etc/ssh/sshd_config whether it's the default
installed, or a user modified one. The GUI Remote Login toggle would
toggle both sshd.service stop/start/enable/disable states, and
AllowUsers list. So something has to be able to parse this file.
I guess the main complication is making sure that AllowUsers occurs
before any Match blocks. And avoiding any AllowGroups/DenyGroups
complication.
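As an added illustration of the two pieces discussed above (not code from the thread or from any Fedora component): a small Python helper that rewrites the global AllowUsers line so that it always lands before the first Match block, leaving any AllowUsers inside Match blocks untouched, and a copy-on-write writer that produces a .new file, validates it, keeps the previous file as .old and only then renames .new over the live file. Names such as set_allow_users, write_config_cow and sshd_check are assumptions of this example; the sample configuration in the test is constructed.

```python
import os
import re
import shutil
import subprocess
from pathlib import Path

# Portable username pattern (the default NAME_REGEX shipped with useradd).
# Refusing anything else stops a crafted "user name" from smuggling spaces,
# newlines or extra directives into the file we are about to write.
_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")


def _keyword(line):
    """Lower-cased directive name of a config line, or '' for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    # sshd_config accepts both "Keyword value" and "Keyword=value".
    return re.split(r"[\s=]", stripped, maxsplit=1)[0].lower()


def set_allow_users(config_text, users):
    """Return config_text with the global AllowUsers directive replaced by `users`.

    Existing global AllowUsers lines are dropped and the new directive is placed
    immediately before the first Match block, because everything after a Match
    line belongs to that block.  AllowUsers lines inside Match blocks are kept.
    An empty `users` list removes the global directive entirely.
    """
    for user in users:
        if not _USERNAME.match(user):
            raise ValueError(f"refusing unsafe username: {user!r}")
    out = []
    in_match = False
    first_match_idx = None
    for line in config_text.splitlines():
        kw = _keyword(line)
        if kw == "match":
            in_match = True
            if first_match_idx is None:
                first_match_idx = len(out)
        if kw == "allowusers" and not in_match:
            continue  # drop the old global directive; re-added below
        out.append(line)
    if users:
        directive = "AllowUsers " + " ".join(users)
        if first_match_idx is None:
            out.append(directive)
        else:
            out.insert(first_match_idx, directive)
    return "\n".join(out) + "\n" if out else ""


def sshd_check(candidate):
    """Validate a candidate file with `sshd -t -f`; True when it parses.

    Returns True without checking when sshd is not installed (assumption of
    this example, so the helper can be exercised on a machine without sshd).
    """
    if shutil.which("sshd") is None:
        return True
    result = subprocess.run(["sshd", "-t", "-f", str(candidate)], capture_output=True)
    return result.returncode == 0


def write_config_cow(path, new_text, check=None):
    """Copy-on-write update of `path`.

    Writes <path>.new (mode 0600, fsynced), runs `check` on it if given, keeps
    the previous file as <path>.old, then renames .new over the live file.  The
    live file is never missing: the rename is the only moment its content changes,
    and a failed check leaves it untouched.
    """
    path = Path(path)
    new_path = path.with_name(path.name + ".new")
    old_path = path.with_name(path.name + ".old")
    with open(new_path, "w", opener=lambda p, flags: os.open(p, flags, 0o600)) as fh:
        fh.write(new_text)
        fh.flush()
        os.fsync(fh.fileno())
    if check is not None and not check(new_path):
        new_path.unlink()
        raise RuntimeError("new configuration failed validation; live file untouched")
    if path.exists():
        if old_path.exists():
            old_path.unlink()
        os.link(path, old_path)  # .old is a hard link to the previous content
    os.replace(new_path, path)   # atomic swap
    return path


if __name__ == "__main__":
    import sys
    # usage: python this.py /path/to/sshd_config alice bob   (no users = remove directive)
    cfg = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/etc/ssh/sshd_config")
    current = cfg.read_text() if cfg.exists() else ""
    write_config_cow(cfg, set_allow_users(current, sys.argv[2:]), check=sshd_check)
```

The validation hook is the part worth keeping whatever the final design is: a GUI-driven service that rewrites sshd_config should never swap in a file that `sshd -t` rejects, because a broken sshd_config takes remote login down for everyone rather than just for the user who toggled the switch.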
Oh! An alternative which avoids any file parsing or writing: add an
"ssh-access" or similar group, configure default sshd_config with
"AllowGroups ssh-access". (Could be a Workstation-only sshd_config.)
On another note, I see that _all_ of the other sharing options are
actually _per network_. Maybe the "remote login" option should be the
same?
> Maybe PAM can be leveraged for this, since sshd_config defers to PAM
> already for authentication. So sshd could just ask PAM rather than
> modifying sshd_config directly.
Hmmm, maybe.
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader