Cryptography
SSH keys
This charm sets up unprivileged access to a Juju unit through public SSH keys for each local user. Keys can be specified in two ways in the users charm config option:
- Plaintext public SSH key
- A Launchpad username prepended with lp:
The charm uses the ssh-import-id CLI for the second option to retrieve the keys. The CLI uses SSL/TLS to connect to Launchpad, validating the connection’s certificate and matching the hostname through the Requests library. Retrieved keys are in the same format as an ~/.ssh/authorized_keys file.
After the keys are parsed/retrieved, the charm writes the SSH public keys to the file path specified by the ssh_authorized_keys charm config option. The file is created with different permissions and ownerships depending on whether the file is located under the user’s home directory or not:
- If the file is created under the new user’s home directory, the parent directory is set to 0o700, and ownership is given exclusively to the created user. The file’s permissions are set to 0o600 with the same ownership
- If the file should be placed anywhere else, the 0o644 permission mode is given
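A post-deployment check for the permission rules above, as an added example that is not the charm's own code. The function name audit_authorized_keys and its parameters are assumptions, and only the owning user ID is checked (group ownership is not).

```python
import os
import stat
import tempfile
from pathlib import Path

HOME_DIR_MODE = 0o700    # parent directory, when the file is under the home
HOME_FILE_MODE = 0o600   # key file under the user's home directory
OTHER_FILE_MODE = 0o644  # key file placed anywhere else


def audit_authorized_keys(keys_path, home_dir, uid):
    """Return findings for one key file; an empty list means it matches."""
    keys_path = Path(keys_path).resolve()  # resolve symlinks before comparing
    home_dir = Path(home_dir).resolve()
    findings = []

    def check(path, want_mode, want_uid=None):
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append(f"{path}: mode {mode:#o}, expected {want_mode:#o}")
        if want_uid is not None and st.st_uid != want_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {want_uid}")

    if home_dir in keys_path.parents:
        check(keys_path.parent, HOME_DIR_MODE, uid)
        check(keys_path, HOME_FILE_MODE, uid)
    else:
        check(keys_path, OTHER_FILE_MODE)
    return findings


if __name__ == "__main__":
    # Constructed layout: a key file under a throwaway "home" directory.
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / "home" / "alice" / ".ssh"
        ssh_dir.mkdir(parents=True)
        os.chmod(ssh_dir, 0o700)
        keys = ssh_dir / "authorized_keys"
        keys.write_text("ssh-ed25519 AAAA...constructed-placeholder alice\n")
        os.chmod(keys, 0o644)  # deliberately too permissive for a home path
        for finding in audit_authorized_keys(keys, ssh_dir.parent, os.getuid()):
            print(finding)
```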