Open TriMoon opened 10 months ago
This all sounds reasonable at first glance. What functions would pppd need to call to read the user and password values?
@paulusmack
It just needs to read the contents of files inside the `$CREDENTIALS_DIRECTORY` directory.
See: https://systemd.io/CREDENTIALS/#programming-interface-from-service-code

> [!NOTE]
> `$CREDENTIALS_DIRECTORY` is an environment variable provided for processes executed by the service. `$CREDENTIALS_DIRECTORY` = `%d` in unit files...

If you use the names I used in my examples those files would be:
- `${CREDENTIALS_DIRECTORY}/PPPoE-username` (The contents will already be the decrypted value to be used)
- `${CREDENTIALS_DIRECTORY}/PPPoE-password` (The contents will already be the decrypted value to be used)

But as said you're free to choose other names, or even let the user choose which names to use :wink:

It basically boils down to automatically reading the contents of those files and using them "as-if" the user provided those options with their values.... That is what I am actually doing in these lines of `PPPoE-@.service.d/UseCredentials.conf`:

```ini
"user" "$$(<%d/PPPoE-username)" \
"password" "$$(<%d/PPPoE-password)" \
```
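Reading a credential the way described above, as an added example in C (not pppd's code and not TriMoon's): it resolves `$CREDENTIALS_DIRECTORY/<name>` for the `PPPoE-username` / `PPPoE-password` names used in this thread, rejects names that are not bare file names, and refuses a value that does not fit instead of truncating it. The `demo_roundtrip` fixture, its temporary directory, the sample value and the 256-byte buffer are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* A credential name must be a bare file name: no '/', not "." or "..". */
int cred_name_ok(const char *name)
{
    return name && *name && !strchr(name, '/') && strcmp(name, ".") && strcmp(name, "..");
}

/* Read $CREDENTIALS_DIRECTORY/<name> into buf, dropping one trailing newline. Returns the
 * length, or -1 if the dir is unset, the name is bad, the file is missing or would not fit. */
int read_systemd_credential(const char *name, char *buf, size_t buflen)
{
    const char *dir = getenv("CREDENTIALS_DIRECTORY");
    char path[PATH_MAX];
    FILE *f; size_t n; int fits;
    if (!dir || !cred_name_ok(name) || buflen < 2 ||
        snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path ||
        !(f = fopen(path, "rb"))) return -1;
    n = fread(buf, 1, buflen - 1, f);
    fits = !(n == buflen - 1 && fgetc(f) != EOF); /* oversized: refuse, never truncate */
    fclose(f);
    if (!fits) return -1;
    if (n && buf[n - 1] == '\n') n--;
    buf[n] = '\0';
    return (int)n;
}

/* Constructed fixture standing in for the directory systemd would provide:
 * PPPoE-username present (with a trailing newline), PPPoE-password absent. */
int demo_roundtrip(void)
{
    char dir[] = "/tmp/credsXXXXXX", path[PATH_MAX], buf[256];
    FILE *f; int ok;
    if (!mkdtemp(dir) || !(f = fopen(strcat(strcpy(path, dir), "/PPPoE-username"), "wb")))
        return 0;
    fputs("user@example.net\n", f); fclose(f);
    setenv("CREDENTIALS_DIRECTORY", dir, 1);
    ok = read_systemd_credential("PPPoE-username", buf, sizeof buf) == 16 &&
         strcmp(buf, "user@example.net") == 0 &&
         read_systemd_credential("PPPoE-password", buf, sizeof buf) == -1 && /* absent */
         read_systemd_credential("../passwd", buf, sizeof buf) == -1 &&     /* rejected */
         read_systemd_credential("PPPoE-username", buf, 8) == -1;           /* would not fit */
    unlink(path); rmdir(dir);
    return ok;
}
```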
@paulusmack a follow-up from your side would be appreciated :wink:
@paulusmack: Have you seen latest @TriMoon comments?
@enaess, @jkroonza, @sthibaul, @yarda: What do you think?
Definitely not a 2.5.1 feature. I think it would be awesome to provide tighter integration with systemd in a few different ways, e.g. networking, dns and credentials. Won't have the time to look into this anytime soon.
There is already the `+ua` option, but it takes both username and password from the same file. If it really is necessary to have the username and password in separate files, it would be possible to add an option that provides a prefix to which "username" and "password" are appended to get the names of two files, from which to read the username and password. You could then do something like `userpass-prefix %d/PPPoE-` or similar on the pppd command line. Would that suit?
To enhance the systemd integration (see #79 and https://github.com/systemd/systemd/issues/481) even more, I suggest adding an option to allow automatic reading of System and Service Credentials, or SystemdCreds as I like to name them. `sd_creds` for example, the exact naming is up to you.
When this option is used, pppd should automatically read and use:
- `user` from the SystemdCreds, e.g. from the `PPPoE-username` credential. (the exact naming is up to you)
- `password` from the SystemdCreds, e.g. from the `PPPoE-password` credential. (the exact naming is up to you)

To illustrate the usage and workaround until this functionality is implemented, I'm currently using the below self-made scripts and configs in my system, which I post here for others to use till then: (Still a W.I.P. but it already works flawlessly)
Click the arrowed sections to expand and view (and be able to copy them)...

- `PPPoE@.target`
- `PPPoE@.target.d/DefaultInstance.conf`
- `PPPoE@.target.d/KernelCommandLine.conf`
- `PPPoE@vlan35.target.d/TurkNet.conf`
- `PPPoE-vlan35@.service`
- `PPPoE-vlan35@.service.d/KernelCommandLine.conf`
- `PPPoE-vlan35@TurkNet.service.d/Credentials.conf`
- `PPPoE-@.service.d/UseCredentials.conf`
- `<bin path>/createSystemdCreds-PPPoE`
```bash
#!/usr/bin/env bash
# SPDX-License-Identifier: CC-BY-NC-SA-4.0
#
# To use the creds you could use one of:
# 1.
#   Environment=CRED_USERNAME=%d/PPPoE-username
#   Environment=CRED_PASSWORD=%d/PPPoE-password
#   cat $CRED_USERNAME
#   cat $CRED_PASSWORD
# 2.
#   cat %d/PPPoE-username
#   cat %d/PPPoE-password
# See: man systemd-creds
# NOTE: The example in the man-page has a bug !
#       it doesn't output the section header, so we need to !
#
# $1 = username
# $2 = password
function genSystemdCred () {
	local -a opts
	local \
		credName \
		credVal
	# Output the header and section name at start
	printf "%s\n" \
		"# PPPoE-Credentials for ${connection}@${interface}" \
		"[Service]"
	# Output the creds lines
	for credName in username password; do
		case "${credName}" in
			username) credVal="$1" ;;
			password) credVal="$2" ;;
			*) ;; # No other possibilities.
		esac
		opts=(
			--pretty
			--name="PPPoE-${credName}"
			encrypt
			# Input = stdin
			-
			# Output = stdout
			-
		)
		# shellcheck disable=2312
		printf "%s" "${credVal}" \
			| systemd-creds "${opts[@]}" \
			| sed -E 's/\s{2,}/\t/g' # Convert multiple white-space by a single tab.
	done
}
function main () {
	local -a opts
	local \
		username \
		password \
		connection \
		interface \
		dropInDir \
		credName
	username="$1"
	password="$2"
	connection="$3"
	interface="$4"
	if test -z "${username}" \
		-o -z "${password}" \
		-o -z "${connection}" \
		-o -z "${interface}"
	then
		printf "%s\n" \
			"Missing arguments !" \
			"Usage: ${0##*/} <username> <password> <connection> <interface>" >&2
		exit 1
	fi
	# Emit the drop-in contents on stdout; redirect into the
	# <unit>.service.d/Credentials.conf you want to generate.
	genSystemdCred "${username}" "${password}"
}
main "$@"
```

The last three are the SystemdCreds specific parts obviously :wink:

`PPPoE-vlan35@TurkNet.service.d/Credentials.conf` dir+file was auto-generated using the `createSystemdCreds-PPPoE` script... :warning: It will NOT work for you as-is, so you need to generate your own!

`PPPoE-@.service.d/UseCredentials.conf` drop-in overrides the `ExecStart` of the main template to read a config file that is auto-generated to implement the automatic reading and usage of the SystemdCreds. As you can see this is FAR from optimal because it uses a temporary file, which can be eliminated if the functionality asked for is implemented. (It is still relatively safe to use, because of the private tmp used in the hardening; this file is only readable by ROOT...)

`PPPoE-@.service.d/DynNS-TearDown.conf`

`/etc/ppp/ip-pre-down`
```bash
#!/bin/sh
# The environment is cleared before executing this script
# so the path must be reset.
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
export PATH
# These variables are for the use of the scripts run by run-parts
PPP_IFACE="$1"
export PPP_IFACE
# If /var/log/ppp-ipupdown.log exists use it for logging.
if [ -e /var/log/ppp-ipupdown.log ]; then
	exec >> /var/log/ppp-ipupdown.log 2>&1
	echo "$0" "$@"
	echo
fi
# This script can be used to override the .d files supplied by other packages.
if [ -x /etc/ppp/ip-pre-down.local ]; then
	exec /etc/ppp/ip-pre-down.local "$@"
fi
run-parts /etc/ppp/ip-pre-down.d \
	--arg="$1"
```

`/etc/ppp/ipv6-pre-down`
```bash
#!/bin/sh
# The environment is cleared before executing this script
# so the path must be reset.
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
export PATH
# These variables are for the use of the scripts run by run-parts
PPP_IFACE="$1"
export PPP_IFACE
# If /var/log/ppp-ipupdown.log exists use it for logging.
if [ -e /var/log/ppp-ipupdown.log ]; then
	exec >> /var/log/ppp-ipupdown.log 2>&1
	echo "$0" "$@"
	echo
fi
# This script can be used to override the .d files supplied by other packages.
if [ -x /etc/ppp/ipv6-pre-down.local ]; then
	exec /etc/ppp/ipv6-pre-down.local "$@"
fi
run-parts /etc/ppp/ipv6-pre-down.d \
	--arg="$1"
```

And I use these systemd-networkd files for the connection configs: (My onboard Ethernet connection is renamed to `utp`)

- `21-pppoe-vlan35.netdev`
- `21-pppoe-vlan35.network`
- `30-pppoe-TurkNet.network`

Update:
For easier testing etc. of the posted files, I have created a public repo where they can be found. It will also function as a backup for my own setup :wink: https://gitlab.com/trimoon-inc/system/systemd-PPPoE