unofficial mirror of bug-guix@gnu.org 
* bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
@ 2023-04-19 16:28 Janneke Nieuwenhuizen
       [not found] ` <handler.62948.B.16819217174025.ack@debbugs.gnu.org>
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Janneke Nieuwenhuizen @ 2023-04-19 16:28 UTC (permalink / raw)
  To: 62948

[-- Attachment #1: Type: text/plain, Size: 1483 bytes --]

Hi,

Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login.  I cannot access the logs and don't know what the
problem might be.

When, after running `guix home reconfigure', you do something like:

--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---
    
key-based login succeeds.

A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone.  However, when using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys '())))
--8<---------------cut here---------------end--------------->8---

any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file.  I don't see how that is useful, it certainly
breaks key-based login.

Using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---

yields a backtrace.

The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.

WDYT?

Greetings,
Janneke


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: 0001-home-services-ssh-Support-leaving-.ssh-authorized_ke.patch --]
[-- Type: text/x-patch, Size: 3997 bytes --]

From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen <janneke@gnu.org>
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
 alone.

The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file.  On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.

* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
 doc/guix.texi             |  8 +++++---
 gnu/home/services/ssh.scm | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time.
 Preparing this list can be relatively tedious though, which is why
 @code{*unspecified*} is kept as a default.
 
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
 
 Concretely, these files are concatenated and made available as
 @file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
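Review bot: The new @item text for authorized-keys explains #false but does not say what the empty list does, and '() (the old default in the removed line) is the value that, per the commit message, replaces ~/.ssh/authorized_keys with an empty file. Consider adding a sentence stating that '() still installs an empty file, so no key is authorized, and rewording the following paragraph ("Concretely, these files are concatenated ...") so that it clearly applies only when a list is given.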
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* <home-openssh-configuration>
   home-openssh-configuration make-home-openssh-configuration
   home-openssh-configuration?
   (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
-                   (default '()))
+                   (default #f))
   (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of file-like
                    (default *unspecified*))
   (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
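Review bot: The field comment on authorized-keys still reads ";list of file-like" although the default is now #f; update it to something like ";#f | list of file-like", as the known-hosts field below does with ";unspec | list of file-like". The two adjacent fields now also use different sentinels (#f here, *unspecified* for known-hosts) for "do not manage this file", which is worth either unifying or explaining in a comment.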
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
                                      '#$files)))))))
 
 (define (openssh-configuration-files config)
-  (let ((config (plain-file "ssh.conf"
-                            (openssh-configuration->string config)))
-        (known-hosts (home-openssh-configuration-known-hosts config))
-        (authorized-keys (file-join
-                          "authorized_keys"
-                          (home-openssh-configuration-authorized-keys config)
-                          "\n")))
-    `((".ssh/authorized_keys" ,authorized-keys)
+  (let* ((ssh-config (plain-file "ssh.conf"
+                                 (openssh-configuration->string config)))
+         (known-hosts (home-openssh-configuration-known-hosts config))
+         (authorized-keys (home-openssh-configuration-authorized-keys config))
+         (authorized-keys (and
+                           authorized-keys
+                           (file-join "authorized_keys" authorized-keys "\n"))))
+    `(,@(if authorized-keys
+            `((".ssh/authorized_keys" ,authorized-keys))
+            '())
       ,@(if (unspecified? known-hosts)
             '()
             `((".ssh/known_hosts"
                ,(file-join "known_hosts" known-hosts "\n"))))
-      (".ssh/config" ,config))))
+      (".ssh/config" ,ssh-config))))
 
 (define openssh-activation
   (with-imported-modules (source-module-closure
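Review bot: In the new let*, authorized-keys is bound twice and the second binding shadows the first; a distinct name for the raw field value would make the (and ...) test easier to follow. Note too that '() is true in Scheme, so (authorized-keys '()) still takes the ,@(if authorized-keys ...) branch and registers ".ssh/authorized_keys" with empty content; if that is intended, a one-line comment above that form should say so.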
-- 
2.39.2


[-- Attachment #3: Type: text/plain, Size: 164 bytes --]


-- 
Janneke Nieuwenhuizen <janneke@gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
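
A variant of the workaround in the message above that replaces the symlink in one rename, so ~/.ssh is never without an authorized_keys file and the copy is never readable by group or others. This is an added example, not part of the original message or of Guix; the function name materialize_authorized_keys is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Guix code): turn a symlinked
# authorized_keys into a private regular file with the same content.
materialize_authorized_keys() {
    ssh_dir=${1:-"$HOME/.ssh"}
    target="$ssh_dir/authorized_keys"

    # Only act on a symlink, which is what the report says Guix Home leaves.
    if [ ! -L "$target" ]; then
        echo "not a symlink, left alone: $target" >&2
        return 0
    fi

    # The link must resolve to a readable regular file. Refuse a dangling
    # link rather than create an empty file that authorizes no keys.
    if [ ! -f "$target" ] || [ ! -r "$target" ]; then
        echo "link target is not a readable file: $target" >&2
        return 1
    fi

    # mktemp creates the file readable and writable by the owner only, in
    # the same directory, so the final mv is a rename on one filesystem.
    tmp=$(mktemp "$ssh_dir/authorized_keys.XXXXXX") || return 1

    # Copy, tighten to read-only for the owner, then rename over the link.
    # mv replaces the symlink itself; it does not write through it.
    if cat "$target" > "$tmp" && chmod 400 "$tmp" && mv -f "$tmp" "$target"; then
        return 0
    fi

    rm -f "$tmp"
    return 1
}
```

The next guix home reconfigure puts the symlink back unless the configuration stops managing the file, which is what (authorized-keys #f) in the patch is for.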


* bug#62948: etc/teams.scm cc home
       [not found] ` <handler.62948.B.16819217174025.ack@debbugs.gnu.org>
@ 2023-04-23  7:58   ` Janneke Nieuwenhuizen
  0 siblings, 0 replies; 6+ messages in thread
From: Janneke Nieuwenhuizen @ 2023-04-23  7:58 UTC (permalink / raw)
  To: 62948; +Cc: ludo






* bug#62948: etc/team.scm cc home #2
  2023-04-19 16:28 bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
       [not found] ` <handler.62948.B.16819217174025.ack@debbugs.gnu.org>
@ 2023-04-25  9:12 ` Janneke Nieuwenhuizen
  2023-04-25  9:12 ` bug#62948: etc/team.scm cc home #3 Janneke Nieuwenhuizen
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Janneke Nieuwenhuizen @ 2023-04-25  9:12 UTC (permalink / raw)
  To: 62948; +Cc: paren

Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...





* bug#62948: etc/team.scm cc home #3
  2023-04-19 16:28 bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
       [not found] ` <handler.62948.B.16819217174025.ack@debbugs.gnu.org>
  2023-04-25  9:12 ` bug#62948: etc/team.scm cc home #2 Janneke Nieuwenhuizen
@ 2023-04-25  9:12 ` Janneke Nieuwenhuizen
  2023-05-24 10:00 ` bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
  2023-06-15  2:51 ` Andrew Tropin
  4 siblings, 0 replies; 6+ messages in thread
From: Janneke Nieuwenhuizen @ 2023-04-25  9:12 UTC (permalink / raw)
  To: 62948; +Cc: andrew

Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...





* bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
  2023-04-19 16:28 bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
                   ` (2 preceding siblings ...)
  2023-04-25  9:12 ` bug#62948: etc/team.scm cc home #3 Janneke Nieuwenhuizen
@ 2023-05-24 10:00 ` Janneke Nieuwenhuizen
  2023-06-15  2:51 ` Andrew Tropin
  4 siblings, 0 replies; 6+ messages in thread
From: Janneke Nieuwenhuizen @ 2023-05-24 10:00 UTC (permalink / raw)
  To: 62948-done

Janneke Nieuwenhuizen writes:

> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login.  I cannot access the logs and don't know what the
> problem might be.

Pushed to master as c57693846c7c6586c6cd1b4e4002fe399e3a2c42

-- 
Janneke Nieuwenhuizen <janneke@gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com





* bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
  2023-04-19 16:28 bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
                   ` (3 preceding siblings ...)
  2023-05-24 10:00 ` bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login Janneke Nieuwenhuizen
@ 2023-06-15  2:51 ` Andrew Tropin
  4 siblings, 0 replies; 6+ messages in thread
From: Andrew Tropin @ 2023-06-15  2:51 UTC (permalink / raw)
  To: Janneke Nieuwenhuizen, 62948

[-- Attachment #1: Type: text/plain, Size: 1705 bytes --]

On 2023-04-19 18:28, Janneke Nieuwenhuizen wrote:

> Hi,
>
> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login.  I cannot access the logs and don't know what the
> problem might be.
>
> When, after running `guix home reconfigure', you do something like:
>
> --8<---------------cut here---------------start------------->8---
> mv .ssh/authorized_keys .ssh/authorized_keys-
> cat .ssh/authorized_keys- > .ssh/authorized_keys
> chmod 400 .ssh/authorized_keys
> --8<---------------cut here---------------end--------------->8---
>     
> key-based login succeeds.
>
> A workaround would be to have home-openssh-service-type leave
> ~/.ssh/authorized_keys alone.  However, when using
>
> --8<---------------cut here---------------start------------->8---
> (service
>   home-openssh-service-type
>   (home-openssh-configuration
>    (authorized-keys '())))
> --8<---------------cut here---------------end--------------->8---
>
> any existing ~/.ssh/authorized_keys file is removed and replaced by a
> symlink to an empty file.  I don't see how that is useful, it certainly
> breaks key-based login.
>
> Using
>
> --8<---------------cut here---------------start------------->8---
> (service
>   home-openssh-service-type
>   (home-openssh-configuration
>    (authorized-keys #f)))
> --8<---------------cut here---------------end--------------->8---
>
> yields a backtrace.
>
> The attached patch fixes that and allows using (authorized-keys #f),
> also making this the default.
>
> WDYT?

It makes perfect sense.

-- 
Best regards,
Andrew Tropin


Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
