* bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
From: Christopher Allan Webber @ 2017-04-28 14:52 UTC (permalink / raw)
  To: 26696

I wanted to permit root logins but only permit public key authentication
in my openssh configuration.  This was my original assumption of how to
do it:

  (service openssh-service-type
          (openssh-configuration
           (permit-root-login 'without-password)
           (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this
combination.  However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.

  (service openssh-service-type
          (openssh-configuration
           (permit-root-login #t)
           (password-authentication? #f)))

This route is sufficient.

However maybe we should prevent people from accidentally causing openssh
to not start.  Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password
+                        ;; If we've already disabled password-authentication, this
+                        ;; is redundant, and even stops the openssh server from
+                        ;; starting up
+                        (if (openssh-configuration-password-authentication? config)
+                            "without-password"
+                            "yes"))))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
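Review bot: the new 'without-password branch silently emits "PermitRootLogin yes" whenever password-authentication? is #f, so the generated sshd_config no longer says what the openssh-configuration declared, and the comment asserts that the original combination "stops the openssh server from starting up" without the hunk establishing why sshd would reject "without-password". Before rewriting the user's value, confirm the cause from the generated file; if the combination really must be refused, raise a configuration error from openssh-configuration (e.g. in a field sanitizer) so the mismatch is visible at reconfigure time rather than hidden in the emitted "yes", and document whichever behaviour is chosen.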
#+END_SRC
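A check one could run over the sshd_config that the service actually writes, added here as an example and not code from the bug report or from Guix. It reads the global section the way sshd does (keywords case-insensitive, the first value for a keyword wins, lines after the first "Match" are conditional), fills in stock OpenSSH defaults, and reports whether root could still log in with a password. It also makes visible why "PermitRootLogin yes" with "PasswordAuthentication no" is not quite the same as "without-password": that value also disables keyboard-interactive authentication for root, which "PasswordAuthentication no" leaves on. The sample fragments are constructed, not copied from a generated file.

```python
import re

# Stock sshd defaults (OpenSSH 7.0 and later) used when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Pre-8.7 spelling of the same keyword; sshd treats both as one setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# PermitRootLogin values that block password AND keyboard-interactive auth
# for root ("without-password" is the old alias of "prohibit-password").
ROOT_NO_PASSWORD = {"no", "prohibit-password", "without-password",
                    "forced-commands-only"}


def parse_global_section(text):
    """{keyword: value} for the global section, read the way sshd reads it:
    keywords case-insensitive, FIRST value wins, stop at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":
            break                        # everything below is conditional
        settings.setdefault(keyword, parts[1] if len(parts) > 1 else "")
    return settings


def effective(text):
    """Global settings with sshd defaults filled in, values lower-cased."""
    found = parse_global_section(text)
    return {k: found.get(k, d).lower() for k, d in DEFAULTS.items()}


def root_password_login_possible(text):
    """True if root could log in with a password.  Keyboard-interactive
    counts: PasswordAuthentication=no does not turn it off, and via PAM
    it normally prompts for the account password."""
    e = effective(text)
    if e["permitrootlogin"] in ROOT_NO_PASSWORD:
        return False
    return "yes" in (e["passwordauthentication"],
                     e["kbdinteractiveauthentication"])


# Constructed fragments modelling what the service would emit for the two
# configurations in the report (not copied from a real generated file).
WITHOUT_PASSWORD = "PermitRootLogin without-password\nPasswordAuthentication no\n"
WORKAROUND = "PermitRootLogin yes\nPasswordAuthentication no\n"
```

With the defaults above, the "yes" workaround still reports a possible root password login until keyboard-interactive authentication is switched off as well.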

* bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
From: Leo Famulari @ 2017-04-28 19:29 UTC (permalink / raw)
  To: Christopher Allan Webber; +Cc: 26696

On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:
> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration.  This was my original assumption of how to
> do it:
> 
>   (service openssh-service-type
>           (openssh-configuration
>            (permit-root-login 'without-password)
>            (password-authentication? #f)))
> 
> However, for whatever reason, openssh fails to start with this
> combination.  However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.

Do you still have the generated sshd_config files handy, so we can
compare them and figure out what's broken?

* bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
From: Chris Marusich @ 2017-04-30 19:53 UTC (permalink / raw)
  To: Christopher Allan Webber; +Cc: 26696

Christopher Allan Webber <cwebber@dustycloud.org> writes:

> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
>                     #$(match (openssh-configuration-permit-root-login config)
>                         (#t "yes")
>                         (#f "no")
> -                       ('without-password "without-password")))
> +                       ('without-password
> +                        ;; If we've already disabled password-authentication, this
> +                        ;; is redundant, and even stops the openssh server from
> +                        ;; starting up
> +                        (if (openssh-configuration-password-authentication? config)
> +                            "without-password"
> +                            "yes"))))
>             (format port "PermitEmptyPasswords ~a\n"
>                     #$(if (openssh-configuration-allow-empty-passwords? config)
>                           "yes" "no"))
> #+END_SRC
>

Would it be better to fail with an error here?  I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.

However, if this special case is clearly documented in the Guix manual,
then I'd be less off-put by it.

-- 
Chris
