From: Chris Marusich
Subject: bug#26695: openssh password-authentication? should be #f by default
Date: Sun, 30 Apr 2017 12:47:22 -0700
Message-ID: <87ziexfzjp.fsf@gmail.com>
References: <87k264tx8m.fsf@dustycloud.org> <01F8858C-D359-42CA-96A6-45F6C4A3B80C@gmail.com> <87h9184heg.fsf@dustycloud.org> <87efwcbg49.fsf@fastmail.com>
In-Reply-To: <87efwcbg49.fsf@fastmail.com> (Marius Bakke's message of "Fri, 28 Apr 2017 19:23:50 +0200")
To: Marius Bakke
Cc: 26695@debbugs.gnu.org, Maxim Cournoyer

Marius Bakke writes:

> Christopher Allan Webber writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another means
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init. That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Will OpenSSH know where to look, in that case? I think a little more work
would be needed to tell OpenSSH where to look. For example, you would
have to customize the value of AuthorizedKeysFile in the OpenSSH daemon's
config file (see 'man opensshd_config' for details).

In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service. For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the record type.

> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)

This topic has come up before. Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service) is
a useful hack for systems that cannot be declaratively defined, but for
GuixSD it should not be needed. See here for details:

https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html

Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file. Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.

-- 
Chris
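The two sshd settings the thread turns on are PasswordAuthentication (which sshd itself defaults to "yes", hence the request to flip the Guix default to #f) and AuthorizedKeysFile (which decides whether keys dropped in place by a service such as special-file-service-type are ever consulted). The following checker is an added example written for this page; it is not Guix code and not from anyone in the thread. It reads an sshd_config the way sshd_config(5) describes (case-insensitive keywords, '#' comment lines, first value wins, Match blocks conditional) and reports whether the generated file actually disables password logins and points at the path where the declared keys were deployed. The sample configs and the /etc/ssh/authorized_keys.d/%u path are constructed for illustration.

```python
"""Audit an sshd_config for PasswordAuthentication and AuthorizedKeysFile.

Added example, not Guix code. The sample configs below are constructed.
"""
from __future__ import annotations

# Built-in sshd defaults, per sshd_config(5), used when a keyword is absent.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
}


def parse_global_settings(text: str) -> dict[str, str]:
    """Return the effective *global* keyword -> argument map of an sshd_config.

    Rules mirrored from sshd_config(5): keywords are case-insensitive,
    empty lines and lines starting with '#' are comments, the FIRST value
    given for a keyword wins, and everything after a 'Match' line applies
    only conditionally, so it is excluded from the global view.
    """
    settings: dict[str, str] = {}
    in_match_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        argument = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            in_match_block = True
            continue
        if in_match_block:
            continue
        settings.setdefault(keyword, argument)  # first occurrence wins
    return settings


def effective(settings: dict[str, str], keyword: str) -> str:
    """Value sshd will use: the explicit setting, else the built-in default."""
    key = keyword.lower()
    return settings.get(key, SSHD_DEFAULTS.get(key, ""))


def audit_sshd_config(text: str, deployed_keys_file: str) -> list[str]:
    """Return findings; an empty list means both settings match the intent.

    deployed_keys_file is the path where the system configuration places
    the declared public keys (hypothetical in the samples below); sshd
    only reads it if AuthorizedKeysFile lists it.
    """
    settings = parse_global_settings(text)
    findings = []
    if effective(settings, "PasswordAuthentication").lower() != "no":
        findings.append(
            "PasswordAuthentication is effectively 'yes' (the sshd default)")
    keys_files = effective(settings, "AuthorizedKeysFile").split()
    if deployed_keys_file not in keys_files:
        findings.append(
            f"AuthorizedKeysFile {keys_files} does not include {deployed_keys_file}")
    return findings


# Constructed sample 1: the keyword is commented out, so sshd's default 'yes'
# applies, and keys placed under /etc/ssh/authorized_keys.d/ are never read.
PERMISSIVE_CONFIG = """\
Port 22
#PasswordAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
"""

# Constructed sample 2: hardened. The duplicate 'yes' is ignored (first value
# wins) and the Match block is conditional, so it does not change the global view.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PasswordAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u .ssh/authorized_keys
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg, "/etc/ssh/authorized_keys.d/%u") or ["ok"])
```

Run against a file produced by the service abstraction, the checker catches the two failure modes discussed above: a default that silently leaves password logins enabled, and keys deployed to a location sshd was never told about.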