unofficial mirror of bug-guix@gnu.org 
From: Julien Lepiller <julien@lepiller.eu>
To: 37309@debbugs.gnu.org, leo@famulari.name
Subject: bug#37309: [PATCH] services: openssh: Restrict to IPv4.
Date: Tue, 03 Dec 2019 22:53:11 +0100
Message-ID: <9AF0F57B-ED38-4A4F-9D34-B0A083DBBB3C@lepiller.eu>
In-Reply-To: <180aa2dee4e1da7fe915c85b90b1f60edd04f23d.1575403967.git.leo@famulari.name>

On 3 December 2019 21:12:51 GMT+01:00, Leo Famulari <leo@famulari.name> wrote:
>This works around <https://issues.guix.info/issue/30993>.
>
>* gnu/services/ssh.scm (<openssh-configuration>)[address-family]: New
>field.
>(openssh-config-file): Use it.
>* doc/guix.texi: Document it.
>---
> doc/guix.texi        | 10 ++++++++++
> gnu/services/ssh.scm | 16 +++++++++++++++-
> 2 files changed, 25 insertions(+), 1 deletion(-)
>
>diff --git a/doc/guix.texi b/doc/guix.texi
>index 39eb25385c..cf0e141baf 100644
>--- a/doc/guix.texi
>+++ b/doc/guix.texi
>@@ -13913,6 +13913,16 @@ This is a symbol specifying the logging level:
>@code{quiet}, @code{fatal},
>@code{error}, @code{info}, @code{verbose}, @code{debug}, etc.  See the
>man
> page for @file{sshd_config} for the full list of level names.
> 
>+@item @code{address-family} (default: @code{'inet})
>+This is a symbol specifying which type of internet addresses should be
>+handled by @command{sshd}.  The options are @code{inet} (IPv4),
>+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and
>+@code{inet6}.  The upstream default in @code{any}.  However, we
default *is*
>+currently default to @code{inet} due to a nondeterministic
>+@command{sshd} startup failure when using IPv6 on Guix.  See
>+@uref{https://issues.guix.info/issue/30993, the bug report} for more
>+information on this temporary limitation.
>+
> @item @code{extra-content} (default: @code{""})
>This field can be used to append arbitrary text to the configuration
>file.  It
>is especially useful for elaborate configurations that cannot be
>expressed
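Review bot: typo in the new @item paragraph, "The upstream default in @code{any}" should read "The upstream default is @code{any}". While editing that paragraph, it would help users to state plainly that with the @code{'inet} default @command{sshd} does not listen on IPv6 at all, so a host that is reachable only over IPv6 must set the field to @code{'inet6} or @code{'any} explicitly; as written, the text reads as a note about a startup race rather than as a behaviour change for existing systems.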
>diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
>index d2dbb8f80d..7e25810eff 100644
>--- a/gnu/services/ssh.scm
>+++ b/gnu/services/ssh.scm
>@@ -4,6 +4,7 @@
> ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
> ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
> ;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
>+;;; Copyright © 2019 Leo Famulari <leo@famulari.name>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
>@@ -340,7 +341,16 @@ The other options should be self-descriptive."
>;; proposed in <https://bugs.gnu.org/27155>.  Keep it
>internal/undocumented
>   ;; for now.
>   (%auto-start?          openssh-auto-start?
>-                         (default #t)))
>+                         (default #t))
>+
>+  ;; Symbol
>+  ;; XXX: This shouldn't be required, but due to limitations with IPv6
>+  ;; on Guix, sshd often fails to start when it attempts to bind to
>both
>+  ;; 0.0.0.0 and ::, because the IPv6 interface is not ready in time.
>+  ;; Accepted options are inet (IPv4), inet6 (IPv6), or any (both).
>+  ;; <https://issues.guix.info/issue/30993>
>+  (address-family        openssh-configuration-address-family
>+                         (default 'inet)))
> 
> (define %openssh-accounts
>   (list (user-group (name "sshd") (system? #t))
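Review bot: the new address-family field is documented as accepting only inet, inet6, or any, but nothing in the record enforces that, so any other symbol is passed straight through to the generated sshd_config. OpenSSH treats an unknown AddressFamily value as a fatal configuration error, which would reproduce the same "sshd fails to start at boot" symptom this patch is meant to work around, only without the explanation. Consider validating the value at configuration time (for example a sanitizer that rejects anything outside inet, inet6 and any) so the mistake is reported when the system is built rather than at boot. The "Symbol" comment above the XXX block could also name the accepted values directly rather than leaving that to the last line of the comment.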
>@@ -468,6 +478,10 @@ of user-name/file-like tuples."
>                       (symbol->string
>                        (openssh-configuration-log-level config))))
> 
>+           (format port "AddressFamily ~a\n"
>+                   #$(symbol->string
>+                      (openssh-configuration-address-family config)))
>+
>            ;; Add '/etc/authorized_keys.d/%u', which we populate.
>            (format port "AuthorizedKeysFile \
>.ssh/authorized_keys .ssh/authorized_keys2
>/etc/ssh/authorized_keys.d/%u\n")
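Review bot: the AddressFamily directive is emitted unconditionally, including when the value is 'any, which is the upstream default, so every generated sshd_config now carries this line. That is acceptable today, but the XXX comment describes the 'inet default as a temporary limitation; only emitting the directive when the field differs from 'any would let the workaround be removed later by changing the record default alone, without altering the generated file for users who already set 'any. Since the symbol is interpolated verbatim with ~a, this is also the point where an unvalidated value reaches sshd, which is another reason to validate the field in the record.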
