From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Lepiller <julien@lepiller.eu>
Subject: bug#37309: [PATCH] services: openssh: Restrict to IPv4.
Date: Tue, 03 Dec 2019 22:53:11 +0100
Message-ID: <9AF0F57B-ED38-4A4F-9D34-B0A083DBBB3C@lepiller.eu>
References: <87ef0u2867.fsf@roquette.mug.biscuolo.net>
 <180aa2dee4e1da7fe915c85b90b1f60edd04f23d.1575403967.git.leo@famulari.name>
Mime-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
Return-path: <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:470:142:3::10]:40256)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1icG7V-00081o-CQ
 for bug-guix@gnu.org; Tue, 03 Dec 2019 16:54:13 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1icG7P-0008VG-Sn
 for bug-guix@gnu.org; Tue, 03 Dec 2019 16:54:06 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:35200)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1icG7P-0008Tt-MJ
 for bug-guix@gnu.org; Tue, 03 Dec 2019 16:54:03 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1icG7O-0007zV-J1
 for bug-guix@gnu.org; Tue, 03 Dec 2019 16:54:02 -0500
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-Message-ID: <handler.37309.B37309.157541001330661@debbugs.gnu.org>
In-Reply-To: <180aa2dee4e1da7fe915c85b90b1f60edd04f23d.1575403967.git.leo@famulari.name>
List-Id: Bug reports for GNU Guix <bug-guix.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-guix>
List-Post: <mailto:bug-guix@gnu.org>
List-Help: <mailto:bug-guix-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-guix>,
 <mailto:bug-guix-request@gnu.org?subject=subscribe>
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: "bug-Guix" <bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org>
To: 37309@debbugs.gnu.org, leo@famulari.name

Le 3 d=C3=A9cembre 2019 21:12:51 GMT+01:00, Leo Famulari <leo@famulari=2Ena=
me> a =C3=A9crit :
>This works around <https://issues=2Eguix=2Einfo/issue/30993>=2E
>
>* gnu/services/ssh=2Escm (<openssh-configuration>)[address-family]: New
>field=2E
>(openssh-config-file): Use it=2E
>* doc/guix=2Etexi: Document it=2E
>---
> doc/guix=2Etexi        | 10 ++++++++++
> gnu/services/ssh=2Escm | 16 +++++++++++++++-
> 2 files changed, 25 insertions(+), 1 deletion(-)
>
>diff --git a/doc/guix=2Etexi b/doc/guix=2Etexi
>index 39eb25385c=2E=2Ecf0e141baf 100644
>--- a/doc/guix=2Etexi
>+++ b/doc/guix=2Etexi
>@@ -13913,6 +13913,16 @@ This is a symbol specifying the logging level:
>@code{quiet}, @code{fatal},
>@code{error}, @code{info}, @code{verbose}, @code{debug}, etc=2E  See the
>man
> page for @file{sshd_config} for the full list of level names=2E
>=20
>+@item @code{address-family} (default: @code{'inet})
>+This is a symbol specifying which type of internet addresses should be
>+handled by @command{sshd}=2E  The options are @code{inet} (IPv4),
>+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and
>+@code{inet6}=2E  The upstream default in @code{any}=2E  However, we
default *is*
>+currently default to @code{inet} due to a nondeterministic
>+@command{sshd} startup failure when using IPv6 on Guix=2E  See
>+@uref{https://issues=2Eguix=2Einfo/issue/30993, the bug report} for more
>+information on this temporary limitation=2E
>+
> @item @code{extra-content} (default: @code{""})
>This field can be used to append arbitrary text to the configuration
>file=2E  It
>is especially useful for elaborate configurations that cannot be
>expressed
>diff --git a/gnu/services/ssh=2Escm b/gnu/services/ssh=2Escm
>index d2dbb8f80d=2E=2E7e25810eff 100644
>--- a/gnu/services/ssh=2Escm
>+++ b/gnu/services/ssh=2Escm
>@@ -4,6 +4,7 @@
> ;;; Copyright =C2=A9 2016 Julien Lepiller <julien@lepiller=2Eeu>
> ;;; Copyright =C2=A9 2017 Cl=C3=A9ment Lassieur <clement@lassieur=2Eorg>
> ;;; Copyright =C2=A9 2019 Ricardo Wurmus <rekado@elephly=2Enet>
>+;;; Copyright =C2=A9 2019 Leo Famulari <leo@famulari=2Ename>
> ;;;
> ;;; This file is part of GNU Guix=2E
> ;;;
>@@ -340,7 +341,16 @@ The other options should be self-descriptive=2E"
>;; proposed in <https://bugs=2Egnu=2Eorg/27155>=2E  Keep it
>internal/undocumented
>   ;; for now=2E
>   (%auto-start?          openssh-auto-start?
>-                         (default #t)))
>+                         (default #t))
>+
>+  ;; Symbol
>+  ;; XXX: This shouldn't be required, but due to limitations with IPv6
>+  ;; on Guix, sshd often fails to start when it attempts to bind to
>both
>+  ;; 0=2E0=2E0=2E0 and ::, because the IPv6 interface is not ready in ti=
me=2E
>+  ;; Accepted options are inet (IPv4), inet6 (IPv6), or any (both)=2E
>+  ;; <https://issues=2Eguix=2Einfo/issue/30993>
>+  (address-family        openssh-configuration-address-family
>+                         (default 'inet)))
>=20
> (define %openssh-accounts
>   (list (user-group (name "sshd") (system? #t))
>@@ -468,6 +478,10 @@ of user-name/file-like tuples=2E"
>                       (symbol->string
>                        (openssh-configuration-log-level config))))
>=20
>+           (format port "AddressFamily ~a\n"
>+                   #$(symbol->string
>+                      (openssh-configuration-address-family config)))
>+
>            ;; Add '/etc/authorized_keys=2Ed/%u', which we populate=2E
>            (format port "AuthorizedKeysFile \
>=2Essh/authorized_keys =2Essh/authorized_keys2
>/etc/ssh/authorized_keys=2Ed/%u\n")