* [PATCH] openssh service @ 2016-08-05 12:18 Julien Lepiller 2016-08-05 13:47 ` Andy Wingo 0 siblings, 1 reply; 12+ messages in thread From: Julien Lepiller @ 2016-08-05 12:18 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 93 bytes --] Hello, here is a patch that adds a service definition for openssh. Regards, Julien Lepiller [-- Attachment #2: 0001-services-Add-openssh.patch --] [-- Type: text/x-patch, Size: 7937 bytes --] From 592ab25424b2685238e31a3e2473e31a45bea4e5 Mon Sep 17 00:00:00 2001 From: Julien Lepiller <julien@lepiller.eu> Date: Fri, 5 Aug 2016 15:20:15 +0200 Subject: [PATCH] services: Add openssh * gnu/packages/ssh.scm: Openssh reads its configuration from /etc * gnu/services/ssh.scm: Add openssh-service --- gnu/packages/ssh.scm | 3 +- gnu/services/ssh.scm | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 146 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index bca4433..eec6673 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.") ("zlib" ,zlib) ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' (arguments - `(#:test-target "tests" + `(#:configure-flags `("--sysconfdir=/etc/ssh") + #:test-target "tests" #:phases (modify-phases %standard-phases (add-after 'configure 'reset-/var/empty diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9a7ea0f..8372cbf 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -19,9 +19,11 @@ (define-module (gnu services ssh) #:use-module (gnu packages ssh) + #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-26) 
@@ -30,6 +32,11 @@ lsh-service lsh-service-type + openssh-configuration + openssh-configuration? + openssh-service-type + openssh-service + dropbear-configuration dropbear-configuration? dropbear-service-type 
@@ -244,7 +251,143 @@ The other options should be self-descriptive." public-key-authentication?) (initialize? initialize?)))) -\f +;;; +;;; OpenSSH. +;;; + +(define-record-type* <openssh-configuration> + openssh-configuration make-openssh-configuration + openssh-configuration? + (pidfile openssh-configuration-pidfile + (default "/var/run/sshd.pid")) + (port-number openssh-configuration-port-number + (default 22)) + (root-login openssh-configuration-root-login + (default "without-password")) + (allow-empty-passwords? openssh-configuration-allow-empty-passwords? + (default #f)) + (password-authentication? openssh-configuration-password-authentication? + (default #t)) + (pubkey-authentication? openssh-configuration-pubkey-authentication? + (default #t)) + (rsa-authentication? openssh-configuration-rsa-authentication? + (default #t)) + (x11-forwarding? openssh-configuration-x11-forwarding? + (default #f)) + (protocol-number openssh-configuration-protocol-number + (default "2"))) + +(define %openssh-accounts + (list (user-group (name "sshd") (system? #t)) + (user-account + (name "sshd") + (group "sshd") + (system? #t) + (comment "sshd privilege separation user") + (home-directory "/var/run/sshd") + (shell #~(string-append #$shadow "/sbin/nologin"))))) + +(define (openssh-activation config) + "Return the activation GEXP for CONFIG." + #~(begin + (mkdir-p "/etc/ssh") + (mkdir-p (basename #$(openssh-configuration-pidfile config))) + (let ((pid (primitive-fork))) + (case pid + ((0) + (execl (string-append #$openssh "/bin/ssh-keygen") + "ssh-keygen" "-A") + (else + (zero? 
(cdr (waitpid pid))))))) + (call-with-output-file "/etc/ssh/sshd_config" + (lambda (port) + (display + "# Generated by 'openssh-service'.\n" + port) + (format port "Protocol ~a\n" + #$(openssh-configuration-protocol-number config)) + (format port "Port ~a\n" + #$(number->string (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(openssh-configuration-root-login config)) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-pubkey-authentication? config) + "yes" "no")) + (format port "RSAAuthentication ~a\n" + #$(if (openssh-configuration-rsa-authentication? config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pidfile config)))))) + +(define (openssh-shepherd-service config) + "Return a <shepherd-service> for openssh with CONFIG." 
+ + (define pid-file + (openssh-configuration-pidfile config)) + + (define openssh-command + #~(list (string-append #$openssh "/sbin/sshd") + "-D")) + + (define requires + '(networking syslogd)) + + (list (shepherd-service + (documentation "Openssh SSH server.") + (requirement requires) + (provision '(ssh-daemon)) + (start #~(make-forkexec-constructor #$openssh-command + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))) + +(define openssh-service-type + (service-type (name 'openssh) + (extensions + (list (service-extension shepherd-root-service-type + openssh-shepherd-service) + (service-extension activation-service-type + openssh-activation) + (service-extension account-service-type + (const %openssh-accounts)))))) + +(define* (openssh-service #:optional (config (openssh-configuration))) + "Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be one of \"1\", \"2\" or \"1,2\". + +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). + +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. 
+This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work." + (service openssh-service-type config)) + ;;; ;;; Dropbear. ;;; -- 2.9.2 ^ permalink raw reply related [flat|nested] 12+ messages in thread
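Review bot: In the gnu/packages/ssh.scm hunk, `+ \`(#:configure-flags \`("--sysconfdir=/etc/ssh")` nests a second quasiquote inside the already quasiquoted argument list; it evaluates to the same list, but `'("--sysconfdir=/etc/ssh")` is the unambiguous form. The commit message line "Openssh reads its configuration from /etc" also disagrees with the flag, which points sysconfdir at /etc/ssh; since sshd's config lookup and `ssh-keygen -A`'s host-key output both resolve against sysconfdir, the message should say /etc/ssh so the two agree.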
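Review bot: In `openssh-activation`, `(mkdir-p (basename #$(openssh-configuration-pidfile config)))` creates a directory named after the file (`sshd.pid`, relative to the current directory) rather than the directory meant to hold it; this needs `dirname` so that `/var/run` exists before sshd writes its PID file. The fork/exec block in the same hunk is mis-parenthesised: `"ssh-keygen" "-A")` closes only the `execl` call, so `(else ...)` lands inside the `((0) ...)` clause instead of being a clause of `case`, the parent never waits for the child, and the child has no exit path when `execl` fails (a `(primitive-exit 1)` after it is needed); `(cdr (waitpid pid))` is moreover the raw wait status, which must go through `status:exit-val` before `zero?` means anything. Replacing the whole block with `(zero? (system* (string-append #$openssh "/bin/ssh-keygen") "-A"))` and failing activation when it is false avoids all of this and surfaces a missing-host-key problem at reconfigure time instead of as sshd refusing to start later.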
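Review bot: The `openssh-service` docstring in the last hunk documents keyword arguments (`@var{port-number}`, `@var{pidfile}`, ...) and a `@var{PermitRootLogin}` variable, but the procedure directly above it, `(define* (openssh-service #:optional (config (openssh-configuration))) ...)`, accepts only a configuration record; either describe the record fields (`root-login`, not `PermitRootLogin`) or give the procedure the keywords it advertises. The `without-password` sentence reads as if a public key were an example of password login; phrase it as "root may log in only with non-password methods such as a public key", and fix "loging" to "logging". Separately, accepting `"1"` or `"1,2"` for `protocol-number` (and the protocol-1-only `rsa-authentication?` option) advertises SSH-1 support that upstream OpenSSH compiles out by default since 7.0; unless the package is built with it, the service should refuse those values rather than emit a `Protocol 1` line sshd cannot honour.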
* Re: [PATCH] openssh service 2016-08-05 12:18 [PATCH] openssh service Julien Lepiller @ 2016-08-05 13:47 ` Andy Wingo 2016-08-05 14:20 ` Julien Lepiller 0 siblings, 1 reply; 12+ messages in thread From: Andy Wingo @ 2016-08-05 13:47 UTC (permalink / raw) To: Julien Lepiller; +Cc: guix-devel On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu> writes: > here is a patch that adds a service definition for openssh. Very nice! > + (let ((pid (primitive-fork))) > + (case pid > + ((0) > + (execl (string-append #$openssh "/bin/ssh-keygen") > + "ssh-keygen" "-A") > + (else > + (zero? (cdr (waitpid pid))))))) I guess you could system* this one instead; would be easier I think. Dunno. Other than that looks all good to me. Would need an addition to the manual eventually though. Andy ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] openssh service 2016-08-05 13:47 ` Andy Wingo @ 2016-08-05 14:20 ` Julien Lepiller 2016-08-19 14:03 ` Julien Lepiller 0 siblings, 1 reply; 12+ messages in thread From: Julien Lepiller @ 2016-08-05 14:20 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 760 bytes --] On Fri, 05 Aug 2016 15:47:50 +0200 Andy Wingo <wingo@igalia.com> wrote: > On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu> writes: > > > here is a patch that adds a service definition for openssh. > > Very nice! > > > + (let ((pid (primitive-fork))) > > + (case pid > > + ((0) > > + (execl (string-append #$openssh "/bin/ssh-keygen") > > + "ssh-keygen" "-A") > > + (else > > + (zero? (cdr (waitpid pid))))))) > > I guess you could system* this one instead; would be easier I think. > Dunno. I modified my patch, so you can choose whichever feels better. > > Other than that looks all good to me. Would need an addition to the > manual eventually though. > > Andy [-- Attachment #2: 0001-services-Add-openssh.patch --] [-- Type: text/x-patch, Size: 7769 bytes --] From 198ed4efacadd72b4ccda617855fb7f409bedd3b Mon Sep 17 00:00:00 2001 From: Julien Lepiller <julien@lepiller.eu> Date: Fri, 5 Aug 2016 15:20:15 +0200 Subject: [PATCH] services: Add openssh * gnu/packages/ssh.scm: Openssh reads its configuration from /etc * gnu/services/ssh.scm: Add openssh-service --- gnu/packages/ssh.scm | 3 +- gnu/services/ssh.scm | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 140 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index bca4433..eec6673 100644 --- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm 
@@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.") ("zlib" ,zlib) ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' (arguments - `(#:test-target "tests" + `(#:configure-flags `("--sysconfdir=/etc/ssh") + #:test-target "tests" #:phases (modify-phases %standard-phases (add-after 'configure 'reset-/var/empty diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9a7ea0f..60b9cec 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -19,9 +19,11 @@ (define-module (gnu services ssh) #:use-module (gnu packages ssh) + #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-26) @@ -30,6 +32,11 @@ lsh-service lsh-service-type + openssh-configuration + openssh-configuration? + openssh-service-type + openssh-service + dropbear-configuration dropbear-configuration? dropbear-service-type 
@@ -244,7 +251,137 @@ The other options should be self-descriptive." public-key-authentication?) (initialize? initialize?)))) -\f +;;; +;;; OpenSSH. +;;; + +(define-record-type* <openssh-configuration> + openssh-configuration make-openssh-configuration + openssh-configuration? + (pidfile openssh-configuration-pidfile + (default "/var/run/sshd.pid")) + (port-number openssh-configuration-port-number + (default 22)) + (root-login openssh-configuration-root-login + (default "without-password")) + (allow-empty-passwords? openssh-configuration-allow-empty-passwords? + (default #f)) + (password-authentication? openssh-configuration-password-authentication? + (default #t)) + (pubkey-authentication? openssh-configuration-pubkey-authentication? + (default #t)) + (rsa-authentication? openssh-configuration-rsa-authentication? + (default #t)) + (x11-forwarding? openssh-configuration-x11-forwarding? + (default #f)) + (protocol-number openssh-configuration-protocol-number + (default "2"))) + +(define %openssh-accounts + (list (user-group (name "sshd") (system? #t)) + (user-account + (name "sshd") + (group "sshd") + (system? #t) + (comment "sshd privilege separation user") + (home-directory "/var/run/sshd") + (shell #~(string-append #$shadow "/sbin/nologin"))))) + +(define (openssh-activation config) + "Return the activation GEXP for CONFIG." + #~(begin + (mkdir-p "/etc/ssh") + (mkdir-p (basename #$(openssh-configuration-pidfile config))) + (system* (string-append #$openssh "/bin/ssh-keygen") "-A") + (call-with-output-file "/etc/ssh/sshd_config" + (lambda (port) + (display + "# Generated by 'openssh-service'.\n" + port) + (format port "Protocol ~a\n" + #$(openssh-configuration-protocol-number config)) + (format port "Port ~a\n" + #$(number->string (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(openssh-configuration-root-login config)) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? 
config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-pubkey-authentication? config) + "yes" "no")) + (format port "RSAAuthentication ~a\n" + #$(if (openssh-configuration-rsa-authentication? config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pidfile config)))))) + +(define (openssh-shepherd-service config) + "Return a <shepherd-service> for openssh with CONFIG." + + (define pid-file + (openssh-configuration-pidfile config)) + + (define openssh-command + #~(list (string-append #$openssh "/sbin/sshd") + "-D")) + + (define requires + '(networking syslogd)) + + (list (shepherd-service + (documentation "Openssh SSH server.") + (requirement requires) + (provision '(ssh-daemon)) + (start #~(make-forkexec-constructor #$openssh-command + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))) + +(define openssh-service-type + (service-type (name 'openssh) + (extensions + (list (service-extension shepherd-root-service-type + openssh-shepherd-service) + (service-extension activation-service-type + openssh-activation) + (service-extension account-service-type + (const %openssh-accounts)))))) + +(define* (openssh-service #:optional (config (openssh-configuration))) + "Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be one of \"1\", \"2\" or \"1,2\". + +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). 
+ +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. +This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work." + (service openssh-service-type config)) + ;;; ;;; Dropbear. ;;; -- 2.9.2 ^ permalink raw reply related [flat|nested] 12+ messages in thread
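Review bot: In the `openssh-activation` hunk, the return value of `(system* (string-append #$openssh "/bin/ssh-keygen") "-A")` is discarded, so a failed host-key generation is swallowed and only shows up later when sshd exits for want of host keys; wrap it as `(unless (zero? (system* ...)) (error "ssh-keygen -A failed"))` or similar so activation reports it. A short comment that `ssh-keygen -A` only creates keys that are missing would also help readers, since that is what keeps the host identity stable across reconfigurations. The `(mkdir-p (basename ...))` line carried over from the previous revision still creates a directory called `sshd.pid` in the current directory instead of the PID file's parent and needs `dirname`.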
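Review bot: The `openssh-service` docstring in the last hunk is unchanged from the previous revision, so it still describes keyword arguments and a `@var{PermitRootLogin}` variable while the procedure takes a single `<openssh-configuration>` record; the record field is `root-login`, and the docstring should either name the fields or the procedure should accept the keywords it documents.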
* Re: [PATCH] openssh service 2016-08-05 14:20 ` Julien Lepiller @ 2016-08-19 14:03 ` Julien Lepiller 2016-08-19 14:15 ` Vincent Legoll 0 siblings, 1 reply; 12+ messages in thread From: Julien Lepiller @ 2016-08-19 14:03 UTC (permalink / raw) To: guix-devel On Fri, 5 Aug 2016 16:20:49 +0200 Julien Lepiller <julien@lepiller.eu> wrote: > On Fri, 05 Aug 2016 15:47:50 +0200 > Andy Wingo <wingo@igalia.com> wrote: > > > On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu> > > writes: > > > here is a patch that adds a service definition for openssh. > > > > Very nice! > > > > > + (let ((pid (primitive-fork))) > > > + (case pid > > > + ((0) > > > + (execl (string-append #$openssh "/bin/ssh-keygen") > > > + "ssh-keygen" "-A") > > > + (else > > > + (zero? (cdr (waitpid pid))))))) > > > > I guess you could system* this one instead; would be easier I think. > > Dunno. > > I modified my patch, so you can choose whichever feels better. > > > > > Other than that looks all good to me. Would need an addition to the > > manual eventually though. > > > > > Andy > Hi, It's been a bit of time since I posted the patch, but didn't hear any news about it. What's wrong with it? Is it that I misunderstood the "Would need an addition to the manual eventually though"? Does that mean I need to add an entry to the manual myself (if so, could you tell me what file to edit?) ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] openssh service 2016-08-19 14:03 ` Julien Lepiller @ 2016-08-19 14:15 ` Vincent Legoll 2016-08-19 14:31 ` Julien Lepiller 0 siblings, 1 reply; 12+ messages in thread From: Vincent Legoll @ 2016-08-19 14:15 UTC (permalink / raw) To: Julien Lepiller; +Cc: guix-devel Hello, On Fri, Aug 19, 2016 at 4:03 PM, Julien Lepiller <julien@lepiller.eu> wrote: > Does that mean I need to add an entry to the manual myself (if so, could > you tell me what file to edit?) I think that would be doc/guix.texi in http://git.savannah.gnu.org/cgit/guix.git -- Vincent Legoll ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] openssh service 2016-08-19 14:15 ` Vincent Legoll @ 2016-08-19 14:31 ` Julien Lepiller 2016-08-26 10:51 ` Andy Wingo 2016-08-29 15:06 ` Ludovic Courtès 0 siblings, 2 replies; 12+ messages in thread From: Julien Lepiller @ 2016-08-19 14:31 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 437 bytes --] On Fri, 19 Aug 2016 16:15:48 +0200 Vincent Legoll <vincent.legoll@gmail.com> wrote: > Hello, > > On Fri, Aug 19, 2016 at 4:03 PM, Julien Lepiller <julien@lepiller.eu> > wrote: > > Does that mean I need to add an entry to the manual myself (if so, > > could you tell me what file to edit?) > > I think that would be doc/guix.texi > in http://git.savannah.gnu.org/cgit/guix.git > Thank you, here is the patch with the documentation. [-- Attachment #2: 0001-services-Add-openssh.patch --] [-- Type: text/x-patch, Size: 9932 bytes --] From 070513c1768763c80cad47832f895320fcc223be Mon Sep 17 00:00:00 2001 From: Julien Lepiller <julien@lepiller.eu> Date: Fri, 5 Aug 2016 15:20:15 +0200 Subject: [PATCH] services: Add openssh * gnu/packages/ssh.scm: Openssh reads its configuration from /etc * gnu/services/ssh.scm: Add openssh-service * doc/guix.texi (Networking Services): Document 'openssh-services'. --- doc/guix.texi | 34 +++++++++++++ gnu/packages/ssh.scm | 3 +- gnu/services/ssh.scm | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 174 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 5330238..6be91ee 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -8042,6 +8042,40 @@ root. The other options should be self-descriptive. @end deffn +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @ + [#:port-number 22] [#:root-login "without-password"] @ + [#:allow-empty-passwords #f] [#:password-authentication? #t] @ + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ + [#:x11-forwarding? #f] [#:protocol-number "2"] +"Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be one of \"1\", \"2\" or \"1,2\". + +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). + +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. +This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work. + +@end deffn + @deffn {Scheme Procedure} dropbear-service [@var{config}] Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{<dropbear-configuration>} diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index 16cd6e2..457e78b 100644 
--- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.") ("zlib" ,zlib) ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' (arguments - `(#:test-target "tests" + `(#:configure-flags `("--sysconfdir=/etc/ssh") + #:test-target "tests" #:phases (modify-phases %standard-phases (add-after 'configure 'reset-/var/empty diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9a7ea0f..60b9cec 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -19,9 +19,11 @@ (define-module (gnu services ssh) #:use-module (gnu packages ssh) + #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-26) @@ -30,6 +32,11 @@ lsh-service lsh-service-type + openssh-configuration + openssh-configuration? + openssh-service-type + openssh-service + dropbear-configuration dropbear-configuration? dropbear-service-type 
@@ -244,7 +251,137 @@ The other options should be self-descriptive." public-key-authentication?) (initialize? initialize?)))) -\f +;;; +;;; OpenSSH. +;;; + +(define-record-type* <openssh-configuration> + openssh-configuration make-openssh-configuration + openssh-configuration? + (pidfile openssh-configuration-pidfile + (default "/var/run/sshd.pid")) + (port-number openssh-configuration-port-number + (default 22)) + (root-login openssh-configuration-root-login + (default "without-password")) + (allow-empty-passwords? openssh-configuration-allow-empty-passwords? + (default #f)) + (password-authentication? openssh-configuration-password-authentication? + (default #t)) + (pubkey-authentication? openssh-configuration-pubkey-authentication? + (default #t)) + (rsa-authentication? openssh-configuration-rsa-authentication? + (default #t)) + (x11-forwarding? openssh-configuration-x11-forwarding? + (default #f)) + (protocol-number openssh-configuration-protocol-number + (default "2"))) + +(define %openssh-accounts + (list (user-group (name "sshd") (system? #t)) + (user-account + (name "sshd") + (group "sshd") + (system? #t) + (comment "sshd privilege separation user") + (home-directory "/var/run/sshd") + (shell #~(string-append #$shadow "/sbin/nologin"))))) + +(define (openssh-activation config) + "Return the activation GEXP for CONFIG." + #~(begin + (mkdir-p "/etc/ssh") + (mkdir-p (basename #$(openssh-configuration-pidfile config))) + (system* (string-append #$openssh "/bin/ssh-keygen") "-A") + (call-with-output-file "/etc/ssh/sshd_config" + (lambda (port) + (display + "# Generated by 'openssh-service'.\n" + port) + (format port "Protocol ~a\n" + #$(openssh-configuration-protocol-number config)) + (format port "Port ~a\n" + #$(number->string (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(openssh-configuration-root-login config)) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? 
config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-pubkey-authentication? config) + "yes" "no")) + (format port "RSAAuthentication ~a\n" + #$(if (openssh-configuration-rsa-authentication? config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pidfile config)))))) + +(define (openssh-shepherd-service config) + "Return a <shepherd-service> for openssh with CONFIG." + + (define pid-file + (openssh-configuration-pidfile config)) + + (define openssh-command + #~(list (string-append #$openssh "/sbin/sshd") + "-D")) + + (define requires + '(networking syslogd)) + + (list (shepherd-service + (documentation "Openssh SSH server.") + (requirement requires) + (provision '(ssh-daemon)) + (start #~(make-forkexec-constructor #$openssh-command + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))) + +(define openssh-service-type + (service-type (name 'openssh) + (extensions + (list (service-extension shepherd-root-service-type + openssh-shepherd-service) + (service-extension activation-service-type + openssh-activation) + (service-extension account-service-type + (const %openssh-accounts)))))) + +(define* (openssh-service #:optional (config (openssh-configuration))) + "Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be one of \"1\", \"2\" or \"1,2\". + +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). 
+ +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. +This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work." + (service openssh-service-type config)) + ;;; ;;; Dropbear. ;;; -- 2.9.3 ^ permalink raw reply related [flat|nested] 12+ messages in thread
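Review bot: The `@deffn` in the doc/guix.texi hunk advertises keyword arguments (`[#:pidfile "/var/run/sshd.pid"] [#:port-number 22] ...`) while the procedure in the gnu/services/ssh.scm hunk is `(define* (openssh-service #:optional (config (openssh-configuration))) ...)`, so the manual documents a calling convention that does not exist; document the `<openssh-configuration>` record and its fields, or make the procedure accept those keywords. The body was pasted from the Scheme docstring: the leading `"` on `+"Run the @command{sshd} program` and the `\"1\"`, `\"2\"`, `\"1,2\"` escapes are not Texinfo (use `@code{"1"}` and friends), `@var{PermitRootLogin}` should name the actual field `root-login`, and `[#:allow-empty-passwords #f]` and `@var{x11-forwarding}` are missing their trailing `?`. The commit message line "Document 'openssh-services'" should read 'openssh-service'.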
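Review bot: The gnu/services/ssh.scm hunks are identical to the previous revision, so `openssh-activation` still does `(mkdir-p (basename ...))` where `dirname` is meant and still ignores the exit status of `(system* ... "ssh-keygen" "-A")`; both should be fixed here along with the documentation.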
* Re: [PATCH] openssh service 2016-08-19 14:31 ` Julien Lepiller @ 2016-08-26 10:51 ` Andy Wingo 2016-09-26 16:42 ` Julien Lepiller 2016-08-29 15:06 ` Ludovic Courtès 1 sibling, 1 reply; 12+ messages in thread From: Andy Wingo @ 2016-08-26 10:51 UTC (permalink / raw) To: Julien Lepiller; +Cc: guix-devel Hi Julien, Thanks for the documentation update! On Fri 19 Aug 2016 16:31, Julien Lepiller <julien@lepiller.eu> writes: > +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @ > + [#:port-number 22] [#:root-login "without-password"] @ > + [#:allow-empty-passwords #f] [#:password-authentication? #t] @ > + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ > + [#:x11-forwarding? #f] [#:protocol-number "2"] > +"Run the @command{sshd} program from @var{openssh} on port @var{port-number}. > +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It > +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can > +be one of \"1\", \"2\" or \"1,2\". > + > +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and > +@var{no}. It is used to allow root login through ssh. @var{without-password} > +means that root login is allowed, except when loging with a password (eg: a > +public key). The variable needs to be changed to @var{root-login} (and I think probably @var{permit-root-login} would be more expected), and probably "without-password" should be a symbol rather than a string. In general I think naming the keywords after the upstream options is going to be the least confusing thing for users. Consider changing from yes/no/without-password to #t/#f/without-password, and renaming the option to #:permit-root-login?. Consider requiring that the protocol number be either 1 or 2. In general we want to make errors happen early, when building the OS, rather than when the OS is booted. WDYT? Andy ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [PATCH] openssh service 2016-08-26 10:51 ` Andy Wingo @ 2016-09-26 16:42 ` Julien Lepiller 2016-09-29 21:15 ` Ludovic Courtès 0 siblings, 1 reply; 12+ messages in thread 
From: Julien Lepiller @ 2016-09-26 16:42 UTC (permalink / raw) To: guix-devel [-- Attachment #1: Type: text/plain, Size: 2104 bytes --] On Fri, 26 Aug 2016 12:51:56 +0200 Andy Wingo <wingo@igalia.com> wrote: > Hi Julien, > > Thanks for the documentation update! > > On Fri 19 Aug 2016 16:31, Julien Lepiller <julien@lepiller.eu> writes: > > > +@deffn {Scheme Procedure} openssh-service [#:pidfile > > "/var/run/sshd.pid"] @ > > + [#:port-number 22] [#:root-login "without-password"] @ > > + [#:allow-empty-passwords #f] [#:password-authentication? > > #t] @ > > + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ > > + [#:x11-forwarding? #f] [#:protocol-number "2"] > > +"Run the @command{sshd} program from @var{openssh} on port > > @var{port-number}. +@command{sshd} runs an ssh daemon and writes > > its PID to @var{pidfile}. It +understands ssh protocol > > @var{protocol-number}. The @var{protocol-number} can +be one of > > \"1\", \"2\" or \"1,2\". + > > +@var{PermitRootLogin} takes one of @var{yes}, > > @var{without-password} and +@var{no}. It is used to allow root > > login through ssh. @var{without-password} +means that root login is > > allowed, except when loging with a password (eg: a +public key). > > The variable needs to be changed to @var{root-login} (and I think > probably @var{permit-root-login} would be more expected), and probably > "without-password" should be a symbol rather than a string. In > general I think naming the keywords after the upstream options is > going to be the least confusing thing for users. Consider changing > from yes/no/without-password to #t/#f/without-password, and renaming > the option to #:permit-root-login?. Consider requiring that the > protocol number be either 1 or 2. In general we want to make errors > happen early, when building the OS, rather than when the OS is booted. Sorry for the delay, here is a new version of the patch. 
Meanwhile, sysconfdir was set to /etc, but I changed this for /etc/ssh, because openssh looks for its configuration and other files (about 10) directly in sysconfdir, not a subdirectory. Also, I fixed a mistake in openssh-service (it was not following what the doc said). > > WDYT? > > Andy [-- Attachment #2: 0001-services-Add-openssh.patch --] [-- Type: text/x-patch, Size: 9701 bytes --] From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001 From: Julien Lepiller <julien@lepiller.eu> Date: Fri, 5 Aug 2016 15:20:15 +0200 Subject: [PATCH] services: Add openssh * gnu/packages/ssh.scm: Openssh reads its configuration from /etc * gnu/services/ssh.scm: Add openssh-service * doc/guix.texi (Networking Services): Document 'openssh-services'. --- doc/guix.texi | 34 ++++++++++++++ gnu/packages/ssh.scm | 2 +- gnu/services/ssh.scm | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 161 insertions(+), 2 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 808fbdc..bcd8b6b 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -8199,6 +8199,40 @@ root. The other options should be self-descriptive. @end deffn +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @ + [#:port-number 22] [#:permit-root-login 'without-password] @ + [#:allow-empty-passwords #f] [#:password-authentication? #t] @ + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ + [#:x11-forwarding? #f] [#:protocol-number "2"] +"Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be either 1 or 2. + +@var{permit-root-login} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). + +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. +This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work. + +@end deffn + @deffn {Scheme Procedure} dropbear-service [@var{config}] Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{<dropbear-configuration>} diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index b2612a4..88bfd06 100644 
--- a/gnu/packages/ssh.scm +++ b/gnu/packages/ssh.scm @@ -144,7 +144,7 @@ a server that supports the SSH-2 protocol.") ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' (arguments `(#:test-target "tests" - #:configure-flags '("--sysconfdir=/etc" + #:configure-flags '("--sysconfdir=/etc/ssh" ;; Default value of 'PATH' used by sshd. "--with-default-path=/run/current-system/profile/bin" diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 462988c..5484463 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -19,9 +19,11 @@ (define-module (gnu services ssh) #:use-module (gnu packages ssh) + #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-26) @@ -30,6 +32,11 @@ lsh-service lsh-service-type + openssh-configuration + openssh-configuration? + openssh-service-type + openssh-service + dropbear-configuration dropbear-configuration? dropbear-service-type 
@@ -244,7 +251,125 @@ The other options should be self-descriptive." public-key-authentication?) (initialize? initialize?)))) -\f +;;; +;;; OpenSSH. +;;; + +(define-record-type* <openssh-configuration> + openssh-configuration make-openssh-configuration + openssh-configuration? + (pidfile openssh-configuration-pidfile) + (port-number openssh-configuration-port-number) + (permit-root-login? openssh-configuration-permit-root-login) + (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) + (password-authentication? openssh-configuration-password-authentication?) + (pubkey-authentication? openssh-configuration-pubkey-authentication?) + (rsa-authentication? openssh-configuration-rsa-authentication?) + (x11-forwarding? openssh-configuration-x11-forwarding?) + (protocol-number openssh-configuration-protocol-number)) + +(define %openssh-accounts + (list (user-group (name "sshd") (system? #t)) + (user-account + (name "sshd") + (group "sshd") + (system? #t) + (comment "sshd privilege separation user") + (home-directory "/var/run/sshd") + (shell #~(string-append #$shadow "/sbin/nologin"))))) + +(define (openssh-activation config) + "Return the activation GEXP for CONFIG." + #~(begin + (mkdir-p "/etc/ssh") + (mkdir-p (basename #$(openssh-configuration-pidfile config))) + (system* (string-append #$openssh "/bin/ssh-keygen") "-A") + (call-with-output-file "/etc/ssh/sshd_config" + (lambda (port) + (display + "# Generated by 'openssh-service'.\n" + port) + (format port "Protocol ~a\n" + #$(if (eq? (openssh-configuration-protocol-number config) 1) + "1" "2")) + (format port "Port ~a\n" + #$(number->string (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(if (eq? (openssh-configuration-permit-root-login config) #t) + "yes" (if (eq? + (openssh-configuration-permit-root-login config) + #f) + "no" "without-password"))) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? 
config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-pubkey-authentication? config) + "yes" "no")) + (format port "RSAAuthentication ~a\n" + #$(if (openssh-configuration-rsa-authentication? config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pidfile config)))))) + +(define (openssh-shepherd-service config) + "Return a <shepherd-service> for openssh with CONFIG." + + (define pid-file + (openssh-configuration-pidfile config)) + + (define openssh-command + #~(list (string-append #$openssh "/sbin/sshd") + "-D")) + + (define requires + '(networking syslogd)) + + (list (shepherd-service + (documentation "Openssh SSH server.") + (requirement requires) + (provision '(ssh-daemon)) + (start #~(make-forkexec-constructor #$openssh-command + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))) + +(define openssh-service-type + (service-type (name 'openssh) + (extensions + (list (service-extension shepherd-root-service-type + openssh-shepherd-service) + (service-extension activation-service-type + openssh-activation) + (service-extension account-service-type + (const %openssh-accounts)))))) + +(define* (openssh-service #:key + (pidfile "/var/run/sshd.pid") + (port-number 22) + (permit-root-login? 'without-password) + (allow-empty-passwords? #f) + (password-authentication? #t) + (pubkey-authentication? #t) + (rsa-authentication? #t) + (x11-forwarding? #f) + (protocol-number 2)) + (service openssh-service-type (openssh-configuration (pidfile pidfile) + (port-number port-number) + (permit-root-login? permit-root-login?) + (allow-empty-passwords? allow-empty-passwords?) + (password-authentication? password-authentication?) + (pubkey-authentication? pubkey-authentication?) 
+ (rsa-authentication? rsa-authentication?) + (x11-forwarding? x11-forwarding?) + (protocol-number protocol-number)))) + + ;;; ;;; Dropbear. ;;; -- 2.10.0 ^ permalink raw reply related [flat|nested] 12+ messages in thread
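Review bot: in the doc/guix.texi hunk, the @deffn signature, the prose and the Scheme code disagree on option names: the signature shows `[#:permit-root-login 'without-password]` and `[#:allow-empty-passwords #f]`, the prose refers to `@var{allow-empty-passwords?}` and `@var{x11-forwarding}`, and `openssh-service` in gnu/services/ssh.scm accepts `#:permit-root-login?` and `#:allow-empty-passwords?`. Settle on one spelling in all three places; following Ludo's earlier comment, the `?` belongs on Boolean options only, so `#:permit-root-login` (its value can be the symbol `without-password`) but `#:allow-empty-passwords?` and `#:x11-forwarding?`. `[#:protocol-number "2"]` should read `[#:protocol-number 2]`, since the prose says "either 1 or 2" and the procedure defaults to the number 2. The body should not open with the stray `"` of `+"Run the @command{sshd} program`, "loging" is "logging", and "(eg: a public key)" names the method that is allowed, not the one that is refused, so say that root may log in only with a non-password method such as a public key. As Ludo already asked, write `@option{-X}` and `@option{-Y}`. Since the manual documents Dropbear through its `<dropbear-configuration>` record, a matching `@deftp {Data Type} openssh-configuration` entry listing the fields and their defaults would be the natural home for these descriptions.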
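Review bot: in the gnu/packages/ssh.scm hunk, the commit message entry `* gnu/packages/ssh.scm: Openssh reads its configuration from /etc` no longer matches the change, which sets `--sysconfdir=/etc/ssh`; update it to the usual form, e.g. `* gnu/packages/ssh.scm (openssh)[arguments]: Set --sysconfdir to /etc/ssh.` The service hunk depends on this value twice, through `(mkdir-p "/etc/ssh")` and through `ssh-keygen -A`, which writes host keys into sysconfdir, so a comment next to the flag saying that `openssh-activation` relies on it would keep the two from drifting apart.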
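Review bot: in the export hunk of gnu/services/ssh.scm, `openssh-configuration` and `openssh-configuration?` are exported but none of the field accessors (`openssh-configuration-port-number`, `openssh-configuration-pidfile`, ...) are, so a system definition that builds a record cannot inspect it and no other service can read its fields; export the accessors alongside the constructor, as the manual will need to refer to them once the record is documented.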
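Review bot: in the `@@ -244,7 +251,125 @@` hunk, `(mkdir-p (basename #$(openssh-configuration-pidfile config)))` is wrong: `basename` of "/var/run/sshd.pid" is "sshd.pid", so activation creates a directory named `sshd.pid` relative to the current directory and never ensures that `/var/run` exists; `dirname` is what is meant. The nested `if`s that translate `permit-root-login` and `protocol-number` silently map any unexpected value (a misspelled symbol, the string "without-password" from the earlier revision, `3`) to `without-password` and `2`; following Andy's point about failing when the OS is built rather than when it boots, use `match` with a final clause that raises an error. The field is declared as `permit-root-login?` while its accessor is `openssh-configuration-permit-root-login` and the value is not a Boolean, so drop the `?` (OpenSSH 7.0 and later also accept `prohibit-password` as the preferred spelling of `without-password`). Offering protocol 1 at all is questionable: OpenSSH 7.0 and later leave server-side protocol 1 out of a default build, so the generated `Protocol 1` directive will not enable it with the packaged OpenSSH, and `RSAAuthentication` applies only to protocol 1, so the `#t` default emits a dead directive under the default `Protocol 2`; consider dropping both options. Writing `/etc/ssh/sshd_config` from the activation snippet overwrites the file on every boot and reconfigure and keeps it outside the store; generating it with `plain-file` and passing it with `sshd -f` (as Ludo did when pushing) keeps it versioned with the system generation and lets a malformed configuration fail at build time. Finally, the `-\f` line removes the form-feed section separator used throughout this file; keep it before the new `;;; OpenSSH.` header.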
* Re: [PATCH] openssh service
From: Ludovic Courtès @ 2016-09-29 21:15 UTC
To: Julien Lepiller; +Cc: guix-devel

Hi Julien,

Julien Lepiller <julien@lepiller.eu> skribis:

> Sorry for the delay, here is a new version of the patch.
>
> Meanwhile, sysconfdir was set to /etc, but I changed this for /etc/ssh,
> because openssh looks for its configuration and other files (about 10)
> directly in sysconfdir, not a subdirectory. Also, I fixed a mistake in
> openssh-service (it was not following what the doc said).

[...]

> From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Fri, 5 Aug 2016 15:20:15 +0200
> Subject: [PATCH] services: Add openssh
>
> * gnu/packages/ssh.scm: Openssh reads its configuration from /etc
> * gnu/services/ssh.scm: Add openssh-service
> * doc/guix.texi (Networking Services): Document 'openssh-services'.

Pushed as 071fbb42a6e2dcdfd566cba9525e6ae6a4dfdc7d with a few changes.
In particular, I changed the config file to be passed as a command-line
option rather than added to /etc/ssh (this is generally preferable.)

Eventually I’d like to document and expose ‘openssh-configuration’.

Thanks!

Ludo’.
* Re: [PATCH] openssh service
From: Ludovic Courtès @ 2016-10-02 22:42 UTC
To: Julien Lepiller; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> Julien Lepiller <julien@lepiller.eu> skribis:

[...]

>> From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
>> From: Julien Lepiller <julien@lepiller.eu>
>> Date: Fri, 5 Aug 2016 15:20:15 +0200
>> Subject: [PATCH] services: Add openssh
>>
>> * gnu/packages/ssh.scm: Openssh reads its configuration from /etc
>> * gnu/services/ssh.scm: Add openssh-service
>> * doc/guix.texi (Networking Services): Document 'openssh-services'.
>
> Pushed as 071fbb42a6e2dcdfd566cba9525e6ae6a4dfdc7d with a few changes.
> In particular, I changed the config file to be passed as a command-line
> option rather than added to /etc/ssh (this is generally preferable.)
>
> Eventually I’d like to document and expose of ‘openssh-configuration’.

Done in d8f3128119d32bcc186c8a1fe15b037bba25b4b8, let me know what you think!

I also added a basic system test in
d5b0c9024ed174907aed4816b2607ada814a035c. It makes sure that sshd is
started and that we can connect to it as root with an empty password, as
specified in the system config.

Ludo’.
* Re: [PATCH] openssh service
From: Ludovic Courtès @ 2016-10-03 16:01 UTC
To: Julien Lepiller; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> I also added a basic system test in
> d5b0c9024ed174907aed4816b2607ada814a035c. It makes sure that sshd is
> started and that we can connect to it as root with an empty password, as
> specified in the system config.

Commit 2b4363891c70bbf641bff8ff0a6fb7526babd5b9 extends the test for
Dropbear. :-)

(lshd is harder to test because it needs keyboard input to generate the
seed, or we’d need to provide it with a dummy seed or something.)

Ludo’.
* Re: [PATCH] openssh service 2016-08-19 14:31 ` Julien Lepiller 2016-08-26 10:51 ` Andy Wingo @ 2016-08-29 15:06 ` Ludovic Courtès 1 sibling, 0 replies; 12+ messages in thread From: Ludovic Courtès @ 2016-08-29 15:06 UTC (permalink / raw) To: Julien Lepiller; +Cc: guix-devel Hi Julien, I just discovered this patch as I go through my backlog, which is fun because I used sshd as an example to illustrate how GuixSD services work just a week ago. :-) Julien Lepiller <julien@lepiller.eu> skribis: > +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @ #:pid-file > + [#:port-number 22] [#:root-login "without-password"] @ > + [#:allow-empty-passwords #f] [#:password-authentication? #t] @ > + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ > + [#:x11-forwarding? #f] [#:protocol-number "2"] I agree with Andy’s latest comments regarding naming. Also, make sure to consistently use question marks for Boolean options, as in #:allow-empty-passwords?. Last thing, I would prefer to expose and document <openssh-configuration>, as is done for Dropbear. We should encourage this style now, IMO. (In commit 39012aab3333868d5ab3b39c95682f95212437e2 I enabled PAM support in OpenSSH, though it’s off by default; maybe in a future patch we can add #:pam-support?.) > --- a/gnu/packages/ssh.scm > +++ b/gnu/packages/ssh.scm 
> @@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.") > ("zlib" ,zlib) > ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' > (arguments > - `(#:test-target "tests" > + `(#:configure-flags `("--sysconfdir=/etc/ssh") > + #:test-target "tests" I committed this part independently as af493726ce16483bd09ed7f73028bab3294131e2. :-) > +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work." @option{-X} and @option{-Y}. These are all cosmetic details. If you prefer I can do it on your behalf, just let me know; otherwise, please send an updated patch. Thank you for your work! Ludo’. ^ permalink raw reply [flat|nested] 12+ messages in thread
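Review bot: in the quoted `@@ -142,7 +142,8 @@` hunk, the inner backquote in `+ `(#:configure-flags `("--sysconfdir=/etc/ssh")` nests a quasiquote inside the already quasiquoted `arguments` list; it only works because package arguments are evaluated again on the build side, and a plain `'("--sysconfdir=/etc/ssh")` is the intended form (the later revision of the patch uses it).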