From: "Clément Lassieur" <clement@lassieur.org>
To: guix-devel@gnu.org
Subject: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 17:37:06 +0100
Message-ID: <20170217163708.10743-1-clement@lassieur.org>

The first patch adds PAM to the OpenSSH service, and enables it by default.
This allows logging in (with a public key) if the account is locked.
Otherwise, one would have to set up a password manually or, say, put '*' in
/etc/shadow (with 'usermod -p'). It matters because accounts created by
GuixSD are locked.

Whether to enable it by default is debatable because it is disabled upstream,
but it is enabled on every distribution I had a look at.

The relevant part of the documentation is:
--8<---------------cut here---------------start------------->8---
UsePAM Enables the Pluggable Authentication Module interface. If set to
yes this will enable PAM authentication using
ChallengeResponseAuthentication and PasswordAuthentication in
addition to PAM account and session module processing for all
authentication types.
Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or ChallengeResponseAuthentication.
If UsePAM is enabled, you will not be able to run sshd(8) as a
non-root user. The default is no.
--8<---------------cut here---------------end--------------->8---
It also explains why I set ChallengeResponseAuthentication to 'no' by default.

The second patch removes the 'RSAAuthentication' option, which causes warnings
because it is deprecated.

Clément Lassieur (2):
  services: openssh: Use PAM in sshd by default.
  services: openssh: remove deprecated 'RSAAuthentication' option.

 gnu/services/ssh.scm | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
--
2.11.1
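
The three points of this cover letter, expressed as a check over an sshd_config text and an /etc/shadow excerpt. This is an added example, not code from the patch series or from Guix. The function names, the sample inputs and the `!` lock marker (the prefix sshd is assumed to test on Linux when UsePAM is off) are assumptions made for the illustration.

```python
# Added example: audit sshd_config text against the points in this cover letter.
import re

DEFAULTS = {  # upstream defaults per sshd_config(5)
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
LOCKED_PREFIX = "!"  # assumption: lock marker sshd tests on Linux without PAM

# Constructed sample inputs (not taken from any real system).
BEFORE = "RSAAuthentication yes\nPasswordAuthentication yes\n"
AFTER = "UsePAM yes\nChallengeResponseAuthentication no\n"
SHADOW = "alice:!:17214::::::\nbob:*:17214::::::\n"


def parse_sshd_config(text):
    """Global options only; keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":  # conditional blocks are out of scope
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts


def audit(config_text, shadow_text=""):
    opts = {**DEFAULTS, **parse_sshd_config(config_text)}
    findings = []
    if "rsaauthentication" in opts:
        findings.append("RSAAuthentication is deprecated; remove it")
    pam = opts["usepam"] == "yes"
    if pam and opts["passwordauthentication"] == "yes" \
            and opts["challengeresponseauthentication"] == "yes":
        findings.append("UsePAM with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled; disable one")
    if not pam:  # without PAM, a locked account cannot log in even with a key
        for entry in shadow_text.splitlines():
            fields = entry.split(":")
            if len(fields) > 1 and fields[1].startswith(LOCKED_PREFIX):
                findings.append(f"{fields[0]}: locked account, public-key "
                                "login refused while UsePAM is off")
    return findings


if __name__ == "__main__":
    print(audit(BEFORE, SHADOW), audit(AFTER, SHADOW))
```
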