From: ng0
Subject: Re: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 17:18:33 +0000
Message-ID: <20170217171833.iazdehmarsnpjvdm@wasp>
In-Reply-To: <20170217163708.10743-1-clement@lassieur.org>
To: Clément Lassieur
Cc: guix-devel@gnu.org

On 17-02-17 17:37:06, Clément Lassieur wrote:
> The first patch adds PAM to OpenSSH service, and enables it by default.

Definitely a good idea. If this is applied I think it should be
communicated if it breaks people's configurations. On the other hand, guix
reconfigure lint already complains if an option is no longer present.
I think notifying about certain changes if they break previous
configurations is nice to have (but not mandatory, just the way I would do
it).

The code looks reasonable, I haven't applied the changes to review it.

> This allows logging in (with a public key) if the account is locked.
> Otherwise, one would have to set up a password manually or, say, put '*' in
> /etc/shadow (with 'usermod -p'). It matters because accounts created by
> GuixSD are locked.
>
> Whether to enable it by default is debatable because it is disabled upstream,
> but it is enabled on every distribution I had a look at.
>
> The relevant part of the documentation is:
>
> --8<---------------cut here---------------start------------->8---
> UsePAM  Enables the Pluggable Authentication Module interface. If set to
>         yes this will enable PAM authentication using
>         ChallengeResponseAuthentication and PasswordAuthentication in
>         addition to PAM account and session module processing for all
>         authentication types.
>
>         Because PAM challenge-response authentication usually serves an
>         equivalent role to password authentication, you should disable
>         either PasswordAuthentication or ChallengeResponseAuthentication.
>
>         If UsePAM is enabled, you will not be able to run sshd(8) as a
>         non-root user. The default is no.
> --8<---------------cut here---------------end--------------->8---
>
> It also explains why I set ChallengeResponseAuthentication to 'no' by default.
>
> The second patch removes the 'RSAAuthentication' option, which causes warnings
> because it is deprecated.
>
> Clément Lassieur (2):
>   services: openssh: Use PAM in sshd by default.
>   services: openssh: remove deprecated 'RSAAuthentication' option.
>
>  gnu/services/ssh.scm | 24 ++++++++++++++++++------
>  1 file changed, 18 insertions(+), 6 deletions(-)
>
> --
> 2.11.1
>
>

--
ng0 -- https://www.inventati.org/patternsinthechaos/
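A small checker for the two sshd_config points discussed in this thread (UsePAM with both password and challenge-response authentication left on, and the deprecated RSAAuthentication keyword), added here as an example; it is not part of the patch series or of Guix. It assumes the upstream defaults of yes for PasswordAuthentication and ChallengeResponseAuthentication, reads options with sshd's first-match rule, and ignores Match blocks.

```shell
# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD the way
# sshd reads it (first non-comment match wins, keyword is case-insensitive),
# or DEFAULT when the file does not set it.  Match blocks are not handled.
sshd_opt() {
    val=$(awk -v k="$2" 'BEGIN { k = tolower(k) }
                         /^[[:blank:]]*#/ { next }
                         tolower($1) == k { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# check_sshd_config FILE: report the two problems the cover letter describes.
# Assumed upstream defaults: UsePAM no, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes.  Exit 0 when clean, 1 otherwise.
check_sshd_config() {
    f=$1; rc=0
    pam=$(sshd_opt "$f" UsePAM no)
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
    if [ "$pam" = yes ] && [ "$pw" = yes ] && [ "$cr" = yes ]; then
        echo "$f: UsePAM yes with PasswordAuthentication and ChallengeResponseAuthentication both on; disable one"
        rc=1
    fi
    if grep -qi '^[[:space:]]*RSAAuthentication' "$f"; then
        echo "$f: deprecated RSAAuthentication option present"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not from the patch): one matching the defaults the
# patch proposes, one with the problems it addresses.
GOOD=$(mktemp) BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
cat >"$BAD" <<'EOF'
# PasswordAuthentication and ChallengeResponseAuthentication left at defaults
usepam yes
RSAAuthentication yes
EOF

check_sshd_config "$GOOD" && echo "$GOOD: ok"
check_sshd_config "$BAD" || echo "$BAD: see findings above"
```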