From: Julien Lepiller
Subject: Re: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 18:45:29 +0100
Message-ID: <20170217184529.3a610d81@lepiller.eu>
References: <20170217163708.10743-1-clement@lassieur.org> <20170217171833.iazdehmarsnpjvdm@wasp>
In-Reply-To: <20170217171833.iazdehmarsnpjvdm@wasp>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

On Fri, 17 Feb 2017 17:18:33 +0000
ng0 wrote:

> On 17-02-17 17:37:06, Clément Lassieur wrote:
> > The first patch adds PAM to OpenSSH service, and enables it by
> > default.
>
> Definitely a good idea. If this is applied I think it should be
> communicated if it breaks people's configurations. On the other hand,
> guix reconfigure lint already complains if an option is no longer
> present.
> I think notifying about certain changes if they break previous
> configurations is nice to have (but not mandatory, just the way I
> would do it).
> The code looks reasonable, I haven't applied the changes to review it.

I haven't applied it either, but it looks good, thank you :) Could you
also document the new fields and remove the documentation for the old
one?

>
> > This allows logging in (with a public key) if the account is locked.
> > Otherwise, one would have to set up a password manually or, say,
> > put '*' in /etc/shadow (with 'usermod -p'). It matters because
> > accounts created by GuixSD are locked.
> >
> > Whether to enable it by default is debatable because it is disabled
> > upstream, but it is enabled on every distribution I had a look at.
> >
> > The relevant part of the documentation is:
> >
> > --8<---------------cut here---------------start------------->8---
> > UsePAM Enables the Pluggable Authentication Module interface. If
> > set to yes this will enable PAM authentication using
> > ChallengeResponseAuthentication and PasswordAuthentication
> > in addition to PAM account and session module processing for all
> > authentication types.
> >
> > Because PAM challenge-response authentication usually
> > serves an equivalent role to password authentication, you should
> > disable either PasswordAuthentication or
> > ChallengeResponseAuthentication.
> >
> > If UsePAM is enabled, you will not be able to run sshd(8)
> > as a non-root user. The default is no.
> > --8<---------------cut here---------------end--------------->8---
> >
> > It also explains why I set ChallengeResponseAuthentication to 'no'
> > by default.
> >
> > The second patch removes the 'RSAAuthentication' option, which
> > causes warnings because it is deprecated.
> >
> > Clément Lassieur (2):
> > services: openssh: Use PAM in sshd by default.
> > services: openssh: remove deprecated 'RSAAuthentication' option.
> >
> > gnu/services/ssh.scm | 24 ++++++++++++++++++------
> > 1 file changed, 18 insertions(+), 6 deletions(-)
> >
> > --
> > 2.11.1
> >
> >
>
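As an added example (not code from the patch set, from Guix or from OpenSSH), the following Python model shows the two sshd behaviours the cover letter relies on: sshd's own locked-account check, which without UsePAM refuses a user whose shadow password field starts with the lock prefix regardless of authentication method (public keys included), and the sshd_config(5) advice quoted above about not leaving both PasswordAuthentication and ChallengeResponseAuthentication on under UsePAM, plus a flag for the deprecated RSAAuthentication keyword. It assumes the Linux lock prefix "!" (OpenSSH's LOCKED_PASSWD_PREFIX in auth.c), the sshd_config(5) defaults of the time (UsePAM no, PasswordAuthentication yes, ChallengeResponseAuthentication yes), and a first-keyword-wins config parse; the sshd_config and /etc/shadow lines are constructed for the example.

```python
"""Model of two sshd behaviours discussed in the thread (added example).

1. allowed_user() in OpenSSH's auth.c: when UsePAM is off, a password
   field beginning with LOCKED_PASSWD_PREFIX ("!" on Linux) makes sshd
   refuse the user before any authentication method runs, public keys
   included.  A field of "*" is only an unusable hash, so the user is
   still allowed, which is why the cover letter suggests 'usermod -p'.
2. sshd_config(5): with UsePAM yes, disable either PasswordAuthentication
   or ChallengeResponseAuthentication, since both go through PAM.
"""
import re

LOCKED_PREFIX = "!"  # assumption: Linux LOCKED_PASSWD_PREFIX

# sshd_config(5) defaults assumed for options the file does not set.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}
DEPRECATED = {"rsaauthentication"}  # protocol 1 option sshd warns about

_LINE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}; first occurrence wins, as in sshd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            opts.setdefault(m.group(1).lower(), m.group(2).strip())
    return opts


def lint(opts):
    """Warnings a reviewer would raise for the parsed sshd options."""
    def get(key):
        return opts.get(key, DEFAULTS[key]).lower()

    warnings = [f"deprecated option {k}" for k in opts if k in DEPRECATED]
    if (get("usepam") == "yes" and get("passwordauthentication") == "yes"
            and get("challengeresponseauthentication") == "yes"):
        warnings.append("UsePAM yes with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled: disable one")
    return warnings


def parse_shadow(text):
    """Map user -> password field from /etc/shadow-style lines."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields[1]
    return entries


def account_allowed(passwd_field, use_pam):
    """Model of the locked-account check in allowed_user()."""
    if not use_pam and passwd_field and passwd_field.startswith(LOCKED_PREFIX):
        return False, "account is locked"
    # With UsePAM yes sshd skips this check and defers to PAM's account stage.
    return True, "ok"


def login_matrix(config_text, shadow_text):
    """Per user: does sshd's pre-auth check let a public-key login proceed?"""
    opts = parse_sshd_config(config_text)
    use_pam = opts.get("usepam", DEFAULTS["usepam"]).lower() == "yes"
    return {user: account_allowed(field, use_pam)[0]
            for user, field in parse_shadow(shadow_text).items()}


# Constructed inputs: a config like the one generated before the patch,
# one reflecting the patch's defaults, and three shadow entries.
SSHD_CONFIG_BEFORE = """\
Protocol 2
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
"""
SSHD_CONFIG_AFTER = """\
Protocol 2
UsePAM yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
"""
SHADOW = """\
root:$6$saltsalt$hashhashhash:17214:0:99999:7:::
alice:!:17214:0:99999:7:::
bob:*:17214:0:99999:7:::
"""

if __name__ == "__main__":
    for name, cfg in (("before", SSHD_CONFIG_BEFORE), ("after", SSHD_CONFIG_AFTER)):
        print(name, "warnings:", lint(parse_sshd_config(cfg)))
        print(name, "pubkey login allowed:", login_matrix(cfg, SHADOW))
```

Running it shows alice (locked with "!") refused under the old configuration while bob ("*") gets through, and everyone allowed once UsePAM is on; it also reports the deprecated RSAAuthentication keyword for the old file and nothing for the new one.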