From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= Subject: [PATCH 1/3] services: openssh: Enable PAM. Date: Thu, 2 Mar 2017 22:06:27 +0100 Message-ID: <20170302210629.6274-1-clement@lassieur.org> References: <87efyfxufb.fsf@lassieur.org> Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:52400) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cjXw2-00013f-Fg for guix-devel@gnu.org; Thu, 02 Mar 2017 16:06:51 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cjXvz-0006fg-B5 for guix-devel@gnu.org; Thu, 02 Mar 2017 16:06:50 -0500 Received: from mail.lassieur.org ([83.152.10.219]:36814) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cjXvz-0006en-1D for guix-devel@gnu.org; Thu, 02 Mar 2017 16:06:47 -0500 Received: from localhost.localdomain (unknown [88.191.118.83]) by mail.lassieur.org (Postfix) with ESMTPSA id D105F6401EF for ; Thu, 2 Mar 2017 22:06:43 +0100 (CET) In-Reply-To: <87efyfxufb.fsf@lassieur.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/services/ssh.scm: (openssh-pam-services): New procedure. (openssh-service-type): Use it to extend PAM-ROOT-SERVICE-TYPE. ()[challenge-response-authentication?]: New field. ()[use-pam?]: New field. (openssh-config-file): Add them. * doc/guix.texi (Networking Services): Document them. --- doc/guix.texi | 16 ++++++++++++++++ gnu/services/ssh.scm | 21 ++++++++++++++++++++- 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index be11096a4..e07c2437a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9170,6 +9170,22 @@ enabled---in other words, @command{ssh} options @option{-X} and @item @code{protocol-number} (default: @code{2}) The SSH protocol number to use. + +@item @code{challenge-response-authentication?} (default: @code{#f}) +Specifies whether challenge response authentication is allowed (e.g. via +PAM). + +@item @code{use-pam?} (default: @code{#t}) +Enables the Pluggable Authentication Module interface. If set to +@code{#t}, this will enable PAM authentication using +@code{challenge-response-authentication?} and +@code{password-authentication?}, in addition to PAM account and session +module processing for all authentication types. + +Because PAM challenge response authentication usually serves an +equivalent role to password authentication, you should disable either +@code{challenge-response-authentication?} or +@code{password-authentication?}. @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 7b2d4a8f0..d5942e6e5 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -277,7 +277,11 @@ The other options should be self-descriptive." (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean (default #f)) (protocol-number openssh-configuration-protocol-number ;integer - (default 2))) + (default 2)) + (challenge-response-authentication? openssh-challenge-response-authentication? + (default #f)) ;Boolean + (use-pam? openssh-configuration-use-pam? + (default #t))) ;Boolean (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) @@ -333,6 +337,12 @@ The other options should be self-descriptive." "yes" "no")) (format port "PidFile ~a\n" #$(openssh-configuration-pid-file config)) + (format port "ChallengeResponseAuthentication ~a\n" + #$(if (openssh-challenge-response-authentication? config) + "yes" "no")) + (format port "UsePAM ~a\n" + #$(if (openssh-configuration-use-pam? config) + "yes" "no")) #t)))) (define (openssh-shepherd-service config) @@ -353,11 +363,20 @@ The other options should be self-descriptive." #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) +(define (openssh-pam-services config) + "Return a list of for sshd with CONFIG." + (list (unix-pam-service + "sshd" + #:allow-empty-passwords? + (openssh-configuration-allow-empty-passwords? config)))) + (define openssh-service-type (service-type (name 'openssh) (extensions (list (service-extension shepherd-root-service-type openssh-shepherd-service) + (service-extension pam-root-service-type + openssh-pam-services) (service-extension activation-service-type openssh-activation) (service-extension account-service-type -- 2.12.0