From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:470:142:3::10]:56255) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1icFRu-0006h2-HR for guix-patches@gnu.org; Tue, 03 Dec 2019 16:11:12 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1icFRo-0004r2-Ht for guix-patches@gnu.org; Tue, 03 Dec 2019 16:11:07 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:35154) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1icFRo-0004mN-Da for guix-patches@gnu.org; Tue, 03 Dec 2019 16:11:04 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1icFRm-0006vQ-99 for guix-patches@gnu.org; Tue, 03 Dec 2019 16:11:02 -0500 Subject: [bug#38478] [PATCH 0/4] "guix deploy" authenticates SSH servers [security] Resent-Message-ID: Received: from eggs.gnu.org ([2001:470:142:3::10]:54432) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1icFR4-0006Mc-E9 for guix-patches@gnu.org; Tue, 03 Dec 2019 16:10:21 -0500 From: Ludovic =?UTF-8?Q?Court=C3=A8s?= Date: Tue, 3 Dec 2019 22:09:58 +0100 Message-Id: <20191203210958.20936-1-ludo@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: 38478@debbugs.gnu.org Cc: Ludovic =?UTF-8?Q?Court=C3=A8s?= Hi! This series allow users to specify the remote host key in used for “guix deploy”, so you can have that under version control and entirely managed by Guix, like “guix offload” does. The second patch fixes a security issue: ‘open-ssh-session’ from (guix ssh), which is used by “guix deploy” and support for “GUIX_DAEMON_SOCKET=ssh://…” in (guix store ssh), would not authenticate the server it’s talking to. Feedback welcome! Ludo’. Ludovic Courtès (4): ssh: Add 'authenticate-server*' and use it for offloading. ssh: Always authenticate the server [security fix]. ssh: 'open-ssh-session' can be passed the expected host key. machine: ssh: can include the host key. doc/guix.texi | 12 +++++++ gnu/machine/ssh.scm | 9 ++++-- guix/scripts/offload.scm | 30 ++--------------- guix/ssh.scm | 69 ++++++++++++++++++++++++++++++++++++++-- 4 files changed, 87 insertions(+), 33 deletions(-) -- 2.24.0