From: Leo Famulari <leo@famulari.name>
To: 37309@debbugs.gnu.org
Subject: bug#37309: [PATCH] services: openssh: Restrict to IPv4.
Date: Tue, 3 Dec 2019 15:12:51 -0500
Message-ID: <180aa2dee4e1da7fe915c85b90b1f60edd04f23d.1575403967.git.leo@famulari.name>
In-Reply-To: <87ef0u2867.fsf@roquette.mug.biscuolo.net>
This works around <https://issues.guix.info/issue/30993>.
* gnu/services/ssh.scm (<openssh-configuration>)[address-family]: New field.
(openssh-config-file): Use it.
* doc/guix.texi: Document it.
---
doc/guix.texi | 10 ++++++++++
gnu/services/ssh.scm | 16 +++++++++++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 39eb25385c..cf0e141baf 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -13913,6 +13913,16 @@ This is a symbol specifying the logging level: @code{quiet}, @code{fatal},
@code{error}, @code{info}, @code{verbose}, @code{debug}, etc. See the man
page for @file{sshd_config} for the full list of level names.
+@item @code{address-family} (default: @code{'inet})
+This is a symbol specifying which type of internet addresses should be
+handled by @command{sshd}. The options are @code{inet} (IPv4),
+@code{inet6} (IPv6), or @code{any}, which selects both @code{inet} and
+@code{inet6}. The upstream default in @code{any}. However, we
+currently default to @code{inet} due to a nondeterministic
+@command{sshd} startup failure when using IPv6 on Guix. See
+@uref{https://issues.guix.info/issue/30993, the bug report} for more
+information on this temporary limitation.
+
@item @code{extra-content} (default: @code{""})
This field can be used to append arbitrary text to the configuration file. It
is especially useful for elaborate configurations that cannot be expressed
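Review bot: typo in the new @item text, "The upstream default in @code{any}" should read "The upstream default is @code{any}". Since this default departs from upstream, the paragraph should also say explicitly that hosts reached over IPv6 must set @code{address-family} to @code{'any} (or @code{'inet6}) to keep SSH access after the change, otherwise an operator reading only "default: @code{'inet}" may not realise the listener on :: silently disappears.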
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index d2dbb8f80d..7e25810eff 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2019 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2019 Leo Famulari <leo@famulari.name>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -340,7 +341,16 @@ The other options should be self-descriptive."
;; proposed in <https://bugs.gnu.org/27155>. Keep it internal/undocumented
;; for now.
(%auto-start? openssh-auto-start?
- (default #t)))
+ (default #t))
+
+ ;; Symbol
+ ;; XXX: This shouldn't be required, but due to limitations with IPv6
+ ;; on Guix, sshd often fails to start when it attempts to bind to both
+ ;; 0.0.0.0 and ::, because the IPv6 interface is not ready in time.
+ ;; Accepted options are inet (IPv4), inet6 (IPv6), or any (both).
+ ;; <https://issues.guix.info/issue/30993>
+ (address-family openssh-configuration-address-family
+ (default 'inet)))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
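Review bot: the new address-family field accepts any symbol without validation, even though the comment documents exactly three accepted values. A mistyped value such as 'ipv4 is written verbatim into sshd_config, and sshd then refuses to start, which reproduces the boot-time failure this patch is meant to work around. Consider a field sanitizer in the style used elsewhere in Guix records, e.g. `(sanitize (lambda (value) (unless (memq value '(inet inet6 any)) (error "invalid address-family" value)) value))`, so the error surfaces at configuration time rather than at boot.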
@@ -468,6 +478,10 @@ of user-name/file-like tuples."
(symbol->string
(openssh-configuration-log-level config))))
+ (format port "AddressFamily ~a\n"
+ #$(symbol->string
+ (openssh-configuration-address-family config)))
+
;; Add '/etc/authorized_keys.d/%u', which we populate.
(format port "AuthorizedKeysFile \
.ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n")
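Review bot: sshd rejects a configuration in which AddressFamily appears after a ListenAddress directive, so the position of this `format` call is significant; the documentation hunk states that extra-content is appended to the file, so any ListenAddress a user adds there must come after this line, and that ordering should be confirmed in the generated file rather than assumed. The interpolation also writes `(symbol->string ...)` into the directive unchecked; that is only safe if the field itself is restricted to inet, inet6 or any, so this line depends on validation being added where the field is defined.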
--
2.24.0