From: Leo Famulari <leo@famulari.name>
To: David Craven <david@craven.ch>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 2/2] services: Add 'dropbear-service'.
Date: Thu, 7 Jul 2016 13:25:17 -0400
Message-ID: <20160707172517.GA5283@jasmine>
In-Reply-To: <20160704205616.11599-2-david@craven.ch>

On Mon, Jul 04, 2016 at 10:56:16PM +0200, David Craven wrote:
> * gnu/services/ssh.scm (dropbear-service, ...): New variables.
> * doc/guix.texi: New node.

I noticed in another thread you said something like "dropbear-service
[...] works without rngd service" [0]. Can you clarify what you mean?
Do you mean that it does not have the same behavior as LSH, which waits
for *something* before deciding it has enough entropy to create a host
key?

If so, what does Dropbear do? How does it get random numbers to generate
the host key?

I ask because, in my opinion, LSH's behaviour is annoying but desired.
Generating keys immediately after first boot without taking special care
of the kernel's RNG is, in my limited understanding, not a good idea.

[0]
https://lists.gnu.org/archive/html/help-guix/2016-07/msg00061.html

> ---
>  doc/guix.texi        |  25 ++++++++++++-
>  gnu/services/ssh.scm | 104 +++++++++++++++++++++++++++++++++++++++++++++++++--
>  2 files changed, 124 insertions(+), 5 deletions(-)
> 
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 62c0d34..377004f 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -7695,7 +7695,7 @@ In addition, @var{extra-settings} specifies a string to append to the
>  configuration file.
>  @end deffn
>  
> -Furthermore, @code{(gnu services ssh)} provides the following service.
> +Furthermore, @code{(gnu services ssh)} provides the following services.
>  
>  @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
>         [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
> @@ -7733,6 +7733,29 @@ root.
>  The other options should be self-descriptive.
>  @end deffn
>  
> +@deffn {Scheme Procedure} dropbear-service [#:host-key "/etc/dropbear/dropbear_ecdsa_host-key"] @
> +       [#:port-number 22] [#:allow-empty-passwords? #f] @
> +       [#:root-login? #f] [#:password-authentication? #t] @
> +       [#:syslog-output? #t] [#:initialize? #t]
> +Run the @command{dropbear} program from @var{dropbear} to listen on port @var{port-number}.
> +@var{host-key} must designate a file containing the host key, and readable
> +only by root.
> +
> +By default dropbear logs its output to syslogd, unless one sets
> +@var{syslog-output?} to false. This also makes dropbear-service depend
> +on existence of syslogd service.
> +
> +When @var{initialize?} is true, @command{dropbear} automatically generates the
> +host key upon service activation if it does not exist yet.
> +When @var{initialize?} is false, it is up to create a key pair with the private
> +key stored in file @var{host-key}. For more information consult the
> +@command{dropbearkey} man pages.
> +
> +@var{allow-empty-passwords?} specifies whether to accept log-ins with empty
> +passwords, and @var{root-login?} specifies whether to accept log-ins as
> +root.
> +@end deffn
> +
>  @defvr {Scheme Variable} %facebook-host-aliases
>  This variable contains a string for use in @file{/etc/hosts}
>  (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}).  Each
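Review bot: the default in the @deffn line, /etc/dropbear/dropbear_ecdsa_host-key, does not match the default the procedure actually uses further down in this patch, /etc/dropbear/dropbear_ecdsa_host_key (hyphen vs. underscore); pick one and use it in both places. The signature also omits #:dropbear and #:pid-file, which dropbear-service accepts, and @var{password-authentication?} is never explained although the -s/-g mapping is the option a user most needs to know about. "When @var{initialize?} is false, it is up to create a key pair" is missing its subject ("it is up to the user to create"). Also, the text says the key file must be "readable only by root", but nothing in the activation code sets permissions; either say that the operator must set the mode or set a restrictive umask before running dropbearkey. Finally, it is the activation snippet, not @command{dropbear}, that generates the key when @var{initialize?} is true, so "@command{dropbear} automatically generates the host key" is misleading.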
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 1eb9382..13a5df1 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -17,14 +17,15 @@
>  ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
>  
>  (define-module (gnu services ssh)
> -  #:use-module (guix gexp)
> -  #:use-module (guix records)
> +  #:use-module (gnu packages ssh)
>    #:use-module (gnu services)
>    #:use-module (gnu services shepherd)
>    #:use-module (gnu system pam)
> -  #:use-module (gnu packages ssh)
> +  #:use-module (guix gexp)
> +  #:use-module (guix records)
>    #:use-module (srfi srfi-26)
> -  #:export (lsh-service))
> +  #:export (dropbear-service
> +            lsh-service))
>  
>  ;;; Commentary:
>  ;;;
> @@ -235,4 +236,99 @@ The other options should be self-descriptive."
>                                 public-key-authentication?)
>                                (initialize? initialize?))))
>  
> +;;;
> +;;; Dropbear ssh server
> +;;;
> +
> +(define-record-type* <dropbear-configuration>
> +  dropbear-configuration make-dropbear-configuration
> +  dropbear-configuration?
> +  (dropbear dropbear-configuration-dropbear
> +            (default dropbear))
> +  (host-key dropbear-configuration-host-key)
> +  (port-number dropbear-configuration-port-number)
> +  (syslog-output? dropbear-configuration-syslog-output?)
> +  (pid-file dropbear-configuration-pid-file)
> +  (root-login? dropbear-configuration-root-login?)
> +  (allow-empty-passwords? dropbear-configuration-allow-empty-passwords?)
> +  (password-authentication? dropbear-configuration-password-authentication?)
> +  (initialize? dropbear-configuration-initialize?))
> +
> +(define (dropbear-initialization dropbear host-key)
> +  "Return the gexp to initialize the dropbear service for HOST-KEY."
> +  #~(begin
> +    (unless (file-exists? #$host-key)
> +      (mkdir-p (dirname #$host-key))
> +      (format #t "creating SSH host key '~a'...~%" #$host-key)
> +      (system* (string-append #$dropbear "/bin/dropbearkey")
> +                "-t" "ecdsa" "-f" #$host-key))))
> +
> +(define (dropbear-activation config)
> +  "Return the activation gexp for CONFIG."
> +  #~(begin
> +      #$(if (dropbear-configuration-initialize? config)
> +            (dropbear-initialization
> +              (dropbear-configuration-dropbear config)
> +              (dropbear-configuration-host-key config))
> +            #t)))
> +
> +(define (dropbear-shepherd-service config)
> +  "Return a <shepherd-service> for dropbear with CONFIG."
> +  (define dropbear (dropbear-configuration-dropbear config))
> +
> +  (define dropbear-command
> +    (append
> +      (list
> +        #~(string-append #$dropbear "/sbin/dropbear") "-F"
> +        "-p" (number->string (dropbear-configuration-port-number config))
> +        "-P" (dropbear-configuration-pid-file config)
> +        "-r" (dropbear-configuration-host-key config))
> +      (if (dropbear-configuration-syslog-output? config) '() '("-E"))
> +      (if (dropbear-configuration-root-login? config) '() '("-w"))
> +      (if (dropbear-configuration-password-authentication? config) '() '("-s" "-g"))
> +      (if (dropbear-configuration-allow-empty-passwords? config) '("-B") '())))
> +
> +  (define requires
> +    (if (dropbear-configuration-syslog-output? config)
> +        '(networking syslogd)
> +        '(networking)))
> +
> +  (list (shepherd-service
> +    (documentation "Dropbear ssh server")
> +    (requirement requires)
> +    (provision '(ssh-daemon))
> +    (start #~(make-forkexec-constructor #$@dropbear-command))
> +    (stop #~(make-kill-destructor)))))
> +
> +(define dropbear-service-type
> +  (service-type (name 'dropbear)
> +    (extensions
> +      (list (service-extension shepherd-root-service-type
> +                               dropbear-shepherd-service)
> +            (service-extension activation-service-type
> +                               dropbear-activation)))))
> +
> +(define* (dropbear-service #:key
> +  (dropbear dropbear)
> +  (host-key "/etc/dropbear/dropbear_ecdsa_host_key")
> +  (port-number 22)
> +  (allow-empty-passwords? #f)
> +  (root-login? #f)
> +  (syslog-output? #t)
> +  (pid-file "/var/run/dropbear.pid")
> +  (password-authentication? #t)
> +  (initialize? #t))
> +  "Run the @command{dropbear} daemon from @var{dropbear} to start a ssh server."
> +  (service dropbear-service-type
> +    (dropbear-configuration
> +      (dropbear dropbear)
> +      (host-key host-key)
> +      (port-number port-number)
> +      (allow-empty-passwords? allow-empty-passwords?)
> +      (root-login? root-login?)
> +      (syslog-output? syslog-output?)
> +      (pid-file pid-file)
> +      (password-authentication? password-authentication?)
> +      (initialize? initialize?))))
> +
>  ;;; ssh.scm ends here
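Review bot: dropbear-initialization discards the exit status of system*, so a failed dropbearkey run (binary missing, /etc/dropbear not writable) leaves no key and no error, and the daemon is then started with "-r" pointing at a file that does not exist; check (zero? (status:exit-val (system* ...))) and signal an error otherwise. Because this runs from the activation service, the key is generated as soon as activation reaches it at first boot with no wait for the kernel RNG to be seeded, which is the concern raised above; consider gating the dropbearkey call on RNG readiness or using dropbear's own -R flag, which creates a missing host key on demand rather than at boot. Neither mkdir-p nor dropbearkey here runs under a restrictive umask, so the "readable only by root" requirement stated in the manual is not enforced; add (umask #o077) before creating the directory and key. Minor: the fields under (list (shepherd-service are indented by four spaces rather than aligned under shepherd-service as elsewhere in this file, and the #t branch in dropbear-activation could simply be omitted by emitting the initialization gexp only when initialize? is set.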
> -- 
> 2.9.0
> 

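The worry raised above is that a host key generated during activation at first boot may be produced before the kernel has collected enough entropy. As an added illustration, not part of this patch or of Guix, the following C program uses getrandom(2) with no flags, which blocks until the kernel's CRNG reports itself seeded (the "wait for something" behaviour), and only then spawns dropbearkey; reading /dev/urandom would return data regardless. The dropbearkey path, the key path, the 0700 directory creation and the fork/exec wrapper are assumptions for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Probe the kernel RNG without blocking: 1 = seeded, 0 = not yet, -1 = error. */
int rng_is_seeded(void)
{
    unsigned char probe;
    ssize_t n = getrandom(&probe, 1, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Fill BUF with LEN bytes, blocking until the kernel CRNG is seeded.
 * Returns LEN on success, -1 on error; handles short reads and EINTR. */
ssize_t rng_fill_blocking(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Wait for the RNG via the blocking path and sanity-check the output.
 * Returns 1 when 32 bytes were obtained and they are not all zero. */
int rng_ready_sample(void)
{
    unsigned char sample[32];
    unsigned acc = 0;
    if (rng_fill_blocking(sample, sizeof sample) != (ssize_t)sizeof sample)
        return 0;
    for (size_t i = 0; i < sizeof sample; i++)
        acc |= sample[i];
    return acc != 0;
}

/* Create the parent directory of KEY_PATH with mode 0700 if it is missing. */
static int ensure_parent_dir(const char *key_path)
{
    char copy[PATH_MAX];
    if (strlen(key_path) >= sizeof copy)
        return -1;
    strcpy(copy, key_path);
    if (mkdir(dirname(copy), 0700) == 0 || errno == EEXIST)
        return 0;
    return -1;
}

/* Generate an ECDSA host key with DROPBEARKEY at KEY_PATH, but only after the
 * kernel RNG is seeded.  Returns 0 if the key exists or was created, -1 otherwise.
 * Both paths are caller-supplied assumptions; an existing key is never replaced. */
int generate_host_key_when_ready(const char *dropbearkey, const char *key_path)
{
    if (access(key_path, F_OK) == 0)
        return 0;
    if (!rng_ready_sample())              /* blocks here until the CRNG is ready */
        return -1;
    if (ensure_parent_dir(key_path) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        umask(077);                       /* private key readable by owner only */
        execl(dropbearkey, dropbearkey, "-t", "ecdsa", "-f", key_path, (char *)NULL);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *bin = argc > 1 ? argv[1] : "/usr/bin/dropbearkey";
    const char *key = argc > 2 ? argv[2] : "/etc/dropbear/dropbear_ecdsa_host_key";
    printf("kernel RNG seeded now: %d\n", rng_is_seeded());
    int rc = generate_host_key_when_ready(bin, key);
    printf("host key %s: %s\n", key, rc == 0 ? "present" : "not created");
    return rc == 0 ? 0 : 1;
}
```

Run it as root with the dropbearkey path and the key path as arguments; on a freshly booted machine the call inside generate_host_key_when_ready stalls until the kernel reports the CRNG seeded, whereas an activation snippet that calls dropbearkey directly proceeds immediately. Using execl with a fixed argument vector rather than system() also keeps a key path containing shell metacharacters from being interpreted.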

Thread overview: 20+ messages
2016-07-04 20:56 [PATCH 1/2] gnu: lsh: Move to (gnu packages ssh) David Craven
2016-07-04 20:56 ` [PATCH 2/2] services: Add 'dropbear-service' David Craven
2016-07-07 17:25   ` Leo Famulari [this message]
2016-07-07 17:54     ` David Craven
2016-07-09 14:39       ` David Craven
2016-07-09 18:32         ` Leo Famulari
2016-07-09 21:31           ` David Craven
2016-07-09 22:41     ` Leo Famulari
2016-07-09 22:43       ` Leo Famulari
2016-07-09 23:03         ` David Craven
2016-07-09 23:34           ` David Craven
2016-07-11  8:33         ` Ludovic Courtès
2016-07-13 13:09           ` David Craven
2016-07-13 15:58             ` David Craven
2016-07-13 16:25               ` David Craven
2016-07-05  6:01 ` [PATCH 1/2] gnu: lsh: Move to (gnu packages ssh) Efraim Flashner
2016-07-05  6:24   ` Efraim Flashner
2016-07-05 11:47     ` David Craven
  -- strict thread matches above, loose matches on Subject: below --
2016-07-13 16:13 [PATCH 0/2] Dropbear service take two David Craven
2016-07-13 16:13 ` [PATCH 2/2] services: Add 'dropbear-service' David Craven
2016-07-15 16:00   ` Ludovic Courtès