From: Leo Famulari <leo@famulari.name>
To: David Craven <david@craven.ch>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH 2/2] services: Add 'dropbear-service'.
Date: Thu, 7 Jul 2016 13:25:17 -0400 [thread overview]
Message-ID: <20160707172517.GA5283@jasmine> (raw)
In-Reply-To: <20160704205616.11599-2-david@craven.ch>
On Mon, Jul 04, 2016 at 10:56:16PM +0200, David Craven wrote:
> * gnu/services/ssh.scm (dropbear-service, ...): New variables.
> * doc/guix.texi: New node.
I noticed in another thread you said something like "dropbear-service
[...] works without rngd service" [0]. Can you clarify what you mean?
Do you mean that it does not have the same behavior as LSH, which waits
for *something* before deciding it has enough entropy to create a host
key?
If so, what does Dropbear do? How does it get random numbers to generate
the host key?
I ask because, in my opinion, LSH's behaviour is annoying but desired.
Generating keys immediately after first boot without taking special care
of the kernel's RNG is, in my limited understanding, not a good idea.
[0]
https://lists.gnu.org/archive/html/help-guix/2016-07/msg00061.html
> ---
> doc/guix.texi | 25 ++++++++++++-
> gnu/services/ssh.scm | 104 +++++++++++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 124 insertions(+), 5 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index 62c0d34..377004f 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -7695,7 +7695,7 @@ In addition, @var{extra-settings} specifies a string to append to the
> configuration file.
> @end deffn
>
> -Furthermore, @code{(gnu services ssh)} provides the following service.
> +Furthermore, @code{(gnu services ssh)} provides the following services.
>
> @deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @
> [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @
> @@ -7733,6 +7733,29 @@ root.
> The other options should be self-descriptive.
> @end deffn
>
> +@deffn {Scheme Procedure} dropbear-service [#:host-key "/etc/dropbear/dropbear_ecdsa_host-key"] @
> + [#:port-number 22] [#:allow-empty-passwords? #f] @
> + [#:root-login? #f] [#:password-authentication? #t] @
> + [#:syslog-output? #t] [#:initialize? #t]
> +Run the @command{dropbear} program from @var{dropbear} to listen on port @var{port-number}.
> +@var{host-key} must designate a file containing the host key, and readable
> +only by root.
> +
> +By default dropbear logs its output to syslogd, unless one sets
> +@var{syslog-output?} to false. This also makes dropbear-service depend
> +on existence of syslogd service.
> +
> +When @var{initialize?} is true, @command{dropbear} automatically generates the
> +host key upon service activation if it does not exist yet.
> +When @var{initialize?} is false, it is up to create a key pair with the private
> +key stored in file @var{host-key}. For more information consult the
> +@command{dropbearkey} man pages.
> +
> +@var{allow-empty-passwords?} specifies whether to accept log-ins with empty
> +passwords, and @var{root-login?} specifies whether to accept log-ins as
> +root.
> +@end deffn
> +
> @defvr {Scheme Variable} %facebook-host-aliases
> This variable contains a string for use in @file{/etc/hosts}
> (@pxref{Host Names,,, libc, The GNU C Library Reference Manual}). Each
> diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
> index 1eb9382..13a5df1 100644
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -17,14 +17,15 @@
> ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
>
> (define-module (gnu services ssh)
> - #:use-module (guix gexp)
> - #:use-module (guix records)
> + #:use-module (gnu packages ssh)
> #:use-module (gnu services)
> #:use-module (gnu services shepherd)
> #:use-module (gnu system pam)
> - #:use-module (gnu packages ssh)
> + #:use-module (guix gexp)
> + #:use-module (guix records)
> #:use-module (srfi srfi-26)
> - #:export (lsh-service))
> + #:export (dropbear-service
> + lsh-service))
>
> ;;; Commentary:
> ;;;
> @@ -235,4 +236,99 @@ The other options should be self-descriptive."
> public-key-authentication?)
> (initialize? initialize?))))
>
> +;;;
> +;;; Dropbear ssh server
> +;;;
> +
> +(define-record-type* <dropbear-configuration>
> + dropbear-configuration make-dropbear-configuration
> + dropbear-configuration?
> + (dropbear dropbear-configuration-dropbear
> + (default dropbear))
> + (host-key dropbear-configuration-host-key)
> + (port-number dropbear-configuration-port-number)
> + (syslog-output? dropbear-configuration-syslog-output?)
> + (pid-file dropbear-configuration-pid-file)
> + (root-login? dropbear-configuration-root-login?)
> + (allow-empty-passwords? dropbear-configuration-allow-empty-passwords?)
> + (password-authentication? dropbear-configuration-password-authentication?)
> + (initialize? dropbear-configuration-initialize?))
> +
> +(define (dropbear-initialization dropbear host-key)
> + "Return the gexp to initialize the dropbear service for HOST-KEY."
> + #~(begin
> + (unless (file-exists? #$host-key)
> + (mkdir-p (dirname #$host-key))
> + (format #t "creating SSH host key '~a'...~%" #$host-key)
> + (system* (string-append #$dropbear "/bin/dropbearkey")
> + "-t" "ecdsa" "-f" #$host-key))))
> +
> +(define (dropbear-activation config)
> + "Return the activation gexp for CONFIG."
> + #~(begin
> + #$(if (dropbear-configuration-initialize? config)
> + (dropbear-initialization
> + (dropbear-configuration-dropbear config)
> + (dropbear-configuration-host-key config))
> + #t)))
> +
> +(define (dropbear-shepherd-service config)
> + "Return a <shepherd-service> for dropbear with CONFIG."
> + (define dropbear (dropbear-configuration-dropbear config))
> +
> + (define dropbear-command
> + (append
> + (list
> + #~(string-append #$dropbear "/sbin/dropbear") "-F"
> + "-p" (number->string (dropbear-configuration-port-number config))
> + "-P" (dropbear-configuration-pid-file config)
> + "-r" (dropbear-configuration-host-key config))
> + (if (dropbear-configuration-syslog-output? config) '() '("-E"))
> + (if (dropbear-configuration-root-login? config) '() '("-w"))
> + (if (dropbear-configuration-password-authentication? config) '() '("-s" "-g"))
> + (if (dropbear-configuration-allow-empty-passwords? config) '("-B") '())))
> +
> + (define requires
> + (if (dropbear-configuration-syslog-output? config)
> + '(networking syslogd)
> + '(networking)))
> +
> + (list (shepherd-service
> + (documentation "Dropbear ssh server")
> + (requirement requires)
> + (provision '(ssh-daemon))
> + (start #~(make-forkexec-constructor #$@dropbear-command))
> + (stop #~(make-kill-destructor)))))
> +
> +(define dropbear-service-type
> + (service-type (name 'dropbear)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + dropbear-shepherd-service)
> + (service-extension activation-service-type
> + dropbear-activation)))))
> +
> +(define* (dropbear-service #:key
> + (dropbear dropbear)
> + (host-key "/etc/dropbear/dropbear_ecdsa_host_key")
> + (port-number 22)
> + (allow-empty-passwords? #f)
> + (root-login? #f)
> + (syslog-output? #t)
> + (pid-file "/var/run/dropbear.pid")
> + (password-authentication? #t)
> + (initialize? #t))
> + "Run the @command{dropbear} daemon from @var{dropbear} to start a ssh server."
> + (service dropbear-service-type
> + (dropbear-configuration
> + (dropbear dropbear)
> + (host-key host-key)
> + (port-number port-number)
> + (allow-empty-passwords? allow-empty-passwords?)
> + (root-login? root-login?)
> + (syslog-output? syslog-output?)
> + (pid-file pid-file)
> + (password-authentication? password-authentication?)
> + (initialize? initialize?))))
> +
> ;;; ssh.scm ends here
> --
> 2.9.0
>
next prev parent reply other threads:[~2016-07-07 17:25 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-04 20:56 [PATCH 1/2] gnu: lsh: Move to (gnu packages ssh) David Craven
2016-07-04 20:56 ` [PATCH 2/2] services: Add 'dropbear-service' David Craven
2016-07-07 17:25 ` Leo Famulari [this message]
2016-07-07 17:54 ` David Craven
2016-07-09 14:39 ` David Craven
2016-07-09 18:32 ` Leo Famulari
2016-07-09 21:31 ` David Craven
2016-07-09 22:41 ` Leo Famulari
2016-07-09 22:43 ` Leo Famulari
2016-07-09 23:03 ` David Craven
2016-07-09 23:34 ` David Craven
2016-07-11 8:33 ` Ludovic Courtès
2016-07-13 13:09 ` David Craven
2016-07-13 15:58 ` David Craven
2016-07-13 16:25 ` David Craven
2016-07-05 6:01 ` [PATCH 1/2] gnu: lsh: Move to (gnu packages ssh) Efraim Flashner
2016-07-05 6:24 ` Efraim Flashner
2016-07-05 11:47 ` David Craven
-- strict thread matches above, loose matches on Subject: below --
2016-07-13 16:13 [PATCH 0/2] Dropbear service take two David Craven
2016-07-13 16:13 ` [PATCH 2/2] services: Add 'dropbear-service' David Craven
2016-07-15 16:00 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160707172517.GA5283@jasmine \
--to=leo@famulari.name \
--cc=david@craven.ch \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.