From: Julien Lepiller
Subject: Re: [PATCH] openssh service
Date: Mon, 26 Sep 2016 18:42:19 +0200
Message-ID: <20160926184219.56cfe149@polymos>
In-Reply-To: <8737lrby5v.fsf@igalia.com>
To: guix-devel
List-Id: "Development of GNU Guix and the GNU System distribution."

On Fri, 26 Aug 2016 12:51:56 +0200 Andy Wingo wrote:

> Hi Julien,
>
> Thanks for the documentation update!
>
> On Fri 19 Aug 2016 16:31, Julien Lepiller writes:
>
> > +@deffn {Scheme Procedure} openssh-service [#:pidfile
> > "/var/run/sshd.pid"] @
> > + [#:port-number 22] [#:root-login "without-password"] @
> > + [#:allow-empty-passwords #f] [#:password-authentication?
> > #t] @
> > + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
> > + [#:x11-forwarding? #f] [#:protocol-number "2"]
> > +"Run the @command{sshd} program from @var{openssh} on port
> > @var{port-number}. +@command{sshd} runs an ssh daemon and writes
> > its PID to @var{pidfile}. It +understands ssh protocol
> > @var{protocol-number}. The @var{protocol-number} can +be one of
> > \"1\", \"2\" or \"1,2\". +
> > +@var{PermitRootLogin} takes one of @var{yes},
> > @var{without-password} and +@var{no}. It is used to allow root
> > login through ssh. @var{without-password} +means that root login is
> > allowed, except when loging with a password (eg: a +public key).
>
> The variable needs to be changed to @var{root-login} (and I think
> probably @var{permit-root-login} would be more expected), and probably
> "without-password" should be a symbol rather than a string. In
> general I think naming the keywords after the upstream options is
> going to be the least confusing thing for users. Consider changing
> from yes/no/without-password to #t/#f/without-password, and renaming
> the option to #:permit-root-login?. Consider requiring that the
> protocol number be either 1 or 2. In general we want to make errors
> happen early, when building the OS, rather than when the OS is booted.
Sorry for the delay, here is a new version of the patch. Meanwhile,
sysconfdir was set to /etc, but I changed this to /etc/ssh, because
openssh looks for its configuration and other files (about 10) directly
in sysconfdir, not in a subdirectory. Also, I fixed a mistake in
openssh-service (it was not following what the doc said).

> WDYT?
>
> Andy

Content-Type: text/x-patch
Content-Disposition: attachment; filename=0001-services-Add-openssh.patch

From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
From: Julien Lepiller
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh

* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
* doc/guix.texi (Networking Services): Document 'openssh-services'.
---
 doc/guix.texi        |  34 ++++++++++++++
 gnu/packages/ssh.scm |   2 +-
 gnu/services/ssh.scm | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 161 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 808fbdc..bcd8b6b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8199,6 +8199,40 @@ root. The other options should be self-descriptive. @end deffn +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @ + [#:port-number 22] [#:permit-root-login 'without-password] @ + [#:allow-empty-passwords #f] [#:password-authentication? #t] @ + [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @ + [#:x11-forwarding? #f] [#:protocol-number "2"] +"Run the @command{sshd} program from @var{openssh} on port @var{port-number}. +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can +be either 1 or 2. + +@var{permit-root-login} takes one of @var{yes}, @var{without-password} and +@var{no}. It is used to allow root login through ssh. @var{without-password} +means that root login is allowed, except when loging with a password (eg: a +public key). + +When @var{allow-empty-passwords?} is true, users with empty passwords may log +in. When false, they may not. + +When @var{password-authentication?} is true, users may log in with their +password. When false, they have to use other means of authentication. + +When @var{pubkey-authentication?} is true, users may log in using public key +authentication. When false, users have to use other means of authentication. +Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only +by protocol 2. + +When @var{rsa-authentication?} is true, users may log in using pure RSA +authentication. When false, users have to use other means of authentication. +This is used only by protocol 1. + +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work. + +@end deffn + @deffn {Scheme Procedure} dropbear-service [@var{config}] Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH daemon} with the given @var{config}, a @code{} diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm index b2612a4..88bfd06 100644 --- a/gnu/packages/ssh.scm 
+++ b/gnu/packages/ssh.scm @@ -144,7 +144,7 @@ a server that supports the SSH-2 protocol.") ("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y' (arguments `(#:test-target "tests" - #:configure-flags '("--sysconfdir=/etc" + #:configure-flags '("--sysconfdir=/etc/ssh" ;; Default value of 'PATH' used by sshd. "--with-default-path=/run/current-system/profile/bin" diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 462988c..5484463 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -19,9 +19,11 @@ (define-module (gnu services ssh) #:use-module (gnu packages ssh) + #:use-module (gnu packages admin) #:use-module (gnu services) #:use-module (gnu services shepherd) #:use-module (gnu system pam) + #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix records) #:use-module (srfi srfi-26) @@ -30,6 +32,11 @@ lsh-service lsh-service-type + openssh-configuration + openssh-configuration? + openssh-service-type + openssh-service + dropbear-configuration dropbear-configuration? dropbear-service-type 
@@ -244,7 +251,125 @@ The other options should be self-descriptive." public-key-authentication?) (initialize? initialize?)))) - +;;; +;;; OpenSSH. +;;; + +(define-record-type* + openssh-configuration make-openssh-configuration + openssh-configuration? + (pidfile openssh-configuration-pidfile) + (port-number openssh-configuration-port-number) + (permit-root-login? openssh-configuration-permit-root-login) + (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) + (password-authentication? openssh-configuration-password-authentication?) + (pubkey-authentication? openssh-configuration-pubkey-authentication?) + (rsa-authentication? openssh-configuration-rsa-authentication?) + (x11-forwarding? openssh-configuration-x11-forwarding?) + (protocol-number openssh-configuration-protocol-number)) + +(define %openssh-accounts + (list (user-group (name "sshd") (system? #t)) + (user-account + (name "sshd") + (group "sshd") + (system? #t) + (comment "sshd privilege separation user") + (home-directory "/var/run/sshd") + (shell #~(string-append #$shadow "/sbin/nologin"))))) + +(define (openssh-activation config) + "Return the activation GEXP for CONFIG." + #~(begin + (mkdir-p "/etc/ssh") + (mkdir-p (basename #$(openssh-configuration-pidfile config))) + (system* (string-append #$openssh "/bin/ssh-keygen") "-A") + (call-with-output-file "/etc/ssh/sshd_config" + (lambda (port) + (display + "# Generated by 'openssh-service'.\n" + port) + (format port "Protocol ~a\n" + #$(if (eq? (openssh-configuration-protocol-number config) 1) + "1" "2")) + (format port "Port ~a\n" + #$(number->string (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(if (eq? (openssh-configuration-permit-root-login config) #t) + "yes" (if (eq? + (openssh-configuration-permit-root-login config) + #f) + "no" "without-password"))) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? 
config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-pubkey-authentication? config) + "yes" "no")) + (format port "RSAAuthentication ~a\n" + #$(if (openssh-configuration-rsa-authentication? config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pidfile config)))))) + +(define (openssh-shepherd-service config) + "Return a for openssh with CONFIG." + + (define pid-file + (openssh-configuration-pidfile config)) + + (define openssh-command + #~(list (string-append #$openssh "/sbin/sshd") + "-D")) + + (define requires + '(networking syslogd)) + + (list (shepherd-service + (documentation "Openssh SSH server.") + (requirement requires) + (provision '(ssh-daemon)) + (start #~(make-forkexec-constructor #$openssh-command + #:pid-file #$pid-file)) + (stop #~(make-kill-destructor))))) + +(define openssh-service-type + (service-type (name 'openssh) + (extensions + (list (service-extension shepherd-root-service-type + openssh-shepherd-service) + (service-extension activation-service-type + openssh-activation) + (service-extension account-service-type + (const %openssh-accounts)))))) + +(define* (openssh-service #:key + (pidfile "/var/run/sshd.pid") + (port-number 22) + (permit-root-login? 'without-password) + (allow-empty-passwords? #f) + (password-authentication? #t) + (pubkey-authentication? #t) + (rsa-authentication? #t) + (x11-forwarding? #f) + (protocol-number 2)) + (service openssh-service-type (openssh-configuration (pidfile pidfile) + (port-number port-number) + (permit-root-login? permit-root-login?) + (allow-empty-passwords? allow-empty-passwords?) + (password-authentication? password-authentication?) + (pubkey-authentication? pubkey-authentication?) + (rsa-authentication? 
rsa-authentication?) + (x11-forwarding? x11-forwarding?) + (protocol-number protocol-number)))) + + ;;; ;;; Dropbear. ;;; -- 2.10.0
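Review bot: the doc/guix.texi hunk and the service code disagree on option names and defaults. The @deffn header advertises `#:permit-root-login 'without-password` and `#:protocol-number "2"`, while `openssh-service` in gnu/services/ssh.scm takes `#:permit-root-login?` and defaults `protocol-number` to the number 2; the body refers to `@var{allow-empty-passwords?}` although the header says `#:allow-empty-passwords`, writes `@var{x11-forwarding}` for `#:x11-forwarding?`, and still says `permit-root-login` takes `yes`/`without-password`/`no` when the code expects `#t`/`#f`/`'without-password`. Pick one spelling per option and use it in both files. In the same hunk, the leading quote in `+"Run the @command{sshd} program` is a leftover docstring delimiter, "loging" should be "logging", and the sentence about `without-password` reads backwards: say that root may log in only with a non-password method such as a public key.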
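Review bot: the commit message entry for gnu/packages/ssh.scm still says "Openssh reads its configuration from /etc", but the hunk changes `--sysconfdir=/etc` to `--sysconfdir=/etc/ssh`; update the ChangeLog line to match. It is also worth saying in the message why the change is needed: the activation snippet writes `/etc/ssh/sshd_config` and runs `ssh-keygen -A`, and both only take effect if `/etc/ssh` is the directory sshd actually reads as sysconfdir.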
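Review bot: `(mkdir-p (basename #$(openssh-configuration-pidfile config)))` in `openssh-activation` is wrong: `basename` of "/var/run/sshd.pid" is "sshd.pid", so activation creates a directory named `sshd.pid` relative to the current directory instead of ensuring `/var/run` exists; use `dirname`. In the same procedure, `protocol-number` and `permit-root-login?` are coerced silently (anything other than `1` becomes `Protocol 2`, anything other than `#t`/`#f` becomes `without-password`), so a typo in a user's OS declaration is never reported; Andy asked for the 1-or-2 check to fail at build time, which `openssh-service` (or a field sanitizer on the record) can do by raising an error for any value outside `1`/`2` and `#t`/`#f`/`'without-password`, and since protocol 1 is deprecated upstream the doc should present 2 as the only recommended value. Naming: the record field is `permit-root-login?` but its accessor is `openssh-configuration-permit-root-login`, and as the field holds three values rather than a boolean the `?` suffix misleads; `permit-root-login` everywhere would match the doc hunk. The `sshd` account's home directory is `/var/run/sshd`, yet nothing in the activation creates it; if that path is also sshd's privilege-separation directory it must exist, be root-owned and not be group- or world-writable or sshd refuses to start, so consider a `(mkdir-p "/var/run/sshd")` next to the `/etc/ssh` one. Finally, the return value of `(system* (string-append #$openssh "/bin/ssh-keygen") "-A")` is ignored, so a failed host-key generation only shows up later as sshd failing to start; check it and report the failure from activation.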