From: Clément Lassieur
Subject: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 17:37:06 +0100
Message-ID: <20170217163708.10743-1-clement@lassieur.org>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

The first patch adds PAM to the OpenSSH service, and enables it by default.
This allows logging in (with a public key) if the account is locked.
Otherwise, one would have to set up a password manually or, say, put '*'
in /etc/shadow (with 'usermod -p').  It matters because accounts created
by GuixSD are locked.

Whether to enable it by default is debatable because it is disabled
upstream, but it is enabled on every distribution I had a look at.  The
relevant part of the documentation is:

--8<---------------cut here---------------start------------->8---
UsePAM  Enables the Pluggable Authentication Module interface.  If set to
        yes this will enable PAM authentication using
        ChallengeResponseAuthentication and PasswordAuthentication in
        addition to PAM account and session module processing for all
        authentication types.

        Because PAM challenge-response authentication usually serves an
        equivalent role to password authentication, you should disable
        either PasswordAuthentication or ChallengeResponseAuthentication.

        If UsePAM is enabled, you will not be able to run sshd(8) as a
        non-root user.  The default is no.
--8<---------------cut here---------------end--------------->8---

It also explains why I set ChallengeResponseAuthentication to 'no' by
default.

The second patch removes the 'RSAAuthentication' option, which causes
warnings because it is deprecated.

Clément Lassieur (2):
  services: openssh: Use PAM in sshd by default.
  services: openssh: remove deprecated 'RSAAuthentication' option.

 gnu/services/ssh.scm | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

-- 
2.11.1
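The UsePAM and locked-account interplay the cover letter describes, as an added example that is not part of the patch series or of Guix: a small POSIX shell lint that reads the effective sshd configuration as `sshd -T` prints it (lowercase keyword, value, one per line) and classifies /etc/shadow entries. The `sshd -T` output and the shadow entries below are constructed samples; the `!` lock prefix is the one `usermod -L` writes, and a bare `*` is the cover letter's workaround (no usable password, but not a locked account).

```shell
#!/bin/sh
# Added example: lint an sshd deployment for the UsePAM interplay described in
# the cover letter and in sshd_config(5).  Not part of the Guix patch series.

# Constructed samples of `sshd -T` output, reduced to the three relevant lines.
CFG_PATCHED='usepam yes
challengeresponseauthentication no
passwordauthentication yes'

CFG_UPSTREAM='usepam no
challengeresponseauthentication yes
passwordauthentication yes'

CFG_BOTH_ENABLED='usepam yes
challengeresponseauthentication yes
passwordauthentication yes'

# Constructed /etc/shadow entries (the hash is a placeholder, not a real hash).
SHADOW_LOCKED='alice:!:17214:0:99999:7:::'
SHADOW_STAR='alice:*:17214:0:99999:7:::'
SHADOW_HASHED='alice:$6$saltsalt$constructedhashvalue:17214:0:99999:7:::'

# cfg_value CONFIG KEYWORD -> prints the effective value of KEYWORD ("" if absent)
cfg_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# sshd_lint CONFIG -> prints one finding per line; returns 1 if there is any
sshd_lint() {
    usepam=$(cfg_value "$1" usepam)
    cra=$(cfg_value "$1" challengeresponseauthentication)
    pwa=$(cfg_value "$1" passwordauthentication)
    findings=0
    if [ "$usepam" != yes ]; then
        # The situation the first patch fixes: GuixSD accounts are locked.
        echo "UsePAM is off: locked accounts cannot log in even with a public key"
        findings=1
    elif [ "$cra" = yes ] && [ "$pwa" = yes ]; then
        # sshd_config(5): challenge-response and password auth are equivalent under PAM.
        echo "UsePAM with both PasswordAuthentication and ChallengeResponseAuthentication: disable one of them"
        findings=1
    fi
    return $findings
}

# shadow_state SHADOW_LINE -> locked | nopassword | password
shadow_state() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*) echo locked ;;      # usermod -L prefix
        '*')  echo nopassword ;;  # the cover letter's 'usermod -p' workaround
        *)    echo password ;;
    esac
}

# pubkey_login_expected CONFIG SHADOW_LINE -> yes | no
# With UsePAM off, sshd refuses a locked account regardless of the key offered;
# with UsePAM on, the lock only disables the password, so a key still works.
pubkey_login_expected() {
    if [ "$(cfg_value "$1" usepam)" != yes ] && [ "$(shadow_state "$2")" = locked ]; then
        echo no
    else
        echo yes
    fi
}

# Stand-alone run: lint the samples, then show which accounts can log in by key.
report() {
    printf '%s: ' "$1"
    if sshd_lint "$2"; then echo ok; fi
}
report patched "$CFG_PATCHED"
report upstream-default "$CFG_UPSTREAM"
report both-enabled "$CFG_BOTH_ENABLED"
for entry in "$SHADOW_LOCKED" "$SHADOW_STAR" "$SHADOW_HASHED"; do
    echo "shadow=$(shadow_state "$entry") usepam=no  pubkey_login=$(pubkey_login_expected "$CFG_UPSTREAM" "$entry")"
    echo "shadow=$(shadow_state "$entry") usepam=yes pubkey_login=$(pubkey_login_expected "$CFG_PATCHED" "$entry")"
done
```

On a real host, replace the constructed strings with `sshd -T` output and `getent shadow USER`; the lint needs root for both. Note that `sshd -T` reports the effective values after defaults are applied, so it also catches the case where a distribution's default differs from upstream's.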