From mboxrd@z Thu Jan  1 00:00:00 1970
From: Julien Lepiller <julien@lepiller.eu>
Subject: Re: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 18:45:29 +0100
Message-ID: <20170217184529.3a610d81@lepiller.eu>
References: <20170217163708.10743-1-clement@lassieur.org>
	<20170217171833.iazdehmarsnpjvdm@wasp>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:44757)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <julien@lepiller.eu>) id 1cembc-0008L4-HN
	for guix-devel@gnu.org; Fri, 17 Feb 2017 12:46:05 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <julien@lepiller.eu>) id 1cembY-0005nJ-Jj
	for guix-devel@gnu.org; Fri, 17 Feb 2017 12:46:04 -0500
Received: from dau94-h03-89-91-205-84.dsl.sta.abo.bbox.fr
	([89.91.205.84]:48431 helo=skaro.lepiller.eu)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <julien@lepiller.eu>) id 1cembY-0005n1-5v
	for guix-devel@gnu.org; Fri, 17 Feb 2017 12:46:00 -0500
Received: from localhost (localhost [127.0.0.1])
	by skaro.lepiller.eu (Postfix) with ESMTP id 417A881197
	for <guix-devel@gnu.org>; Fri, 17 Feb 2017 18:45:57 +0100 (CET)
Received: from skaro.lepiller.eu ([127.0.0.1])
	by localhost (lepiller.eu [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id ocxZWYYQBw7Z for <guix-devel@gnu.org>;
	Fri, 17 Feb 2017 18:45:52 +0100 (CET)
Received: from localhost (89-93-157-164.hfc.dyn.abo.bbox.fr [89.93.157.164])
	by skaro.lepiller.eu (Postfix) with ESMTPSA id 51DDC80BDB
	for <guix-devel@gnu.org>; Fri, 17 Feb 2017 18:45:52 +0100 (CET)
In-Reply-To: <20170217171833.iazdehmarsnpjvdm@wasp>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

On Fri, 17 Feb 2017 17:18:33 +0000
ng0 <contact.ng0@cryptolab.net> wrote:

> On 17-02-17 17:37:06, Cl=C3=A9ment Lassieur wrote:
> > The first patch adds PAM to OpenSSH service, and enables it by
> > default. =20
>=20
> Definitely a good idea. If this is applied I think it should be
> communicated if it breaks peoples configurations. On the other hand,
> guix reconfigure lint already complains if an option is no longer
> present.
> I think notifying about certain changes if they break previous
> configurations is nice to have (but not mandatory, just the way I
> would do it).=20
> The code looks reasonable, I haven't applied the changes to review it.

I haven't applied it either, but it looks good, thank you :)

Could you also document the new fields and remove the documentation for
the old one?

>=20
> > This allows to log in (with a public key) if the account is locked.
> > Otherwise, one would have to set up a password manually or, say,
> > put '*' in /etc/shadow (with 'usermod -p').  It matters because
> > accounts created by GuixSD are locked.
> >=20
> > Whether to enable it by default is debatable because it is disabled
> > upstream, but it is enabled on every distribution I had a look at.
> >=20
> > The relevant part of the documentation is:
> >=20
> > --8<---------------cut here---------------start------------->8---
> > UsePAM  Enables the Pluggable Authentication Module interface.  If
> > set to yes this will enable PAM authentication using
> >         ChallengeResponseAuthentication and PasswordAuthentication
> > in addition to PAM account and session module processing for all
> >         authentication types.
> >=20
> >         Because PAM challenge-response authentication usually
> > serves an equivalent role to password authentication, you should
> > disable either PasswordAuthentication or
> > ChallengeResponseAuthentication.
> >=20
> >         If UsePAM is enabled, you will not be able to run sshd(8)
> > as a non-root user.  The default is no.
> > --8<---------------cut here---------------end--------------->8---
> >=20
> > It also explains why I set ChallengeResponseAuthentication to 'no'
> > by default.
> >=20
> > The second patch removes the 'RSAAuthentication' option, which
> > causes warnings because it is deprecated.
> >=20
> > Cl=C3=A9ment Lassieur (2):
> >   services: openssh: Use PAM in sshd by default.
> >   services: openssh: remove deprecated 'RSAAuthentication' option.
> >=20
> >  gnu/services/ssh.scm | 24 ++++++++++++++++++------
> >  1 file changed, 18 insertions(+), 6 deletions(-)
> >=20
> > --=20
> > 2.11.1
> >=20
> >  =20
>=20