From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= <clement@lassieur.org>
Subject: [PATCH 4/4] services: openssh: Add 'subsystems' option.
Date: Tue, 21 Feb 2017 00:53:55 +0100
Message-ID: <20170220235355.29115-5-clement@lassieur.org>
References: <20170219185431.zgn53ndcbpedrgo7@wasp>
	<20170220235355.29115-1-clement@lassieur.org>
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:45807)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <clement@lassieur.org>) id 1cfxnh-0001cg-54
	for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:26 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <clement@lassieur.org>) id 1cfxng-0005BA-0a
	for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:25 -0500
Received: from mail.lassieur.org ([83.152.10.219]:33730)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <clement@lassieur.org>)
	id 1cfxnf-0005Av-KU
	for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:23 -0500
Received: from localhost.localdomain (unknown [88.191.118.83])
	by mail.lassieur.org (Postfix) with ESMTPSA id 995F76401F0
	for <guix-devel@gnu.org>; Tue, 21 Feb 2017 00:55:17 +0100 (CET)
In-Reply-To: <20170220235355.29115-1-clement@lassieur.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

* gnu/services/ssh.scm (openssh-config-file): Add it.
  (<openssh-configuration>)[subsystems]: Add it.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi        | 19 +++++++++++++
 gnu/services/ssh.scm | 80 +++++++++++++++++++++++++++++-----------------------
 2 files changed, 64 insertions(+), 35 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index db0bf0f9b..69ff33149 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -9175,6 +9175,25 @@ equivalent role to password authentication, you should disable either
 @item @code{print-last-log?} (default: @code{#t})
 Specifies whether @command{sshd} should print the date and time of the
 last user login when a user logs in interactively.
+
+@item @code{subsystems} (default: @code{'()})
+Configures external subsystems (e.g. file transfer daemon).
+
+This is a list of two-element tuples, where each tuple contains the
+subsystem name and a command (with optional arguments) to execute upon
+subsystem request.
+
+The command @command{sftp-server} implements the SFTP file transfer
+subsystem.
+@example
+'(("sftp" "/usr/libexec/sftp-server"))
+@end example
+
+Alternately the name @command{internal-sftp} implements an in-process
+SFTP server.
+@example
+'(("sftp" "internal-sftp"))
+@end example
 @end table
 @end deftp
 
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9e1449743..054743d11 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -280,7 +280,9 @@ The other options should be self-descriptive."
   (use-pam?              openssh-configuration-use-pam?
                          (default #t)) ;Boolean
   (print-last-log?       openssh-configuration-print-last-log?
-                         (default #t))) ;Boolean
+                         (default #t)) ;Boolean
+  (subsystems            openssh-configuration-subsystems
+                         (default '()))) ;List of two-element tuples
 
 (define %openssh-accounts
   (list (user-group (name "sshd") (system? #t))
@@ -314,40 +316,48 @@ The other options should be self-descriptive."
   "Return the sshd configuration file corresponding to CONFIG."
   (computed-file
    "sshd_config"
-   #~(call-with-output-file #$output
-       (lambda (port)
-         (display "# Generated by 'openssh-service'.\n" port)
-         (format port "Port ~a\n"
-                 #$(number->string (openssh-configuration-port-number config)))
-         (format port "PermitRootLogin ~a\n"
-                 #$(match (openssh-configuration-permit-root-login config)
-                     (#t "yes")
-                     (#f "no")
-                     ('without-password "without-password")))
-         (format port "PermitEmptyPasswords ~a\n"
-                 #$(if (openssh-configuration-allow-empty-passwords? config)
-                       "yes" "no"))
-         (format port "PasswordAuthentication ~a\n"
-                 #$(if (openssh-configuration-password-authentication? config)
-                       "yes" "no"))
-         (format port "PubkeyAuthentication ~a\n"
-                 #$(if (openssh-configuration-public-key-authentication? config)
-                       "yes" "no"))
-         (format port "X11Forwarding ~a\n"
-                 #$(if (openssh-configuration-x11-forwarding? config)
-                       "yes" "no"))
-         (format port "PidFile ~a\n"
-                 #$(openssh-configuration-pid-file config))
-         (format port "ChallengeResponseAuthentication ~a\n"
-                 #$(if (openssh-challenge-response-authentication? config)
-                       "yes" "no"))
-         (format port "UsePAM ~a\n"
-                 #$(if (openssh-configuration-use-pam? config)
-                       "yes" "no"))
-         (format port "PrintLastLog ~a\n"
-                 #$(if (openssh-configuration-print-last-log? config)
-                       "yes" "no"))
-         #t))))
+   #~(begin
+       (use-modules (ice-9 match))
+       (call-with-output-file #$output
+         (lambda (port)
+           (display "# Generated by 'openssh-service'.\n" port)
+           (format port "Port ~a\n"
+                   #$(number->string
+                      (openssh-configuration-port-number config)))
+           (format port "PermitRootLogin ~a\n"
+                   #$(match (openssh-configuration-permit-root-login config)
+                       (#t "yes")
+                       (#f "no")
+                       ('without-password "without-password")))
+           (format port "PermitEmptyPasswords ~a\n"
+                   #$(if (openssh-configuration-allow-empty-passwords? config)
+                         "yes" "no"))
+           (format port "PasswordAuthentication ~a\n"
+                   #$(if (openssh-configuration-password-authentication? config)
+                         "yes" "no"))
+           (format port "PubkeyAuthentication ~a\n"
+                   #$(if (openssh-configuration-public-key-authentication?
+                          config)
+                         "yes" "no"))
+           (format port "X11Forwarding ~a\n"
+                   #$(if (openssh-configuration-x11-forwarding? config)
+                         "yes" "no"))
+           (format port "PidFile ~a\n"
+                   #$(openssh-configuration-pid-file config))
+           (format port "ChallengeResponseAuthentication ~a\n"
+                   #$(if (openssh-challenge-response-authentication? config)
+                         "yes" "no"))
+           (format port "UsePAM ~a\n"
+                   #$(if (openssh-configuration-use-pam? config)
+                         "yes" "no"))
+           (format port "PrintLastLog ~a\n"
+                   #$(if (openssh-configuration-print-last-log? config)
+                         "yes" "no"))
+           (for-each
+            (match-lambda
+              ((name command) (format port "Subsystem\t~a\t~a\n" name command)))
+            '#$(openssh-configuration-subsystems config))
+           #t)))))
 
 (define (openssh-shepherd-service config)
   "Return a <shepherd-service> for openssh with CONFIG."
-- 
2.11.1