From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?q?Cl=C3=A9ment=20Lassieur?= Subject: [PATCH 4/4] services: openssh: Add 'subsystems' option. Date: Tue, 21 Feb 2017 00:53:55 +0100 Message-ID: <20170220235355.29115-5-clement@lassieur.org> References: <20170219185431.zgn53ndcbpedrgo7@wasp> <20170220235355.29115-1-clement@lassieur.org> Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:45807) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cfxnh-0001cg-54 for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:26 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cfxng-0005BA-0a for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:25 -0500 Received: from mail.lassieur.org ([83.152.10.219]:33730) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cfxnf-0005Av-KU for guix-devel@gnu.org; Mon, 20 Feb 2017 18:55:23 -0500 Received: from localhost.localdomain (unknown [88.191.118.83]) by mail.lassieur.org (Postfix) with ESMTPSA id 995F76401F0 for ; Tue, 21 Feb 2017 00:55:17 +0100 (CET) In-Reply-To: <20170220235355.29115-1-clement@lassieur.org> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org * gnu/services/ssh.scm (openssh-config-file): Add it. ()[subsystems]: Add it. * doc/guix.texi (Networking Services): Document it. --- doc/guix.texi | 19 +++++++++++++ gnu/services/ssh.scm | 80 +++++++++++++++++++++++++++++----------------------- 2 files changed, 64 insertions(+), 35 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index db0bf0f9b..69ff33149 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -9175,6 +9175,25 @@ equivalent role to password authentication, you should disable either @item @code{print-last-log?} (default: @code{#t}) Specifies whether @command{sshd} should print the date and time of the last user login when a user logs in interactively. + +@item @code{subsystems} (default: @code{'()}) +Configures external subsystems (e.g. file transfer daemon). + +This is a list of two-element tuples, where each tuple contains the +subsystem name and a command (with optional arguments) to execute upon +subsystem request. + +The command @command{sftp-server} implements the SFTP file transfer +subsystem. +@example +'(("sftp" "/usr/libexec/sftp-server")) +@end example + +Alternately the name @command{internal-sftp} implements an in-process +SFTP server. +@example +'(("sftp" "internal-sftp")) +@end example @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9e1449743..054743d11 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -280,7 +280,9 @@ The other options should be self-descriptive." (use-pam? openssh-configuration-use-pam? (default #t)) ;Boolean (print-last-log? openssh-configuration-print-last-log? - (default #t))) ;Boolean + (default #t)) ;Boolean + (subsystems openssh-configuration-subsystems + (default '()))) ;List of two-element tuples (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) 
@@ -314,40 +316,48 @@ The other options should be self-descriptive." "Return the sshd configuration file corresponding to CONFIG." (computed-file "sshd_config" - #~(call-with-output-file #$output - (lambda (port) - (display "# Generated by 'openssh-service'.\n" port) - (format port "Port ~a\n" - #$(number->string (openssh-configuration-port-number config))) - (format port "PermitRootLogin ~a\n" - #$(match (openssh-configuration-permit-root-login config) - (#t "yes") - (#f "no") - ('without-password "without-password"))) - (format port "PermitEmptyPasswords ~a\n" - #$(if (openssh-configuration-allow-empty-passwords? config) - "yes" "no")) - (format port "PasswordAuthentication ~a\n" - #$(if (openssh-configuration-password-authentication? config) - "yes" "no")) - (format port "PubkeyAuthentication ~a\n" - #$(if (openssh-configuration-public-key-authentication? config) - "yes" "no")) - (format port "X11Forwarding ~a\n" - #$(if (openssh-configuration-x11-forwarding? config) - "yes" "no")) - (format port "PidFile ~a\n" - #$(openssh-configuration-pid-file config)) - (format port "ChallengeResponseAuthentication ~a\n" - #$(if (openssh-challenge-response-authentication? config) - "yes" "no")) - (format port "UsePAM ~a\n" - #$(if (openssh-configuration-use-pam? config) - "yes" "no")) - (format port "PrintLastLog ~a\n" - #$(if (openssh-configuration-print-last-log? config) - "yes" "no")) - #t)))) + #~(begin + (use-modules (ice-9 match)) + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'openssh-service'.\n" port) + (format port "Port ~a\n" + #$(number->string + (openssh-configuration-port-number config))) + (format port "PermitRootLogin ~a\n" + #$(match (openssh-configuration-permit-root-login config) + (#t "yes") + (#f "no") + ('without-password "without-password"))) + (format port "PermitEmptyPasswords ~a\n" + #$(if (openssh-configuration-allow-empty-passwords? 
config) + "yes" "no")) + (format port "PasswordAuthentication ~a\n" + #$(if (openssh-configuration-password-authentication? config) + "yes" "no")) + (format port "PubkeyAuthentication ~a\n" + #$(if (openssh-configuration-public-key-authentication? + config) + "yes" "no")) + (format port "X11Forwarding ~a\n" + #$(if (openssh-configuration-x11-forwarding? config) + "yes" "no")) + (format port "PidFile ~a\n" + #$(openssh-configuration-pid-file config)) + (format port "ChallengeResponseAuthentication ~a\n" + #$(if (openssh-challenge-response-authentication? config) + "yes" "no")) + (format port "UsePAM ~a\n" + #$(if (openssh-configuration-use-pam? config) + "yes" "no")) + (format port "PrintLastLog ~a\n" + #$(if (openssh-configuration-print-last-log? config) + "yes" "no")) + (for-each + (match-lambda + ((name command) (format port "Subsystem\t~a\t~a\n" name command))) + '#$(openssh-configuration-subsystems config)) + #t))))) (define (openssh-shepherd-service config) "Return a for openssh with CONFIG." -- 2.11.1
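Review bot: the first @example under the new @code{subsystems} entry uses '/usr/libexec/sftp-server', a path that does not exist on Guix System, where @command{sftp-server} lives under the openssh package's store prefix; an example a user copies verbatim would make every SFTP request fail with an unhelpful error, so the example should show the Guix location or say explicitly that the path is illustrative. The text should also state what kind of values are accepted in each position, since the generated file embeds them verbatim. Minor wording: "Alternately" should be "Alternatively".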
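Review bot: the trailing comment on the new record field, ';List of two-element tuples', does not say what the two elements are; ';List of (name command) pairs' would match the documentation and make the expected shape obvious at the definition site.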
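Review bot: in the config-file hunk the new 'for-each' over "'#$(openssh-configuration-subsystems config)" performs no validation, so a malformed entry (wrong length, non-string element) only surfaces as a bare 'match-lambda' failure at build time; it is worth checking each entry up front and raising a descriptive error, and worth confirming that file-like values such as '(file-append openssh "/libexec/sftp-server")', the usual way to name a store path in Guix, are lowered correctly when nested in the quoted list, or else documenting that entries must be plain strings. Because name and command are written verbatim into sshd_config, two further checks are cheap and useful: reject values containing a newline or leading '#', which would otherwise become extra or commented-out directives, and reject duplicate subsystem names, which sshd refuses at startup. On style, most of this hunk is a re-indentation caused by wrapping the body in '(begin (use-modules (ice-9 match)) ...)'; formatting the Subsystem lines on the host side, for example with a '#$(string-concatenate (map ... subsystems))' inside a single 'display', would leave the existing body untouched and avoid the build-side module import.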