From: Bruno Victal
Date: Sat, 25 Feb 2023 18:57:58 +0000
Subject: [bug#61789] [PATCH 12/27] services: ssh: Deprecate 'lsh-service' procedure.
To: 61789@debbugs.gnu.org
Message-Id: <2f88379eaa173fea422efe9a60175d73bbc4123e.1677350249.git.mirai@makinata.eu>

* doc/guix.texi (Networking Services): Remove mention of lsh-service.
Document lsh-service-type and lsh-service-configuration.
* gnu/services/ssh.scm (): Set default values based on the now
deprecated 'lsh-service' procedure.
(lsh-service-type): Set default value.
(lsh-service): Deprecate procedure.
---
 doc/guix.texi        | 98 +++++++++++++++++++++++++++++---------------
 gnu/services/ssh.scm | 68 ++++++++++++++++++------------
 2 files changed, 106 insertions(+), 60 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index eeb2efa488..50ac49e65f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -20740,41 +20740,71 @@ Networking Services @cindex SSH @cindex SSH server -@deffn {Scheme Procedure} lsh-service [#:host-key "/etc/lsh/host-key"] @ - [#:daemonic? #t] [#:interfaces '()] [#:port-number 22] @ - [#:allow-empty-passwords? #f] [#:root-login? #f] @ - [#:syslog-output? #t] [#:x11-forwarding? #t] @ - [#:tcp/ip-forwarding? #t] [#:password-authentication? #t] @ - [#:public-key-authentication? #t] [#:initialize? #t] -Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}. -@var{host-key} must designate a file containing the host key, and readable -only by root. - -When @var{daemonic?} is true, @command{lshd} will detach from the -controlling terminal and log its output to syslogd, unless one sets -@var{syslog-output?} to false. Obviously, it also makes lsh-service -depend on existence of syslogd service. When @var{pid-file?} is true, -@command{lshd} writes its PID to the file called @var{pid-file}. - -When @var{initialize?} is true, automatically create the seed and host key -upon service activation if they do not exist yet. This may take long and -require interaction. - -When @var{initialize?} is false, it is up to the user to initialize the -randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create -a key pair with the private key stored in file @var{host-key} (@pxref{lshd -basics,,, lsh, LSH Manual}). - -When @var{interfaces} is empty, lshd listens for connections on all the -network interfaces; otherwise, @var{interfaces} must be a list of host names -or addresses. - -@var{allow-empty-passwords?} specifies whether to accept log-ins with empty -passwords, and @var{root-login?} specifies whether to accept log-ins as -root. +@defvar lsh-service-type +Type of the service that runs the GNU@tie{}lsh secure shell (SSH) +daemon, @command{lshd}. The value for this service is a +@code{} object. +@end defvar -The other options should be self-descriptive. 
-@end deffn +@deftp {Data Type} lsh-configuration +Data type representing the configuration of @command{lshd}. + +@table @asis +@item @code{lsh} (default: @code{lsh}) (type: file-like) +The package object of the GNU@tie{}lsh secure shell (SSH) daemon. + +@item @code{daemonic?} (default: @code{#t}) (type: boolean) +Whether to detach from the controlling terminal. + +@item @code{host-key} (default: @code{"/etc/lsh/host-key"}) (type: string) +File containing the @dfn{host key}. This file must be readable by +root only. + +@item @code{interfaces} (default: @code{()}) (type: list) +List of host names or addresses that @command{lshd} will listen on. +If empty, @command{lshd} listens for connections on all the network +interfaces. + +@item @code{port-number} (default: @code{22}) (type: integer) +Port to listen on. + +@item @code{allow-empty-passwords?} (default: @code{#f}) (type: boolean) +Whether to accept log-ins with empty passwords. + +@item @code{root-login?} (default: @code{#f}) (type: boolean) +Whether to accept log-ins as root. + +@item @code{syslog-output?} (default: @code{#t}) (type: boolean) +Whether to log @command{lshd} standard output to syslogd. +This will make the service depend on the existence of a syslogd service. + +@item @code{pid-file?} (default: @code{#f}) (type: boolean) +When @code{#t}, @command{lshd} writes its PID to the file specified in +@var{pid-file}. + +@item @code{pid-file} (default: @code{"/var/run/lshd.pid"}) (type: string) +File that @command{lshd} will write its PID to. + +@item @code{x11-forwarding?} (default: @code{#t}) (type: boolean) +Whether to enable X11 forwarding. + +@item @code{tcp/ip-forwarding?} (default: @code{#t}) (type: boolean) +Whether to enable TCP/IP forwarding. + +@item @code{password-authentication?} (default: @code{#t}) (type: boolean) +Whether to accept log-ins using password authentication. 
+ +@item @code{public-key-authentication?} (default: @code{#t}) (type: boolean) +Whether to accept log-ins using public key authentication. + +@item @code{initialize?} (default: @code{#t}) (type: boolean) +When @code{#f}, it is up to the user to initialize the randomness +generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create +a key pair with the private key stored in file @var{host-key} +(@pxref{lshd basics,,, lsh, LSH Manual}). + +@end table +@end deftp @cindex SSH @cindex SSH server diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 7b038e6ac6..3baa55731d 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -42,7 +42,7 @@ (define-module (gnu services ssh) #:use-module (ice-9 vlist) #:export (lsh-configuration lsh-configuration? - lsh-service + lsh-service ; deprecated lsh-service-type openssh-configuration 
@@ -74,20 +74,34 @@ (define-record-type* lsh-configuration? (lsh lsh-configuration-lsh (default lsh)) - (daemonic? lsh-configuration-daemonic?) - (host-key lsh-configuration-host-key) - (interfaces lsh-configuration-interfaces) - (port-number lsh-configuration-port-number) - (allow-empty-passwords? lsh-configuration-allow-empty-passwords?) - (root-login? lsh-configuration-root-login?) - (syslog-output? lsh-configuration-syslog-output?) - (pid-file? lsh-configuration-pid-file?) - (pid-file lsh-configuration-pid-file) - (x11-forwarding? lsh-configuration-x11-forwarding?) - (tcp/ip-forwarding? lsh-configuration-tcp/ip-forwarding?) - (password-authentication? lsh-configuration-password-authentication?) - (public-key-authentication? lsh-configuration-public-key-authentication?) - (initialize? lsh-configuration-initialize?)) + (daemonic? lsh-configuration-daemonic? + (default #t)) + (host-key lsh-configuration-host-key + (default "/etc/lsh/host-key")) + (interfaces lsh-configuration-interfaces + (default '())) + (port-number lsh-configuration-port-number + (default 22)) + (allow-empty-passwords? lsh-configuration-allow-empty-passwords? + (default #f)) + (root-login? lsh-configuration-root-login? + (default #f)) + (syslog-output? lsh-configuration-syslog-output? + (default #t)) + (pid-file? lsh-configuration-pid-file? + (default #f)) + (pid-file lsh-configuration-pid-file + (default "/var/run/lshd.pid")) + (x11-forwarding? lsh-configuration-x11-forwarding? + (default #t)) + (tcp/ip-forwarding? lsh-configuration-tcp/ip-forwarding? + (default #t)) + (password-authentication? lsh-configuration-password-authentication? + (default #t)) + (public-key-authentication? lsh-configuration-public-key-authentication? + (default #t)) + (initialize? lsh-configuration-initialize? + (default #t))) (define %yarrow-seed "/var/spool/lsh/yarrow-seed-file") 
@@ -203,19 +217,20 @@ (define (lsh-pam-services config) (lsh-configuration-allow-empty-passwords? config)))) (define lsh-service-type - (service-type (name 'lsh) - (description - "Run the GNU@tie{}lsh secure shell (SSH) daemon, + (service-type + (name 'lsh) + (extensions + (list (service-extension shepherd-root-service-type + lsh-shepherd-service) + (service-extension pam-root-service-type + lsh-pam-services) + (service-extension activation-service-type + lsh-activation))) + (description "Run the GNU@tie{}lsh secure shell (SSH) daemon, @command{lshd}.") - (extensions - (list (service-extension shepherd-root-service-type - lsh-shepherd-service) - (service-extension pam-root-service-type - lsh-pam-services) - (service-extension activation-service-type - lsh-activation))))) + (default-value (lsh-configuration)))) -(define* (lsh-service #:key +(define-deprecated (lsh-service #:key (lsh lsh) (daemonic? #t) (host-key "/etc/lsh/host-key") @@ -231,6 +246,7 @@ (define* (lsh-service #:key (password-authentication? #t) (public-key-authentication? #t) (initialize? #t)) + lsh-service-type "Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}. @var{host-key} must designate a file containing the host key, and readable only by root. -- 2.39.1
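Review bot: the commit message says this documents `lsh-service-configuration`, but the data type the doc/guix.texi hunk introduces is `@deftp {Data Type} lsh-configuration`; the message should name `lsh-configuration` so the ChangeLog matches the manual. In the same hunk, the `initialize?` entry only describes the `#f` case and drops the old text's description of the default behaviour, "automatically create the seed and host key upon service activation if they do not exist yet. This may take long and require interaction." Since `#t` is the default, that sentence and its caveat are worth keeping. Also, `The value for this service is a @code{} object.` shows an empty type name; check that `<lsh-configuration>` is actually present in the texinfo source, as the angle brackets appear to have been lost in the posted copy.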
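Review bot: in the @@ -74 hunk the record defaults mirror the deprecated procedure's keyword defaults (`daemonic? #t`, `root-login? #f`, `allow-empty-passwords? #f`, `x11-forwarding? #t`, `tcp/ip-forwarding? #t`), which is the right call for a deprecation, but `pid-file` gets `(default "/var/run/lshd.pid")` while the old `@deffn` signature never listed a `pid-file` keyword at all; confirm the deprecated procedure's own default for it is the same string so that `lsh-service` and a bare `(lsh-configuration)` start an identical daemon. It would also help to state in the commit message that the defaults are intentionally identical to the old keyword defaults, so a reader does not mistake the permissive forwarding defaults for a new decision.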
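Review bot: `define-deprecated` comes from `(guix deprecation)`, and nothing in this patch adds that module to the `define-module` form (the @@ -42 hunk only touches the export list), so confirm it is already imported or add `#:use-module (guix deprecation)`; otherwise the file will not compile. The `+ lsh-service-type` line in the @@ -231 hunk is in the correct position for `(define-deprecated (name . args) replacement body ...)`. Style: swapping the order of `description` and `extensions` inside `service-type` rewrites lines that are otherwise unchanged; keeping the original order and only adding `(default-value (lsh-configuration))` would give a smaller, easier-to-review diff. With that default value and `initialize?` defaulting to `#t`, a bare `(service lsh-service-type)` now generates the seed and host key at activation, which deserves a sentence in the manual.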