From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys alone.

The default was to remove any ~/.ssh/authorized_keys file and replace it with a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix home generated ~/.ssh/authorized_keys file does not allow login.
* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm () [authorized-keys]: Change default to #f. (openssh-configuration-files): Cater for default #f value: Do not register "authorized_keys".
---
 doc/guix.texi | 8 +++++---
 gnu/home/services/ssh.scm | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time. Preparing this list can be relatively tedious though, which is why @code{*unspecified*} is kept as a default. -@item @code{authorized-keys} (default: @code{'()}) -This must be a list of file-like objects, each of which containing an -SSH public key that should be authorized to connect to this machine. +@item @code{authorized-keys} (default: @code{#false}) +The default @code{#false} value means: Leave any +@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a +list of file-like objects, each of which containing an SSH public key +that should be authorized to connect to this machine. Concretely, these files are concatenated and made available as @file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* home-openssh-configuration make-home-openssh-configuration home-openssh-configuration? (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like - (default '())) + (default #f)) (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like (default *unspecified*)) (hosts home-openssh-configuration-hosts ;list of
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " ")) '#$files))))))) (define (openssh-configuration-files config) - (let ((config (plain-file "ssh.conf" - (openssh-configuration->string config))) - (known-hosts (home-openssh-configuration-known-hosts config)) - (authorized-keys (file-join - "authorized_keys" - (home-openssh-configuration-authorized-keys config) - "\n"))) - `((".ssh/authorized_keys" ,authorized-keys) + (let* ((ssh-config (plain-file "ssh.conf" + (openssh-configuration->string config))) + (known-hosts (home-openssh-configuration-known-hosts config)) + (authorized-keys (home-openssh-configuration-authorized-keys config)) + (authorized-keys (and + authorized-keys + (file-join "authorized_keys" authorized-keys "\n")))) + `(,@(if authorized-keys + `((".ssh/authorized_keys" ,authorized-keys)) + '()) ,@(if (unspecified? known-hosts) '() `((".ssh/known_hosts" ,(file-join "known_hosts" known-hosts "\n")))) - (".ssh/config" ,config)))) + (".ssh/config" ,ssh-config)))) (define openssh-activation (with-imported-modules (source-module-closure
-- 
2.39.2
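Review bot: The field comment `;list of file-like` on the `authorized-keys` field is now inaccurate, since the new default `#f` is an accepted value meaning the file is left unmanaged. Mirroring the neighbouring known-hosts field's `;unspec | list of file-like`, it should read `;#f | list of file-like`. The record definition begins outside the hunk, in the `@@` header context.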
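Review bot: The `(and authorized-keys (file-join ...))` binding relies on `'()` being truthy in Scheme, so an explicit empty list still produces a managed, empty `~/.ssh/authorized_keys` (authorizing no keys) while only `#f` leaves the file alone; that distinction is easy to misread and is not spelled out in the texi hunk either, so a comment is warranted, e.g. `;; #f: leave ~/.ssh/authorized_keys unmanaged.  A list, even '(), is written out, so '() yields an empty file that authorizes no keys.`. Users who relied on the old `'()` default to keep that file empty now get an unmanaged file after upgrading, so the documentation should state that the previous behaviour is obtained by setting `(authorized-keys '())` explicitly. If the login failure described in the commit message comes from sshd's StrictModes check rejecting a store symlink (owned by root rather than the user) — an inference, worth confirming — an opt-in key list would hit the same failure and the docs should say so. Rebinding `authorized-keys` twice in the `let*` could be collapsed into one binding with `and=>`, which reads more directly; the function `openssh-configuration-files` is contained entirely within the hunk.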