Subject: bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
From: Janneke Nieuwenhuizen
Organization: AvatarAcademy.nl
X-Url: http://AvatarAcademy.nl
To: 62948@debbugs.gnu.org
X-Debbugs-Original-To: bug-guix@gnu.org
X-GNU-PR-Message: report 62948
X-GNU-PR-Package: guix
Date: Wed, 19 Apr 2023 18:28:16 +0200
Message-ID: <875y9r96qn.fsf@gnu.org>
List-Id: Bug reports for GNU Guix

Hi,

Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login. I cannot access the logs and don't know what the
problem might be.

When, after running `guix home reconfigure', you do something like:

--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---

key-based login succeeds.

A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone. However, when using

--8<---------------cut here---------------start------------->8---
(service home-openssh-service-type
         (home-openssh-configuration
          (authorized-keys '())))
--8<---------------cut here---------------end--------------->8---

any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file. I don't see how that is useful, it certainly
breaks key-based login.
Using

--8<---------------cut here---------------start------------->8---
(service home-openssh-service-type
         (home-openssh-configuration
          (authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---

yields a backtrace. The attached patch fixes that and allows using
(authorized-keys #f), also making this the default.

WDYT?

Greetings,
Janneke

[Attachment: 0001-home-services-ssh-Support-leaving-.ssh-authorized_ke.patch]

From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys alone.

The default was to remove any ~/.ssh/authorized_keys file and replace it
with a symlink to an empty file. On some systems, notably Ubuntu 22.10,
the guix home generated ~/.ssh/authorized_keys file does not allow login.

* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm () [authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not
register "authorized_keys".
---
 doc/guix.texi             |  8 +++++---
 gnu/home/services/ssh.scm | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time. Preparing this list can be relatively tedious though, which is why @code{*unspecified*} is kept as a default. -@item @code{authorized-keys} (default: @code{'()}) -This must be a list of file-like objects, each of which containing an -SSH public key that should be authorized to connect to this machine. +@item @code{authorized-keys} (default: @code{#false}) +The default @code{#false} value means: Leave any +@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a +list of file-like objects, each of which containing an SSH public key +that should be authorized to connect to this machine. Concretely, these files are concatenated and made available as @file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm index 01917a29cd..317808f616 100644 --- a/gnu/home/services/ssh.scm +++ b/gnu/home/services/ssh.scm @@ -186,7 +186,7 @@ (define-record-type* home-openssh-configuration make-home-openssh-configuration home-openssh-configuration? (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like - (default '())) + (default #f)) (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like (default *unspecified*)) (hosts home-openssh-configuration-hosts ;list of 
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " ")) '#$files))))))) (define (openssh-configuration-files config) - (let ((config (plain-file "ssh.conf" - (openssh-configuration->string config))) - (known-hosts (home-openssh-configuration-known-hosts config)) - (authorized-keys (file-join - "authorized_keys" - (home-openssh-configuration-authorized-keys config) - "\n"))) - `((".ssh/authorized_keys" ,authorized-keys) + (let* ((ssh-config (plain-file "ssh.conf" + (openssh-configuration->string config))) + (known-hosts (home-openssh-configuration-known-hosts config)) + (authorized-keys (home-openssh-configuration-authorized-keys config)) + (authorized-keys (and + authorized-keys + (file-join "authorized_keys" authorized-keys "\n")))) + `(,@(if authorized-keys + `((".ssh/authorized_keys" ,authorized-keys)) + '()) ,@(if (unspecified? known-hosts) '() `((".ssh/known_hosts" ,(file-join "known_hosts" known-hosts "\n")))) - (".ssh/config" ,config)))) + (".ssh/config" ,ssh-config)))) (define openssh-activation (with-imported-modules (source-module-closure -- 2.39.2 --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable --=20 Janneke Nieuwenhuizen | GNU LilyPond https://LilyPond.org Freelance IT https://www.JoyOfSource.com | Avatar=C2=AE https://AvatarAcade= my.com --=-=-=--
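Review bot: in the doc/guix.texi hunk, the new @item text keeps the ungrammatical "each of which containing an SSH public key"; "each containing an SSH public key" or "each of which contains" reads better. The untouched sentence right after it, "Concretely, these files are concatenated and made available as @file{~/.ssh/authorized_keys}", now only holds when a list is given, so it should open with "When a list is given," so readers do not expect a file to be produced under the new @code{#false} default.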
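Review bot: in the record-type hunk, changing the field default from '() to #f is a silent behaviour change for existing users. With the old default, Guix Home replaced ~/.ssh/authorized_keys by a symlink to an empty file (as the report describes), so anyone relying on that to keep key-based login disabled will, after reconfiguring with the new default, keep whatever authorized_keys file is already on disk. State this in the commit message and in the texi (and in a NEWS entry if the change ships in a release), and name `(authorized-keys '())` as the explicit way to get the old, locked-down behaviour.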
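Review bot: in the openssh-configuration-files hunk, the `(and authorized-keys (file-join ...))` binding relies on '() being true in Scheme, so an explicit `(authorized-keys '())` still registers an empty ".ssh/authorized_keys" while #f registers nothing. That is the intended distinction, but it is easy to misread and deserves a comment above the `(and` form, for instance `;; #f: leave ~/.ssh/authorized_keys alone; '(): install an empty file.`, plus a sentence in the texi, which only documents #false. Rebinding `authorized-keys` twice in the `let*` can be collapsed into one binding, `(authorized-keys (and=> (home-openssh-configuration-authorized-keys config) (lambda (keys) (file-join "authorized_keys" keys "\n"))))`. Renaming the inner `config` to `ssh-config` is required once the `let` becomes `let*`, since the later bindings must see the procedure argument rather than the `plain-file`; good catch.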
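An added diagnostic, not part of the report or of Guix, for the "I cannot access the logs" situation above: sshd with the default StrictModes resolves symlinks in the authorized_keys path and refuses the file when it, or any directory on the resolved path up to the home directory or the root, is owned by neither the user nor root, or is writable by group or others. The function below applies those rules to a path so the offending component can be found on the client side; it assumes GNU coreutils (`stat -c`, `readlink -f`) and the paths in the usage are constructed.

```shell
#!/bin/sh
# check_authorized_keys FILE UID HOME
#   Prints every component sshd's StrictModes check would reject.
#   Returns 0 when sshd would accept FILE for user UID, 1 otherwise.
#   FILE is resolved through symlinks first, so a Guix Home link into
#   the store is judged by the store path, not by ~/.ssh.
check_authorized_keys() {
    uid=$2
    home=$(readlink -f "$3")
    path=$(readlink -f "$1") || { echo "cannot resolve: $1"; return 1; }
    [ -f "$path" ] || { echo "not a regular file: $path"; return 1; }
    rc=0
    while :; do
        owner=$(stat -c %u "$path") && mode=$(stat -c %a "$path") ||
            { echo "cannot stat: $path"; return 1; }
        # sshd accepts only the user or root (uid 0) as owner.
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "bad owner (uid $owner): $path"; rc=1
        fi
        # sshd tests (st_mode & 022): any write bit for group or others.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/others (mode $mode): $path"; rc=1
        fi
        # Like sshd, stop once the home directory itself has been checked,
        # or at the root when the resolved path lies outside the home.
        [ "$path" = "$home" ] && break
        [ "$path" = / ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Constructed usage: a regular 0400 file under a 0700 ~/.ssh passes, while
# the same content reached through a symlink into a group-writable (1775)
# directory is rejected because of that directory.
# t=$(mktemp -d); mkdir -p "$t/home/.ssh" "$t/store"
# check_authorized_keys "$t/home/.ssh/authorized_keys" "$(id -u)" "$t/home"
```

Every rejected component is printed, so a symlink whose target sits below a group-writable directory shows up as that directory, which is the kind of detail the "Authentication refused" line in sshd's own log would otherwise give.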