From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Christopher Allan Webber
Subject: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
Date: Fri, 28 Apr 2017 09:52:12 -0500
Message-ID: <87h918twir.fsf@dustycloud.org>
List-Id: Bug reports for GNU Guix
To: 26696@debbugs.gnu.org

I wanted to
permit root logins but only permit public key authentication in my openssh configuration. This was my original assumption of how to do it:

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login 'without-password)
            (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this combination.

However, it turns out this is redundant, since the configuration is already only permitting with public key authentication.

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login #t)
            (password-authentication? #f)))

This route is sufficient. However maybe we should prevent people from accidentally causing openssh to not start. Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9917c311c..f1f2ab3dc 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -342,7 +342,13 @@ The other options should be self-descriptive." #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no") - ('without-password "without-password"))) + ('without-password + ;; If we've already disabled password-authentication, this + ;; is redundant, and even stops the openssh server from + ;; starting up + (if (openssh-configuration-password-authentication? config) + "without-password" + "yes")))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no"))
#+END_SRC
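
Review bot: in the new 'without-password branch, the fallback to "yes" when password-authentication? is #f makes the service write a different PermitRootLogin value from the one the user configured, and the inline comment states a cause ("even stops the openssh server from starting up") that the message itself describes as unknown and untested. The branch checks only password-authentication?, so "yes" is emitted regardless of any other authentication method the configuration enables. It would be safer to keep emitting "without-password" and track down why that value prevents the daemon from starting; if the rewrite is kept, it should be mentioned in the documentation string that currently ends "The other options should be self-descriptive." so users are not surprised by the generated file.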