all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [PATCH] openssh service
@ 2016-08-05 12:18 Julien Lepiller
  2016-08-05 13:47 ` Andy Wingo
  0 siblings, 1 reply; 12+ messages in thread
From: Julien Lepiller @ 2016-08-05 12:18 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 93 bytes --]

Hello,

here is a patch that adds a service definition for openssh.

Regards,
Julien Lepiller

[-- Attachment #2: 0001-services-Add-openssh.patch --]
[-- Type: text/x-patch, Size: 7937 bytes --]

From 592ab25424b2685238e31a3e2473e31a45bea4e5 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh

* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
---
 gnu/packages/ssh.scm |   3 +-
 gnu/services/ssh.scm | 145 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 146 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index bca4433..eec6673 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.")
              ("zlib" ,zlib)
              ("xauth" ,xauth)))                   ;for 'ssh -X' and 'ssh -Y'
    (arguments
-    `(#:test-target "tests"
+    `(#:configure-flags `("--sysconfdir=/etc/ssh")
+      #:test-target "tests"
       #:phases
       (modify-phases %standard-phases
         (add-after 'configure 'reset-/var/empty
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9a7ea0f..8372cbf 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -19,9 +19,11 @@
 
 (define-module (gnu services ssh)
   #:use-module (gnu packages ssh)
+  #:use-module (gnu packages admin)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system pam)
+  #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (srfi srfi-26)
@@ -30,6 +32,11 @@
             lsh-service
             lsh-service-type
 
+            openssh-configuration
+            openssh-configuration?
+            openssh-service-type
+            openssh-service
+
             dropbear-configuration
             dropbear-configuration?
             dropbear-service-type
@@ -244,7 +251,143 @@ The other options should be self-descriptive."
                                public-key-authentication?)
                               (initialize? initialize?))))
 
-\f
+;;;
+;;; OpenSSH.
+;;;
+
+(define-record-type* <openssh-configuration>
+  openssh-configuration make-openssh-configuration
+  openssh-configuration?
+  (pidfile               openssh-configuration-pidfile
+                         (default "/var/run/sshd.pid"))
+  (port-number           openssh-configuration-port-number
+                         (default 22))
+  (root-login            openssh-configuration-root-login
+                         (default "without-password"))
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
+                          (default #f))
+  (password-authentication? openssh-configuration-password-authentication?
+                            (default #t))
+  (pubkey-authentication? openssh-configuration-pubkey-authentication?
+                            (default #t))
+  (rsa-authentication?   openssh-configuration-rsa-authentication?
+                            (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding?
+                            (default #f))
+  (protocol-number       openssh-configuration-protocol-number
+                         (default "2")))
+
+(define %openssh-accounts
+  (list (user-group (name "sshd") (system? #t))
+        (user-account
+          (name "sshd")
+          (group "sshd")
+          (system? #t)
+          (comment "sshd privilege separation user")
+          (home-directory "/var/run/sshd")
+          (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define (openssh-activation config)
+  "Return the activation GEXP for CONFIG."
+  #~(begin
+      (mkdir-p "/etc/ssh")
+      (mkdir-p (basename #$(openssh-configuration-pidfile config)))
+      (let ((pid (primitive-fork)))
+        (case pid
+          ((0)
+           (execl (string-append #$openssh "/bin/ssh-keygen")
+                  "ssh-keygen" "-A")
+          (else
+           (zero? (cdr (waitpid pid)))))))
+      (call-with-output-file "/etc/ssh/sshd_config"
+         (lambda (port)
+           (display
+             "# Generated by 'openssh-service'.\n"
+             port)
+           (format port "Protocol ~a\n"
+              #$(openssh-configuration-protocol-number config))
+           (format port "Port ~a\n" 
+              #$(number->string (openssh-configuration-port-number config)))
+           (format port "PermitRootLogin ~a\n"
+              #$(openssh-configuration-root-login config))
+           (format port "PermitEmptyPasswords ~a\n"
+              #$(if (openssh-configuration-allow-empty-passwords? config)
+                    "yes" "no"))
+           (format port "PasswordAuthentication ~a\n"
+              #$(if (openssh-configuration-password-authentication? config)
+                    "yes" "no"))
+           (format port "PubkeyAuthentication ~a\n"
+              #$(if (openssh-configuration-pubkey-authentication? config)
+                    "yes" "no"))
+           (format port "RSAAuthentication ~a\n"
+              #$(if (openssh-configuration-rsa-authentication? config)
+                    "yes" "no"))
+           (format port "X11Forwarding ~a\n"
+              #$(if (openssh-configuration-x11-forwarding? config)
+                    "yes" "no"))
+           (format port "PidFile ~a\n"
+              #$(openssh-configuration-pidfile config))))))
+
+(define (openssh-shepherd-service config)
+  "Return a <shepherd-service> for openssh with CONFIG."
+
+  (define pid-file
+    (openssh-configuration-pidfile config))
+
+  (define openssh-command
+    #~(list (string-append #$openssh "/sbin/sshd")
+            "-D"))
+
+  (define requires
+        '(networking syslogd))
+
+  (list (shepherd-service
+         (documentation "Openssh SSH server.")
+         (requirement requires)
+         (provision '(ssh-daemon))
+         (start #~(make-forkexec-constructor #$openssh-command
+                                             #:pid-file #$pid-file))
+         (stop #~(make-kill-destructor)))))
+
+(define openssh-service-type
+  (service-type (name 'openssh)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          openssh-shepherd-service)
+                       (service-extension activation-service-type
+                                          openssh-activation)
+                       (service-extension account-service-type
+                                          (const %openssh-accounts))))))
+
+(define* (openssh-service #:optional (config (openssh-configuration)))
+  "Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be one of \"1\", \"2\" or \"1,2\".
+
+@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work."
+  (service openssh-service-type config))
+
 ;;;
 ;;; Dropbear.
 ;;;
-- 
2.9.2


^ permalink raw reply related	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-05 12:18 [PATCH] openssh service Julien Lepiller
@ 2016-08-05 13:47 ` Andy Wingo
  2016-08-05 14:20   ` Julien Lepiller
  0 siblings, 1 reply; 12+ messages in thread
From: Andy Wingo @ 2016-08-05 13:47 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu> writes:

> here is a patch that adds a service definition for openssh.

Very nice!

> +      (let ((pid (primitive-fork)))
> +        (case pid
> +          ((0)
> +           (execl (string-append #$openssh "/bin/ssh-keygen")
> +                  "ssh-keygen" "-A")
> +          (else
> +           (zero? (cdr (waitpid pid)))))))

I guess you could system* this one instead; would be easier I think.
Dunno.

Other than that looks all good to me.  Would need an addition to the
manual eventually though.

Andy

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-05 13:47 ` Andy Wingo
@ 2016-08-05 14:20   ` Julien Lepiller
  2016-08-19 14:03     ` Julien Lepiller
  0 siblings, 1 reply; 12+ messages in thread
From: Julien Lepiller @ 2016-08-05 14:20 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 760 bytes --]

On Fri, 05 Aug 2016 15:47:50 +0200
Andy Wingo <wingo@igalia.com> wrote:

> On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu> writes:
> 
> > here is a patch that adds a service definition for openssh.  
> 
> Very nice!
> 
> > +      (let ((pid (primitive-fork)))
> > +        (case pid
> > +          ((0)
> > +           (execl (string-append #$openssh "/bin/ssh-keygen")
> > +                  "ssh-keygen" "-A")
> > +          (else
> > +           (zero? (cdr (waitpid pid)))))))  
> 
> I guess you could system* this one instead; would be easier I think.
> Dunno.

I modified my patch, so you can choose whichever feels better.

> 
> Other than that looks all good to me.  Would need an addition to the
> manual eventually though.

> 
> Andy


[-- Attachment #2: 0001-services-Add-openssh.patch --]
[-- Type: text/x-patch, Size: 7769 bytes --]

From 198ed4efacadd72b4ccda617855fb7f409bedd3b Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh

* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
---
 gnu/packages/ssh.scm |   3 +-
 gnu/services/ssh.scm | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 140 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index bca4433..eec6673 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.")
              ("zlib" ,zlib)
              ("xauth" ,xauth)))                   ;for 'ssh -X' and 'ssh -Y'
    (arguments
-    `(#:test-target "tests"
+    `(#:configure-flags `("--sysconfdir=/etc/ssh")
+      #:test-target "tests"
       #:phases
       (modify-phases %standard-phases
         (add-after 'configure 'reset-/var/empty
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9a7ea0f..60b9cec 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -19,9 +19,11 @@
 
 (define-module (gnu services ssh)
   #:use-module (gnu packages ssh)
+  #:use-module (gnu packages admin)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system pam)
+  #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (srfi srfi-26)
@@ -30,6 +32,11 @@
             lsh-service
             lsh-service-type
 
+            openssh-configuration
+            openssh-configuration?
+            openssh-service-type
+            openssh-service
+
             dropbear-configuration
             dropbear-configuration?
             dropbear-service-type
@@ -244,7 +251,137 @@ The other options should be self-descriptive."
                                public-key-authentication?)
                               (initialize? initialize?))))
 
-\f
+;;;
+;;; OpenSSH.
+;;;
+
+(define-record-type* <openssh-configuration>
+  openssh-configuration make-openssh-configuration
+  openssh-configuration?
+  (pidfile               openssh-configuration-pidfile
+                         (default "/var/run/sshd.pid"))
+  (port-number           openssh-configuration-port-number
+                         (default 22))
+  (root-login            openssh-configuration-root-login
+                         (default "without-password"))
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
+                          (default #f))
+  (password-authentication? openssh-configuration-password-authentication?
+                            (default #t))
+  (pubkey-authentication? openssh-configuration-pubkey-authentication?
+                            (default #t))
+  (rsa-authentication?   openssh-configuration-rsa-authentication?
+                            (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding?
+                            (default #f))
+  (protocol-number       openssh-configuration-protocol-number
+                         (default "2")))
+
+(define %openssh-accounts
+  (list (user-group (name "sshd") (system? #t))
+        (user-account
+          (name "sshd")
+          (group "sshd")
+          (system? #t)
+          (comment "sshd privilege separation user")
+          (home-directory "/var/run/sshd")
+          (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define (openssh-activation config)
+  "Return the activation GEXP for CONFIG."
+  #~(begin
+      (mkdir-p "/etc/ssh")
+      (mkdir-p (basename #$(openssh-configuration-pidfile config)))
+      (system* (string-append #$openssh "/bin/ssh-keygen") "-A")
+      (call-with-output-file "/etc/ssh/sshd_config"
+         (lambda (port)
+           (display
+             "# Generated by 'openssh-service'.\n"
+             port)
+           (format port "Protocol ~a\n"
+              #$(openssh-configuration-protocol-number config))
+           (format port "Port ~a\n" 
+              #$(number->string (openssh-configuration-port-number config)))
+           (format port "PermitRootLogin ~a\n"
+              #$(openssh-configuration-root-login config))
+           (format port "PermitEmptyPasswords ~a\n"
+              #$(if (openssh-configuration-allow-empty-passwords? config)
+                    "yes" "no"))
+           (format port "PasswordAuthentication ~a\n"
+              #$(if (openssh-configuration-password-authentication? config)
+                    "yes" "no"))
+           (format port "PubkeyAuthentication ~a\n"
+              #$(if (openssh-configuration-pubkey-authentication? config)
+                    "yes" "no"))
+           (format port "RSAAuthentication ~a\n"
+              #$(if (openssh-configuration-rsa-authentication? config)
+                    "yes" "no"))
+           (format port "X11Forwarding ~a\n"
+              #$(if (openssh-configuration-x11-forwarding? config)
+                    "yes" "no"))
+           (format port "PidFile ~a\n"
+              #$(openssh-configuration-pidfile config))))))
+
+(define (openssh-shepherd-service config)
+  "Return a <shepherd-service> for openssh with CONFIG."
+
+  (define pid-file
+    (openssh-configuration-pidfile config))
+
+  (define openssh-command
+    #~(list (string-append #$openssh "/sbin/sshd")
+            "-D"))
+
+  (define requires
+        '(networking syslogd))
+
+  (list (shepherd-service
+         (documentation "Openssh SSH server.")
+         (requirement requires)
+         (provision '(ssh-daemon))
+         (start #~(make-forkexec-constructor #$openssh-command
+                                             #:pid-file #$pid-file))
+         (stop #~(make-kill-destructor)))))
+
+(define openssh-service-type
+  (service-type (name 'openssh)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          openssh-shepherd-service)
+                       (service-extension activation-service-type
+                                          openssh-activation)
+                       (service-extension account-service-type
+                                          (const %openssh-accounts))))))
+
+(define* (openssh-service #:optional (config (openssh-configuration)))
+  "Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be one of \"1\", \"2\" or \"1,2\".
+
+@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work."
+  (service openssh-service-type config))
+
 ;;;
 ;;; Dropbear.
 ;;;
-- 
2.9.2


^ permalink raw reply related	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-05 14:20   ` Julien Lepiller
@ 2016-08-19 14:03     ` Julien Lepiller
  2016-08-19 14:15       ` Vincent Legoll
  0 siblings, 1 reply; 12+ messages in thread
From: Julien Lepiller @ 2016-08-19 14:03 UTC (permalink / raw)
  To: guix-devel

On Fri, 5 Aug 2016 16:20:49 +0200
Julien Lepiller <julien@lepiller.eu> wrote:

> On Fri, 05 Aug 2016 15:47:50 +0200
> Andy Wingo <wingo@igalia.com> wrote:
> 
> > On Fri 05 Aug 2016 14:18, Julien Lepiller <julien@lepiller.eu>
> > writes: 
> > > here is a patch that adds a service definition for openssh.    
> > 
> > Very nice!
> >   
> > > +      (let ((pid (primitive-fork)))
> > > +        (case pid
> > > +          ((0)
> > > +           (execl (string-append #$openssh "/bin/ssh-keygen")
> > > +                  "ssh-keygen" "-A")
> > > +          (else
> > > +           (zero? (cdr (waitpid pid)))))))    
> > 
> > I guess you could system* this one instead; would be easier I think.
> > Dunno.  
> 
> I modified my patch, so you can choose whichever feels better.
> 
> > 
> > Other than that looks all good to me.  Would need an addition to the
> > manual eventually though.  
> 
> > 
> > Andy  
> 

Hi,

It's been a bit of time since I posted the patch, but didn't hear any
news about it. What's wrong with it? Is it that I misunderstood the
"Would need an addition to the manual eventually though"? Does that
mean I need to add an entry to the manual myself (if so, could you
tell me what file to edit?)

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-19 14:03     ` Julien Lepiller
@ 2016-08-19 14:15       ` Vincent Legoll
  2016-08-19 14:31         ` Julien Lepiller
  0 siblings, 1 reply; 12+ messages in thread
From: Vincent Legoll @ 2016-08-19 14:15 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hello,

On Fri, Aug 19, 2016 at 4:03 PM, Julien Lepiller <julien@lepiller.eu> wrote:
> Does that mean I need to add an entry to the manual myself (if so, could
> you tell me what file to edit?)

I think that would be doc/guix.texi
in http://git.savannah.gnu.org/cgit/guix.git

-- 
Vincent Legoll

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-19 14:15       ` Vincent Legoll
@ 2016-08-19 14:31         ` Julien Lepiller
  2016-08-26 10:51           ` Andy Wingo
  2016-08-29 15:06           ` Ludovic Courtès
  0 siblings, 2 replies; 12+ messages in thread
From: Julien Lepiller @ 2016-08-19 14:31 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 437 bytes --]

On Fri, 19 Aug 2016 16:15:48 +0200
Vincent Legoll <vincent.legoll@gmail.com> wrote:

> Hello,
> 
> On Fri, Aug 19, 2016 at 4:03 PM, Julien Lepiller <julien@lepiller.eu>
> wrote:
> > Does that mean I need to add an entry to the manual myself (if so,
> > could you tell me what file to edit?)  
> 
> I think that would be doc/guix.texi
> in http://git.savannah.gnu.org/cgit/guix.git
> 

Thank you, here is the patch with the documentation.

[-- Attachment #2: 0001-services-Add-openssh.patch --]
[-- Type: text/x-patch, Size: 9932 bytes --]

From 070513c1768763c80cad47832f895320fcc223be Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh

* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
* doc/guix.texi (Networking Services): Document 'openssh-services'.
---
 doc/guix.texi        |  34 +++++++++++++
 gnu/packages/ssh.scm |   3 +-
 gnu/services/ssh.scm | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 174 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5330238..6be91ee 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8042,6 +8042,40 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
+@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @
+       [#:port-number 22] [#:root-login "without-password"] @
+       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
+       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
+       [#:x11-forwarding? #f] [#:protocol-number "2"]
+"Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be one of \"1\", \"2\" or \"1,2\".
+
+@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work.
+
+@end deffn
+
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index 16cd6e2..457e78b 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.")
              ("zlib" ,zlib)
              ("xauth" ,xauth)))                   ;for 'ssh -X' and 'ssh -Y'
    (arguments
-    `(#:test-target "tests"
+    `(#:configure-flags `("--sysconfdir=/etc/ssh")
+      #:test-target "tests"
       #:phases
       (modify-phases %standard-phases
         (add-after 'configure 'reset-/var/empty
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9a7ea0f..60b9cec 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -19,9 +19,11 @@
 
 (define-module (gnu services ssh)
   #:use-module (gnu packages ssh)
+  #:use-module (gnu packages admin)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system pam)
+  #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (srfi srfi-26)
@@ -30,6 +32,11 @@
             lsh-service
             lsh-service-type
 
+            openssh-configuration
+            openssh-configuration?
+            openssh-service-type
+            openssh-service
+
             dropbear-configuration
             dropbear-configuration?
             dropbear-service-type
@@ -244,7 +251,137 @@ The other options should be self-descriptive."
                                public-key-authentication?)
                               (initialize? initialize?))))
 
-\f
+;;;
+;;; OpenSSH.
+;;;
+
+(define-record-type* <openssh-configuration>
+  openssh-configuration make-openssh-configuration
+  openssh-configuration?
+  (pidfile               openssh-configuration-pidfile
+                         (default "/var/run/sshd.pid"))
+  (port-number           openssh-configuration-port-number
+                         (default 22))
+  (root-login            openssh-configuration-root-login
+                         (default "without-password"))
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
+                          (default #f))
+  (password-authentication? openssh-configuration-password-authentication?
+                            (default #t))
+  (pubkey-authentication? openssh-configuration-pubkey-authentication?
+                            (default #t))
+  (rsa-authentication?   openssh-configuration-rsa-authentication?
+                            (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding?
+                            (default #f))
+  (protocol-number       openssh-configuration-protocol-number
+                         (default "2")))
+
+(define %openssh-accounts
+  (list (user-group (name "sshd") (system? #t))
+        (user-account
+          (name "sshd")
+          (group "sshd")
+          (system? #t)
+          (comment "sshd privilege separation user")
+          (home-directory "/var/run/sshd")
+          (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define (openssh-activation config)
+  "Return the activation GEXP for CONFIG."
+  #~(begin
+      (mkdir-p "/etc/ssh")
+      (mkdir-p (basename #$(openssh-configuration-pidfile config)))
+      (system* (string-append #$openssh "/bin/ssh-keygen") "-A")
+      (call-with-output-file "/etc/ssh/sshd_config"
+         (lambda (port)
+           (display
+             "# Generated by 'openssh-service'.\n"
+             port)
+           (format port "Protocol ~a\n"
+              #$(openssh-configuration-protocol-number config))
+           (format port "Port ~a\n" 
+              #$(number->string (openssh-configuration-port-number config)))
+           (format port "PermitRootLogin ~a\n"
+              #$(openssh-configuration-root-login config))
+           (format port "PermitEmptyPasswords ~a\n"
+              #$(if (openssh-configuration-allow-empty-passwords? config)
+                    "yes" "no"))
+           (format port "PasswordAuthentication ~a\n"
+              #$(if (openssh-configuration-password-authentication? config)
+                    "yes" "no"))
+           (format port "PubkeyAuthentication ~a\n"
+              #$(if (openssh-configuration-pubkey-authentication? config)
+                    "yes" "no"))
+           (format port "RSAAuthentication ~a\n"
+              #$(if (openssh-configuration-rsa-authentication? config)
+                    "yes" "no"))
+           (format port "X11Forwarding ~a\n"
+              #$(if (openssh-configuration-x11-forwarding? config)
+                    "yes" "no"))
+           (format port "PidFile ~a\n"
+              #$(openssh-configuration-pidfile config))))))
+
+(define (openssh-shepherd-service config)
+  "Return a <shepherd-service> for openssh with CONFIG."
+
+  (define pid-file
+    (openssh-configuration-pidfile config))
+
+  (define openssh-command
+    #~(list (string-append #$openssh "/sbin/sshd")
+            "-D"))
+
+  (define requires
+        '(networking syslogd))
+
+  (list (shepherd-service
+         (documentation "Openssh SSH server.")
+         (requirement requires)
+         (provision '(ssh-daemon))
+         (start #~(make-forkexec-constructor #$openssh-command
+                                             #:pid-file #$pid-file))
+         (stop #~(make-kill-destructor)))))
+
+(define openssh-service-type
+  (service-type (name 'openssh)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          openssh-shepherd-service)
+                       (service-extension activation-service-type
+                                          openssh-activation)
+                       (service-extension account-service-type
+                                          (const %openssh-accounts))))))
+
+(define* (openssh-service #:optional (config (openssh-configuration)))
+  "Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be one of \"1\", \"2\" or \"1,2\".
+
+@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work."
+  (service openssh-service-type config))
+
 ;;;
 ;;; Dropbear.
 ;;;
-- 
2.9.3


^ permalink raw reply related	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-19 14:31         ` Julien Lepiller
@ 2016-08-26 10:51           ` Andy Wingo
  2016-09-26 16:42             ` Julien Lepiller
  2016-08-29 15:06           ` Ludovic Courtès
  1 sibling, 1 reply; 12+ messages in thread
From: Andy Wingo @ 2016-08-26 10:51 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hi Julien,

Thanks for the documentation update!

On Fri 19 Aug 2016 16:31, Julien Lepiller <julien@lepiller.eu> writes:

> +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @
> +       [#:port-number 22] [#:root-login "without-password"] @
> +       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
> +       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
> +       [#:x11-forwarding? #f] [#:protocol-number "2"]
> +"Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
> +@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
> +understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
> +be one of \"1\", \"2\" or \"1,2\".
> +
> +@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
> +@var{no}. It is used to allow root login through ssh. @var{without-password}
> +means that root login is allowed, except when loging with a password (eg: a
> +public key).

The variable needs to be changed to @var{root-login} (and I think
probably @var{permit-root-login} would be more expected), and probably
"without-password" should be a symbol rather than a string.  In general
I think naming the keywords after the upstream options is going to be
the least confusing thing for users.  Consider changing from
yes/no/without-password to #t/#f/without-password, and renaming the
option to #:permit-root-login?.  Consider requiring that the protocol
number be either 1 or 2.  In general we want to make errors happen
early, when building the OS, rather than when the OS is booted.

WDYT?

Andy

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-19 14:31         ` Julien Lepiller
  2016-08-26 10:51           ` Andy Wingo
@ 2016-08-29 15:06           ` Ludovic Courtès
  1 sibling, 0 replies; 12+ messages in thread
From: Ludovic Courtès @ 2016-08-29 15:06 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hi Julien,

I just discovered this patch as I go through my backlog, which is fun
because I used sshd as an example to illustrate how GuixSD services work
just a week ago.  :-)

Julien Lepiller <julien@lepiller.eu> skribis:

> +@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @

#:pid-file

> +       [#:port-number 22] [#:root-login "without-password"] @
> +       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
> +       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
> +       [#:x11-forwarding? #f] [#:protocol-number "2"]

I agree with Andy’s latest comments regarding naming.

Also, make sure to consistently use question marks for Boolean options,
as in #:allow-empty-passwords?.

Last thing, I would prefer to expose and document
<openssh-configuration>, as is done for Dropbear.  We should encourage
this style now, IMO.

(In commit 39012aab3333868d5ab3b39c95682f95212437e2 I enabled PAM
support in OpenSSH, though it’s off by default; maybe in a future patch
we can add #:pam-support?.)

> --- a/gnu/packages/ssh.scm
> +++ b/gnu/packages/ssh.scm
> @@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.")
>               ("zlib" ,zlib)
>               ("xauth" ,xauth)))                   ;for 'ssh -X' and 'ssh -Y'
>     (arguments
> -    `(#:test-target "tests"
> +    `(#:configure-flags `("--sysconfdir=/etc/ssh")
> +      #:test-target "tests"

I committed this part independently as
af493726ce16483bd09ed7f73028bab3294131e2.  :-)

> +When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work."

@option{-X} and @option{-Y}.

These are all cosmetic details.  If you prefer I can do it on your
behalf, just let me know; otherwise, please send an updated patch.

Thank you for your work!

Ludo’.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-08-26 10:51           ` Andy Wingo
@ 2016-09-26 16:42             ` Julien Lepiller
  2016-09-29 21:15               ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Julien Lepiller @ 2016-09-26 16:42 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 2104 bytes --]

On Fri, 26 Aug 2016 12:51:56 +0200
Andy Wingo <wingo@igalia.com> wrote:

> Hi Julien,
> 
> Thanks for the documentation update!
> 
> On Fri 19 Aug 2016 16:31, Julien Lepiller <julien@lepiller.eu> writes:
> 
> > +@deffn {Scheme Procedure} openssh-service [#:pidfile
> > "/var/run/sshd.pid"] @
> > +       [#:port-number 22] [#:root-login "without-password"] @
> > +       [#:allow-empty-passwords #f] [#:password-authentication?
> > #t] @
> > +       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
> > +       [#:x11-forwarding? #f] [#:protocol-number "2"]
> > +"Run the @command{sshd} program from @var{openssh} on port
> > @var{port-number}. +@command{sshd} runs an ssh daemon and writes
> > its PID to @var{pidfile}. It +understands ssh protocol
> > @var{protocol-number}. The @var{protocol-number} can +be one of
> > \"1\", \"2\" or \"1,2\". +
> > +@var{PermitRootLogin} takes one of @var{yes},
> > @var{without-password} and +@var{no}. It is used to allow root
> > login through ssh. @var{without-password} +means that root login is
> > allowed, except when loging with a password (eg: a +public key).  
> 
> The variable needs to be changed to @var{root-login} (and I think
> probably @var{permit-root-login} would be more expected), and probably
> "without-password" should be a symbol rather than a string.  In
> general I think naming the keywords after the upstream options is
> going to be the least confusing thing for users.  Consider changing
> from yes/no/without-password to #t/#f/without-password, and renaming
> the option to #:permit-root-login?.  Consider requiring that the
> protocol number be either 1 or 2.  In general we want to make errors
> happen early, when building the OS, rather than when the OS is booted.

Sorry for the delay, here is a new version of the patch.

Meanwhile, sysconfdir was set to /etc, but I changed this for /etc/ssh,
because openssh looks for its configuration and other files (about 10)
directly in sysconfdir, not a subdirectory. Also, I fixed a mistake in
openssh-service (it was not following what the doc said).

> 
> WDYT?
> 
> Andy


[-- Attachment #2: 0001-services-Add-openssh.patch --]
[-- Type: text/x-patch, Size: 9701 bytes --]

From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh

* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
* doc/guix.texi (Networking Services): Document 'openssh-services'.
---
 doc/guix.texi        |  34 ++++++++++++++
 gnu/packages/ssh.scm |   2 +-
 gnu/services/ssh.scm | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 161 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 808fbdc..bcd8b6b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8199,6 +8199,40 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
+@deffn {Scheme Procedure} openssh-service [#:pidfile "/var/run/sshd.pid"] @
+       [#:port-number 22] [#:permit-root-login 'without-password] @
+       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
+       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
+       [#:x11-forwarding? #f] [#:protocol-number "2"]
+"Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be either 1 or 2.
+
+@var{permit-root-login} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work.
+
+@end deffn
+
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index b2612a4..88bfd06 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -144,7 +144,7 @@ a server that supports the SSH-2 protocol.")
              ("xauth" ,xauth)))                   ;for 'ssh -X' and 'ssh -Y'
    (arguments
     `(#:test-target "tests"
-      #:configure-flags '("--sysconfdir=/etc"
+      #:configure-flags '("--sysconfdir=/etc/ssh"
 
                           ;; Default value of 'PATH' used by sshd.
                           "--with-default-path=/run/current-system/profile/bin"
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 462988c..5484463 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -19,9 +19,11 @@
 
 (define-module (gnu services ssh)
   #:use-module (gnu packages ssh)
+  #:use-module (gnu packages admin)
   #:use-module (gnu services)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system pam)
+  #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (srfi srfi-26)
@@ -30,6 +32,11 @@
             lsh-service
             lsh-service-type
 
+            openssh-configuration
+            openssh-configuration?
+            openssh-service-type
+            openssh-service
+
             dropbear-configuration
             dropbear-configuration?
             dropbear-service-type
@@ -244,7 +251,125 @@ The other options should be self-descriptive."
                                public-key-authentication?)
                               (initialize? initialize?))))
 
-\f
+;;;
+;;; OpenSSH.
+;;;
+
+(define-record-type* <openssh-configuration>
+  openssh-configuration make-openssh-configuration
+  openssh-configuration?
+  (pidfile               openssh-configuration-pidfile)
+  (port-number           openssh-configuration-port-number)
+  (permit-root-login?    openssh-configuration-permit-root-login)
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?)
+  (password-authentication? openssh-configuration-password-authentication?)
+  (pubkey-authentication? openssh-configuration-pubkey-authentication?)
+  (rsa-authentication?   openssh-configuration-rsa-authentication?)
+  (x11-forwarding?       openssh-configuration-x11-forwarding?)
+  (protocol-number       openssh-configuration-protocol-number))
+
+(define %openssh-accounts
+  (list (user-group (name "sshd") (system? #t))
+        (user-account
+          (name "sshd")
+          (group "sshd")
+          (system? #t)
+          (comment "sshd privilege separation user")
+          (home-directory "/var/run/sshd")
+          (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define (openssh-activation config)
+  "Return the activation GEXP for CONFIG."
+  #~(begin
+      (mkdir-p "/etc/ssh")
+      (mkdir-p (basename #$(openssh-configuration-pidfile config)))
+      (system* (string-append #$openssh "/bin/ssh-keygen") "-A")
+      (call-with-output-file "/etc/ssh/sshd_config"
+         (lambda (port)
+           (display
+             "# Generated by 'openssh-service'.\n"
+             port)
+           (format port "Protocol ~a\n"
+              #$(if (eq? (openssh-configuration-protocol-number config) 1)
+                     "1" "2"))
+           (format port "Port ~a\n" 
+              #$(number->string (openssh-configuration-port-number config)))
+           (format port "PermitRootLogin ~a\n"
+              #$(if (eq? (openssh-configuration-permit-root-login config) #t)
+                    "yes" (if (eq?
+                              (openssh-configuration-permit-root-login config)
+                               #f)
+                               "no" "without-password")))
+           (format port "PermitEmptyPasswords ~a\n"
+              #$(if (openssh-configuration-allow-empty-passwords? config)
+                    "yes" "no"))
+           (format port "PasswordAuthentication ~a\n"
+              #$(if (openssh-configuration-password-authentication? config)
+                    "yes" "no"))
+           (format port "PubkeyAuthentication ~a\n"
+              #$(if (openssh-configuration-pubkey-authentication? config)
+                    "yes" "no"))
+           (format port "RSAAuthentication ~a\n"
+              #$(if (openssh-configuration-rsa-authentication? config)
+                    "yes" "no"))
+           (format port "X11Forwarding ~a\n"
+              #$(if (openssh-configuration-x11-forwarding? config)
+                    "yes" "no"))
+           (format port "PidFile ~a\n"
+              #$(openssh-configuration-pidfile config))))))
+
+(define (openssh-shepherd-service config)
+  "Return a <shepherd-service> for openssh with CONFIG."
+
+  (define pid-file
+    (openssh-configuration-pidfile config))
+
+  (define openssh-command
+    #~(list (string-append #$openssh "/sbin/sshd")
+            "-D"))
+
+  (define requires
+        '(networking syslogd))
+
+  (list (shepherd-service
+         (documentation "Openssh SSH server.")
+         (requirement requires)
+         (provision '(ssh-daemon))
+         (start #~(make-forkexec-constructor #$openssh-command
+                                             #:pid-file #$pid-file))
+         (stop #~(make-kill-destructor)))))
+
+(define openssh-service-type
+  (service-type (name 'openssh)
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          openssh-shepherd-service)
+                       (service-extension activation-service-type
+                                          openssh-activation)
+                       (service-extension account-service-type
+                                          (const %openssh-accounts))))))
+
+(define* (openssh-service #:key 
+                          (pidfile "/var/run/sshd.pid")
+                          (port-number 22)
+                          (permit-root-login? 'without-password)
+                          (allow-empty-passwords? #f)
+                          (password-authentication? #t)
+                          (pubkey-authentication? #t)
+                          (rsa-authentication? #t)
+                          (x11-forwarding? #f)
+                          (protocol-number 2))
+  (service openssh-service-type (openssh-configuration (pidfile pidfile)
+                                 (port-number port-number)
+                                 (permit-root-login? permit-root-login?)
+                                 (allow-empty-passwords? allow-empty-passwords?)
+                                 (password-authentication? password-authentication?)
+                                 (pubkey-authentication? pubkey-authentication?)
+                                 (rsa-authentication? rsa-authentication?)
+                                 (x11-forwarding? x11-forwarding?)
+                                 (protocol-number protocol-number))))
+
+                                                                                
 ;;;
 ;;; Dropbear.
 ;;;
-- 
2.10.0


^ permalink raw reply related	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-09-26 16:42             ` Julien Lepiller
@ 2016-09-29 21:15               ` Ludovic Courtès
  2016-10-02 22:42                 ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2016-09-29 21:15 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

Hi Julien,

Julien Lepiller <julien@lepiller.eu> skribis:

> Sorry for the delay, here is a new version of the patch.
>
> Meanwhile, sysconfdir was set to /etc, but I changed this for /etc/ssh,
> because openssh looks for its configuration and other files (about 10)
> directly in sysconfdir, not a subdirectory. Also, I fixed a mistake in
> openssh-service (it was not following what the doc said).

[...]

> From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
> From: Julien Lepiller <julien@lepiller.eu>
> Date: Fri, 5 Aug 2016 15:20:15 +0200
> Subject: [PATCH] services: Add openssh
>
> * gnu/packages/ssh.scm: Openssh reads its configuration from /etc
> * gnu/services/ssh.scm: Add openssh-service
> * doc/guix.texi (Networking Services): Document 'openssh-services'.

Pushed as 071fbb42a6e2dcdfd566cba9525e6ae6a4dfdc7d with a few changes.
In particular, I changed the config file to be passed as a command-line
option rather than added to /etc/ssh (this is generally preferable.)

Eventually I’d like to document and expose of ‘openssh-configuration’.

Thanks!

Ludo’.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-09-29 21:15               ` Ludovic Courtès
@ 2016-10-02 22:42                 ` Ludovic Courtès
  2016-10-03 16:01                   ` Ludovic Courtès
  0 siblings, 1 reply; 12+ messages in thread
From: Ludovic Courtès @ 2016-10-02 22:42 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> Julien Lepiller <julien@lepiller.eu> skribis:

[...]

>> From cf879a47c8f9b0733fac906cd4bd28dc646aa9fb Mon Sep 17 00:00:00 2001
>> From: Julien Lepiller <julien@lepiller.eu>
>> Date: Fri, 5 Aug 2016 15:20:15 +0200
>> Subject: [PATCH] services: Add openssh
>>
>> * gnu/packages/ssh.scm: Openssh reads its configuration from /etc
>> * gnu/services/ssh.scm: Add openssh-service
>> * doc/guix.texi (Networking Services): Document 'openssh-services'.
>
> Pushed as 071fbb42a6e2dcdfd566cba9525e6ae6a4dfdc7d with a few changes.
> In particular, I changed the config file to be passed as a command-line
> option rather than added to /etc/ssh (this is generally preferable.)
>
> Eventually I’d like to document and expose of ‘openssh-configuration’.

Done in d8f3128119d32bcc186c8a1fe15b037bba25b4b8, let me know what you
think!

I also added a basic system test in
d5b0c9024ed174907aed4816b2607ada814a035c.  It makes sure that sshd is
started and that we can connect to it as root with an empty password, as
specified in the system config.

Ludo’.

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [PATCH] openssh service
  2016-10-02 22:42                 ` Ludovic Courtès
@ 2016-10-03 16:01                   ` Ludovic Courtès
  0 siblings, 0 replies; 12+ messages in thread
From: Ludovic Courtès @ 2016-10-03 16:01 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) skribis:

> I also added a basic system test in
> d5b0c9024ed174907aed4816b2607ada814a035c.  It makes sure that sshd is
> started and that we can connect to it as root with an empty password, as
> specified in the system config.

Commit 2b4363891c70bbf641bff8ff0a6fb7526babd5b9 extends the test for
Dropbear.  :-)

(lshd is harder to test because it needs keyboard input to generate the
seed, or we’d need to provide it with a dummy seed or something.)

Ludo’.

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2016-10-03 16:01 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-08-05 12:18 [PATCH] openssh service Julien Lepiller
2016-08-05 13:47 ` Andy Wingo
2016-08-05 14:20   ` Julien Lepiller
2016-08-19 14:03     ` Julien Lepiller
2016-08-19 14:15       ` Vincent Legoll
2016-08-19 14:31         ` Julien Lepiller
2016-08-26 10:51           ` Andy Wingo
2016-09-26 16:42             ` Julien Lepiller
2016-09-29 21:15               ` Ludovic Courtès
2016-10-02 22:42                 ` Ludovic Courtès
2016-10-03 16:01                   ` Ludovic Courtès
2016-08-29 15:06           ` Ludovic Courtès

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.