GNU bug report logs

#26696 openssh: root 'without-password & password-authentication #f both breaks service


Report forwarded to bug-guix@gnu.org:
bug#26696; Package guix. (Fri, 28 Apr 2017 14:53:02 GMT)


Acknowledgement sent to Christopher Allan Webber <cwebber@dustycloud.org>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Fri, 28 Apr 2017 14:53:02 GMT)


Message #5 received at submit@debbugs.gnu.org:

From: Christopher Allan Webber <cwebber@dustycloud.org>
To: bug-guix@gnu.org
Subject: openssh: root 'without-password & password-authentication #f both breaks service
Date: Fri, 28 Apr 2017 09:52:12 -0500
I wanted to permit root logins but only permit public key authentication
in my openssh configuration.  This was my original assumption of how to
do it:

  (service openssh-service-type
          (openssh-configuration
           (permit-root-login 'without-password)
           (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this
combination.  However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.

  (service openssh-service-type
          (openssh-configuration
           (permit-root-login #t)
           (password-authentication? #f)))

This route is sufficient.

However maybe we should prevent people from accidentally causing openssh
to not start.  Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password
+                        ;; If we've already disabled password-authentication, this
+                        ;; is redundant, and even stops the openssh server from
+                        ;; starting up
+                        (if (openssh-configuration-password-authentication? config)
+                            "without-password"
+                            "yes"))))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
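Review bot: the new `'without-password` branch silently rewrites the requested value to `"yes"` whenever `password-authentication?` is `#f`, on the assumption in the inline comment that the two settings are redundant; they are not, because `PasswordAuthentication no` disables only the password method, while `PermitRootLogin without-password` also refuses root over keyboard-interactive (challenge-response) prompts, so the generated sshd_config ends up weaker than what the Scheme configuration asked for and no longer matches it. Since `"without-password"` is a value sshd accepts and the `match` clause itself is fine, the start-up failure needs diagnosing from the generated sshd_config rather than being rewritten away; if a substitution is kept at all, emit a warning or an error so it is visible to the user, and reword the comment, which asserts that the combination stops sshd without saying why.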
#+END_SRC
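The message above treats `PermitRootLogin yes` together with `PasswordAuthentication no` as equivalent to `without-password`. The audit helper below is an added example, not code from the report or from Guix: it reads an sshd_config text with sshd's first-match rule and reports whether root can still be authenticated with a password by any method, assuming OpenSSH 7.0+ defaults and no `Match` blocks; the two sample configurations are constructed for the comparison.

```shell
#!/bin/sh
# Added audit helper (not Guix code): does an sshd_config text leave root
# reachable with a password by any method? Assumes OpenSSH 7.0+ defaults
# and no Match blocks.

# Effective value of keyword $1 read from stdin; sshd uses the first
# occurrence, so later duplicates are ignored. $2 is the default when absent.
sshd_opt() {
  awk -v key="$1" -v def="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
    END { if (!found) print def }'
}

# Return 0 when root cannot log in with a password, either through the
# "password" method or through keyboard-interactive prompts; 1 otherwise.
root_password_login_blocked() {
  cfg=$1
  prl=$(printf '%s\n' "$cfg" | sshd_opt PermitRootLogin prohibit-password)
  pw=$(printf '%s\n' "$cfg" | sshd_opt PasswordAuthentication yes)
  # KbdInteractiveAuthentication is the current keyword; the legacy
  # ChallengeResponseAuthentication acts as its default (both default to yes).
  legacy=$(printf '%s\n' "$cfg" | sshd_opt ChallengeResponseAuthentication yes)
  kbd=$(printf '%s\n' "$cfg" | sshd_opt KbdInteractiveAuthentication "$legacy")
  case $prl in
    no|prohibit-password|without-password|forced-commands-only) return 0 ;;
    yes) [ "$pw" = no ] && [ "$kbd" = no ] && return 0; return 1 ;;
    *) return 1 ;;  # unknown value; sshd itself would reject this file
  esac
}

# Constructed samples: the setting requested in the bug report, and what the
# proposed patch would write into sshd_config in its place.
REQUESTED='PermitRootLogin without-password
PasswordAuthentication no'
PATCHED='PermitRootLogin yes
PasswordAuthentication no'

for name in REQUESTED PATCHED; do
  eval "cfg=\$$name"
  if root_password_login_blocked "$cfg"; then
    echo "$name: root password login blocked"
  else
    echo "$name: root can still be prompted for a password (keyboard-interactive)"
  fi
done
```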

Information forwarded to bug-guix@gnu.org:
bug#26696; Package guix. (Fri, 28 Apr 2017 19:30:03 GMT)


Message #8 received at 26696@debbugs.gnu.org:

From: Leo Famulari <leo@famulari.name>
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: 26696@debbugs.gnu.org
Subject: Re: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
Date: Fri, 28 Apr 2017 15:29:44 -0400
On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:
> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration.  This was my original assumption of how to
> do it:
> 
>   (service openssh-service-type
>           (openssh-configuration
>            (permit-root-login 'without-password)
>            (password-authentication? #f)))
> 
> However, for whatever reason, openssh fails to start with this
> combination.  However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.

Do you still have the generated sshd_config files handy, so we can
compare them and figure out what's broken?

Information forwarded to bug-guix@gnu.org:
bug#26696; Package guix. (Sun, 30 Apr 2017 19:54:01 GMT)


Message #11 received at 26696@debbugs.gnu.org:

From: Chris Marusich <cmmarusich@gmail.com>
To: Christopher Allan Webber <cwebber@dustycloud.org>
Cc: 26696@debbugs.gnu.org
Subject: Re: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
Date: Sun, 30 Apr 2017 12:53:02 -0700
Christopher Allan Webber <cwebber@dustycloud.org> writes:

> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
>                     #$(match (openssh-configuration-permit-root-login config)
>                         (#t "yes")
>                         (#f "no")
> -                       ('without-password "without-password")))
> +                       ('without-password
> +                        ;; If we've already disabled password-authentication, this
> +                        ;; is redundant, and even stops the openssh server from
> +                        ;; starting up
> +                        (if (openssh-configuration-password-authentication? config)
> +                            "without-password"
> +                            "yes"))))
>             (format port "PermitEmptyPasswords ~a\n"
>                     #$(if (openssh-configuration-allow-empty-passwords? config)
>                           "yes" "no"))
> #+END_SRC
>

Would it be better to fail with an error here?  I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.

However, if this special case is clearly documented in the Guix manual,
then I'd be less put off by it.

-- 
Chris


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Wed Apr 16 04:22:01 2025; Machine Name: wallace-server
