Received: (at 26696) by debbugs.gnu.org; 30 Apr 2017 19:53:13 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Apr 30 15:53:13 2017
Received: from localhost ([127.0.0.1]:48091 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1d4uu9-0001QC-1z
for submit <at> debbugs.gnu.org; Sun, 30 Apr 2017 15:53:13 -0400
Received: from mail-pf0-f172.google.com ([209.85.192.172]:35151)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <cmmarusich@HIDDEN>) id 1d4uu6-0001Py-Hk
for 26696 <at> debbugs.gnu.org; Sun, 30 Apr 2017 15:53:10 -0400
Received: by mail-pf0-f172.google.com with SMTP id v14so67870813pfd.2
for <26696 <at> debbugs.gnu.org>; Sun, 30 Apr 2017 12:53:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=from:to:cc:subject:references:date:in-reply-to:message-id
:user-agent:mime-version;
bh=p0SsiXwQEGQpzvF2jD8Wim5AOlfU5vOgs0b1GdTSVLo=;
b=sOmqYKE7UDRpsJdzTpNEYe+/uw9jduzenizG7R/goWlVDE2Qn5kNWGeZwx6qnjc8MQ
J92pdPMnBZDOYccKK/PubMxLihSkPt1JFR6A2EmA3eTlfF51TzfLttmdzSNDVDL2+Vpm
py2efnmks9/0CiSwNLvBDHIi/klOxAVrENX9VYuJKZmhZPdjlMWq/wD+vWNOCMYs7gp4
9lZbn0WJEfHpdQmgwUnLMdUAdHwy8yT065HWnCl2z1G/twNf3ZUagxa7ygxPYWDZnNHb
vWoP6J257OyFGu6V6/IB4UVHWvl0Y3QUCfGyshQxrDneWb0qp7Xep0prG1pbZtDkG6hE
E+Pw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
:message-id:user-agent:mime-version;
bh=p0SsiXwQEGQpzvF2jD8Wim5AOlfU5vOgs0b1GdTSVLo=;
b=uJ4HxPo6yzqsJlpnkUA8Uvku/GZ7He4IBaMmh22zoeVm2b15ZIOnI+llHqRmAvZnan
W6/pc2OweQUjbOiFKFXvq/gNX6nrp9hSktPMhMVABX3w/7vOy5HgAKEV6XlnsRHDqABs
Mgi8fgziqWzYUO41ii59xCwaoDrJ6XY+Xt5AmJfw74q3iX6nhhpBVH+uMSCBZQI7/Xjh
7Ii6idj/AUSFkZvE7jmkuXMW/KW8RGNEeVP9FC6VkNl603ZYgUwhd4DHEdrOW6slihr5
RjF2ovfaHKI3IZsaAlCA9tFH5U2z0sC3c/plUb7ZyE/XDtLitikwJd8bDqJEbYvxVLsj
OMAQ==
X-Gm-Message-State: AN3rC/7CLOV63KXDZ1HPeI67g9Lo74CX2+Ov15Btxr/5Oej2J36TVxcD
BslkrW0MnWIbHg==
X-Received: by 10.98.93.147 with SMTP id n19mr23046458pfj.226.1493581984345;
Sun, 30 Apr 2017 12:53:04 -0700 (PDT)
Received: from garuda (c-24-18-189-215.hsd1.wa.comcast.net. [24.18.189.215])
by smtp.gmail.com with ESMTPSA id o124sm18987009pfb.92.2017.04.30.12.53.03
(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
Sun, 30 Apr 2017 12:53:03 -0700 (PDT)
From: Chris Marusich <cmmarusich@HIDDEN>
To: Christopher Allan Webber <cwebber@HIDDEN>
Subject: Re: bug#26696: openssh: root 'without-password &
password-authentication #f both breaks service
References: <87h918twir.fsf@HIDDEN>
Date: Sun, 30 Apr 2017 12:53:02 -0700
In-Reply-To: <87h918twir.fsf@HIDDEN> (Christopher Allan Webber's
message of "Fri, 28 Apr 2017 09:52:12 -0500")
Message-ID: <87vaplfza9.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha256; protocol="application/pgp-signature"
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 26696
Cc: 26696 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.3 (--)
--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable
Christopher Allan Webber <cwebber@HIDDEN> writes:
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
> #$(match (openssh-configuration-permit-root-login con=
fig)
> (#t "yes")
> (#f "no")
> - ('without-password "without-password")))
> + ('without-password
> + ;; If we've already disabled password-authentica=
tion, this
> + ;; is redundant, and even stops the openssh serv=
er from
> + ;; starting up
> + (if (openssh-configuration-password-authenticati=
on? config)
> + "without-password"
> + "yes"))))
> (format port "PermitEmptyPasswords ~a\n"
> #$(if (openssh-configuration-allow-empty-passwords? c=
onfig)
> "yes" "no"))
> #+END_SRC
>
Would it be better to fail with an error here? I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.
However, if this special case is clearly documented in the Guix manual,
then I'd be less off-put by it.
=2D-=20
Chris
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlkGQJ4ACgkQ3UCaFdgi
Rp2Y+A//b6Sqlb/akpsYc84dJGG3QDRYFA1pk9qW3s6h1zlta9J/7ELkQqTdFtYV
ML07HpKc/kfkU1wnBENyJamHFBgbB7KTmqXOuJvBbR1yH6jda1PwiSO1Z4bnvDa2
Bo5ZN1tUZV5S10xd+R3D0zsSDRsRqwf8QEnrQxAaCg/4V6zsfc0CelgZnBnmKbUM
JL9Sp5rYg2BPgI5cjHjzQ345LyX4E62r66cwNOtRbwVae9gD88wYbLBaEI1OLBuS
M8ZFDQXgbHRpAWZwveKSBGqmgxwrQytOqTMG0LM77AkYyOnjIjJfpJlBGmnTFqdf
xLml6cmWa2B/1XM4o/wS73B9WtfoomzmTyKDgrY4Bx2csKNCgAMzix9iG5P2Ex/q
nv9WOytmb6o24MJbGtbzPYxGdMEc9aA0YXCxU0hkY8tB6PhaiP5xAPM/yTh1J7I9
a3lj/OTXcTlMhL0tuzTVJcRf+gRhB9+0rQdI3bwOdyCJeXf6m6Vh6UGG9FhOOk7k
qsz6NQ2YMokEBUZvaA0TfkhwfRpRr1ilnIL+1jVZot5oW2GTzPYWJzPTKCcQVff2
JKezJm8+/PU+vNmGlm1PNn1Q3rq1oxpIwnHyqla0osR745YrMFnchebvJTkHC7H2
3FfiQyWD2sF4ZkdNFf3+aclfLbyeSk003kVWMrwcm3Zs6+X6KAo=
=DUuQ
-----END PGP SIGNATURE-----
--=-=-=--
bug-guix@HIDDEN:bug#26696; Package guix.
Full text available.Received: (at 26696) by debbugs.gnu.org; 28 Apr 2017 19:29:48 +0000 From debbugs-submit-bounces <at> debbugs.gnu.org Fri Apr 28 15:29:48 2017 Received: from localhost ([127.0.0.1]:45058 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>) id 1d4BaN-00082e-3t for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 15:29:48 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:37217) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <leo@HIDDEN>) id 1d4BaL-00082X-Po for 26696 <at> debbugs.gnu.org; Fri, 28 Apr 2017 15:29:46 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B080A207AA; Fri, 28 Apr 2017 15:29:45 -0400 (EDT) Received: from frontend2 ([10.202.2.161]) by compute4.internal (MEProxy); Fri, 28 Apr 2017 15:29:45 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=cc:content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=u5ypr0OAujVdPyfv1Ep3/LVUz00xPe9ED1D/UN pnGBc=; b=Endm3refnvo4lnCYoGUGbhsxb+jI2X8FA+bHWi52hY1LPhPnz4bOx0 q48M8IIBglbveL+hLTCWhoopDcGCE8Z0lS0WLizUqBpYHduI5pAebQhSHGAbJhQa Is1qan2AO8ar4KMvl96VppBB+HzlKPeaQHCIZ5xYxpki/zNTH6N0U= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc:x-sasl-enc; s=fm1; bh=u5ypr0OAujVdPyfv1E p3/LVUz00xPe9ED1D/UNpnGBc=; b=LTSfQR+p+A8Ivhy8jdAq9+f+idXDWLEJoe IEYxrbM3cRZwqyFU1tvAe8ymZxZG0YwNK8TK7YEh5pRJj4N6opc0lmSxOHafWt+z WDfNopMXfTCuiO1Q/32kSIKp6ycA2rm6nothIWwIi274JocWZ+F5PhZ7hCYMDO4s kjY11V90Maf4OyteUGUo3t9/AiG6YJcvZ8KbmfBI95eDWY4UeK5EvQS+IOaofwie wlxJLUoCmJYN1YpfElDpXGvA8nIXW6WLmVb2oGbCc7/DgZON/Rmk2eBWEdSk95Ge ONiGV1Qhq9XxHhTgOLIS79LtSvD/OWf/o/G5RjJpoa4G8P2QJ1Lw== X-ME-Sender: <xms:KZgDWSBnXPgkkkuzy0j0EXaDoz77N4byfSblYazczLqbEqBqdxChWA> X-Sasl-enc: DhEB+wTIB+XpY5d5P0ko3vIQkOtXb59AuCGL3EP6WAep 1493407785 Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70]) by mail.messagingengine.com (Postfix) with ESMTPA id 70613246D1; Fri, 28 Apr 2017 15:29:45 -0400 (EDT) Date: Fri, 28 Apr 2017 15:29:44 -0400 From: Leo Famulari <leo@HIDDEN> To: Christopher Allan Webber <cwebber@HIDDEN> Subject: Re: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service Message-ID: <20170428192944.GC6736@jasmine> References: <87h918twir.fsf@HIDDEN> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="9Ek0hoCL9XbhcSqy" Content-Disposition: inline In-Reply-To: <87h918twir.fsf@HIDDEN> User-Agent: Mutt/1.8.2 (2017-04-18) X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 26696 Cc: 26696 <at> debbugs.gnu.org X-BeenThere: debbugs-submit <at> debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: <debbugs-submit.debbugs.gnu.org> List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe> List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/> List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org> List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help> List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe> Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org> X-Spam-Score: -0.7 (/) --9Ek0hoCL9XbhcSqy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote: > I wanted to permit root logins but only permit public key authentication > in my openssh configuration. This was my original assumption of how to > do it: >=20 > (service openssh-service-type > (openssh-configuration > (permit-root-login 'without-password) > (password-authentication? #f))) >=20 > However, for whatever reason, openssh fails to start with this > combination. However, it turns out this is redundant, since the > configuration is already only permitting with public key authentication. Do you still have the generated sshd_config files handy, so we can compare them and figure out what's broken? --9Ek0hoCL9XbhcSqy Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlkDmCgACgkQJkb6MLrK fwiskA/8DjrhL0/mHJRPkM3ZNbS7hKo0622AtkrIrFTJ5usS3veIA6fahihqEDve RaHAMFrq2Muns/TuQVzqgiQVZjbIStef1sGbn/z90kP61XWX2N0+X2xBcsxso24+ CAjrKqjuZ90WrbeOEksN8fweqh/xguWtqCrnf1z/dUmM/pyNU7zmc1QYLnGV0Shw X+yMDNIN80qYpOkAbtE+qpU2WR6X86oCh5eja31jeMaENJV0Bz13rk3HUd92AzHC JBnnzenT+mWG5F3SwYUtzwYxFKPndNHVE+lleSbpTwKmyTwV9+lFtl/KRUp2qOEW WJRfYm+mWhW3lOuu1XAD1LIEtV4WF+G/JvTrPY1k0FJ7knSqI0ggZ32BtbdZRV28 GxxoE43Q4hTSfTsnBfg+X62+ej0Vzp4fwIFqQg/IUUzU8XtnKhDUvAEihQ7B1suW KN0IxrC9NLah2/UzyJOtdYe8q2RhZRmwZ2lXJi28XRPhEi4l8aQR+QG2x4kWqA6z SRMuqNpiwwcGVqjccVUdPZCdnaiLDHVHam1R09x2PvJmDA3txXhdEVNZWBKsdE1W 3nRZBWovZRH8e6N+El41AecwLqUQCsgoQKa+w142BmpTxKxhspHkIYXv/4991BMq v/LPE5XJLNRXaPuLOehto+cW7ze7JDSW/ZcxplAwdKMU2QHB8Vc= =oTHR -----END PGP SIGNATURE----- --9Ek0hoCL9XbhcSqy--
bug-guix@HIDDEN:bug#26696; Package guix.
Full text available.
Received: (at submit) by debbugs.gnu.org; 28 Apr 2017 14:52:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Apr 28 10:52:29 2017
Received: from localhost ([127.0.0.1]:44845 helo=debbugs.gnu.org)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
id 1d47G1-0007oX-3h
for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:52:29 -0400
Received: from eggs.gnu.org ([208.118.235.92]:60579)
by debbugs.gnu.org with esmtp (Exim 4.84_2)
(envelope-from <cwebber@HIDDEN>) id 1d47Fz-0007oL-D1
for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:52:27 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <cwebber@HIDDEN>) id 1d47Ft-0003fj-5t
for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:52:22 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level:
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50 autolearn=disabled
version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:34622)
by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
(Exim 4.71) (envelope-from <cwebber@HIDDEN>)
id 1d47Ft-0003fX-29
for submit <at> debbugs.gnu.org; Fri, 28 Apr 2017 10:52:21 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51539)
by lists.gnu.org with esmtp (Exim 4.71)
(envelope-from <cwebber@HIDDEN>) id 1d47Fr-0000pp-TC
for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:52:20 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
(envelope-from <cwebber@HIDDEN>) id 1d47Fo-0003eM-QT
for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:52:19 -0400
Received: from dustycloud.org ([50.116.34.160]:60790)
by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
(Exim 4.71) (envelope-from <cwebber@HIDDEN>)
id 1d47Fo-0003ds-L7
for bug-guix@HIDDEN; Fri, 28 Apr 2017 10:52:16 -0400
Received: from oolong (localhost [127.0.0.1])
by dustycloud.org (Postfix) with ESMTPS id 724B426632
for <bug-guix@HIDDEN>; Fri, 28 Apr 2017 10:52:12 -0400 (EDT)
User-agent: mu4e 0.9.18; emacs 25.2.1
From: Christopher Allan Webber <cwebber@HIDDEN>
To: bug-guix@HIDDEN
Subject: openssh: root 'without-password & password-authentication #f both
breaks service
Date: Fri, 28 Apr 2017 09:52:12 -0500
Message-ID: <87h918twir.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
[fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -4.0 (----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
<mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -4.0 (----)
I wanted to permit root logins but only permit public key authentication
in my openssh configuration. This was my original assumption of how to
do it:
(service openssh-service-type
(openssh-configuration
(permit-root-login 'without-password)
(password-authentication? #f)))
However, for whatever reason, openssh fails to start with this
combination. However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.
(service openssh-service-type
(openssh-configuration
(permit-root-login #t)
(password-authentication? #f)))
This route is sufficient.
However maybe we should prevent people from accidentally causing openssh
to not start. Here's a suggested route... though I haven't tested it:
#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
#$(match (openssh-configuration-permit-root-login config)
(#t "yes")
(#f "no")
- ('without-password "without-password")))
+ ('without-password
+ ;; If we've already disabled password-authentication, this
+ ;; is redundant, and even stops the openssh server from
+ ;; starting up
+ (if (openssh-configuration-password-authentication? config)
+ "without-password"
+ "yes"))))
(format port "PermitEmptyPasswords ~a\n"
#$(if (openssh-configuration-allow-empty-passwords? config)
"yes" "no"))
#+END_SRC
Christopher Allan Webber <cwebber@HIDDEN>:bug-guix@HIDDEN.
Full text available.bug-guix@HIDDEN:bug#26696; Package guix.
Full text available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997 nCipher Corporation Ltd,
1994-97 Ian Jackson.