GNU bug report logs - #62948
Using home-ssh-agent-configuration on Ubuntu breaks login
Reported by: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 19 Apr 2023 16:29:02 UTC
Severity: normal
Tags: patch
Done: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-guix <at> gnu.org: bug#62948; Package guix. (Wed, 19 Apr 2023 16:29:02 GMT)
Acknowledgement sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 19 Apr 2023 16:29:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi,
Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login. I cannot access the logs and don't know what the
problem might be.
When, after running `guix home reconfigure', you do something like:
--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---
key-based login succeeds.
A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone. However, when using
--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
    (authorized-keys '())))
--8<---------------cut here---------------end--------------->8---
any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file. I don't see how that is useful, it certainly
breaks key-based login.
Using
--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
    (authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---
yields a backtrace.
The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.
WDYT?
Greetings,
Janneke
[0001-home-services-ssh-Support-leaving-.ssh-authorized_ke.patch (text/x-patch, inline)]
From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
alone.
The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.
* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
doc/guix.texi | 8 +++++---
gnu/home/services/ssh.scm | 22 ++++++++++++----------
2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time.
Preparing this list can be relatively tedious though, which is why
@code{*unspecified*} is kept as a default.
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
Concretely, these files are concatenated and made available as
@file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is
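Review bot: the new text at `+list of file-like objects, each of which containing an SSH public key` carries over a grammatical slip from the removed lines; it should read `each of which contains an SSH public key`. While this paragraph is being rewritten, lower-case `Leave` after the colon in `+The default @code{#false} value means: Leave any`, and state what an empty list does, since the text now only distinguishes @code{#false} from a non-empty list and a reader cannot tell from it whether @code{'()} leaves the file alone or generates an empty one.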
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* <home-openssh-configuration>
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
(authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
- (default '()))
+ (default #f))
(known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
(default *unspecified*))
(hosts home-openssh-configuration-hosts ;list of <openssh-host>
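Review bot: the field comment `;list of file-like` on the `authorized-keys` line is no longer accurate once `+ (default #f))` lands, because `#f` is now the normal value. The neighbouring field already documents a two-valued type as `;unspec | list of file-like`; following that convention with `;#f | list of file-like` tells a reader of the record that `#f` is a legitimate setting rather than an uninitialised field.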
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
'#$files)))))))
(define (openssh-configuration-files config)
- (let ((config (plain-file "ssh.conf"
- (openssh-configuration->string config)))
- (known-hosts (home-openssh-configuration-known-hosts config))
- (authorized-keys (file-join
- "authorized_keys"
- (home-openssh-configuration-authorized-keys config)
- "\n")))
- `((".ssh/authorized_keys" ,authorized-keys)
+ (let* ((ssh-config (plain-file "ssh.conf"
+ (openssh-configuration->string config)))
+ (known-hosts (home-openssh-configuration-known-hosts config))
+ (authorized-keys (home-openssh-configuration-authorized-keys config))
+ (authorized-keys (and
+ authorized-keys
+ (file-join "authorized_keys" authorized-keys "\n"))))
+ `(,@(if authorized-keys
+ `((".ssh/authorized_keys" ,authorized-keys))
+ '())
,@(if (unspecified? known-hosts)
'()
`((".ssh/known_hosts"
,(file-join "known_hosts" known-hosts "\n"))))
- (".ssh/config" ,config))))
+ (".ssh/config" ,ssh-config))))
(define openssh-activation
(with-imported-modules (source-module-closure
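Review bot: in `+ (authorized-keys (and` ... `(file-join "authorized_keys" authorized-keys "\n"))))` the empty list `'()` is a true value in Scheme, so `(authorized-keys '())` still yields an empty `authorized_keys` that displaces whatever the user had, which is exactly the behaviour the report complains about. If "authorize nobody" is the intended meaning of `'()`, the manual text in the first hunk should say so; if not, guard with `(pair? authorized-keys)` instead of a bare truth test. Separately, binding `authorized-keys` twice in the same `let*` (first the raw field, then the joined file) works but reads like a copy-paste slip; a second name such as `authorized-keys-file` would make the `(if authorized-keys ...)` below unambiguous.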
--
2.39.2
--
Janneke Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
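The report shows that a regular, owner-only copy of the same key material logs in where the generated symlink does not, but does not say why sshd rejected the generated file. The script below is an added example (not code from the bug report or from Guix): it runs the checks that sshd's StrictModes setting, on by default, applies to a user's key file, so an operator can see which one a generated file trips. That StrictModes is what failed on Ubuntu 22.10 is an assumption; the script needs GNU coreutils for `stat -c` and `readlink -f`.

```shell
#!/bin/sh
# Added example, not from the bug report or Guix: report the conditions
# sshd's StrictModes (the default) applies to a user's key file: the
# *resolved* file and every directory above it, up to the home directory,
# must be owned by root or the user and must not be group/world-writable,
# and an empty file authorizes nobody. That this is what rejected the
# generated symlink on Ubuntu 22.10 is an assumption; the report is silent.
# Needs GNU coreutils (stat -c, readlink -f).

# writable_by_others PATH: succeeds if group or other has write permission
writable_by_others() {
  case $(stat -L -c %A "$1") in
    ?????w*|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# check_authorized_keys HOME: prints findings, succeeds only if all pass
check_authorized_keys() {
  home=$(readlink -f "$1")
  keys=$home/.ssh/authorized_keys
  rc=0
  [ -L "$keys" ] && echo "note: $keys -> $(readlink "$keys")"
  if [ ! -f "$keys" ]; then
    echo "fail: $keys missing or dangling symlink"
    return 1
  fi
  owner=$(stat -L -c %u "$keys")
  if [ "$owner" != 0 ] && [ "$owner" != "$(id -u)" ]; then
    echo "fail: $keys owned by uid $owner"; rc=1
  fi
  if writable_by_others "$keys"; then
    echo "fail: $keys is group/world-writable"; rc=1
  fi
  if [ ! -s "$keys" ]; then
    echo "fail: $keys is empty, so no key can match"; rc=1
  fi
  # walk the parents of the *resolved* target, stopping at home or /
  dir=$(dirname "$(readlink -f "$keys")")
  while :; do
    if writable_by_others "$dir"; then
      echo "fail: directory $dir is group/world-writable"; rc=1
    fi
    if [ "$dir" = "$home" ] || [ "$dir" = / ]; then break; fi
    dir=$(dirname "$dir")
  done
  return $rc
}

# usage: check_authorized_keys "$HOME"
```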
Information forwarded to ludo <at> gnu.org, bug-guix <at> gnu.org: bug#62948; Package guix. (Sun, 23 Apr 2023 07:59:01 GMT)
Message #8 received at 62948 <at> debbugs.gnu.org (full text, mbox):
Information forwarded to paren <at> disroot.org, bug-guix <at> gnu.org: bug#62948; Package guix. (Tue, 25 Apr 2023 09:13:02 GMT)
Message #11 received at 62948 <at> debbugs.gnu.org (full text, mbox):
Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...
Information forwarded to andrew <at> trop.in, bug-guix <at> gnu.org: bug#62948; Package guix. (Tue, 25 Apr 2023 09:13:02 GMT)
Message #14 received at 62948 <at> debbugs.gnu.org (full text, mbox):
Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...
Added tag(s) patch. Request was from Janneke Nieuwenhuizen <janneke <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 29 Apr 2023 07:24:02 GMT)
Reply sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: You have taken responsibility. (Wed, 24 May 2023 10:02:01 GMT)
Notification sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>: bug acknowledged by developer. (Wed, 24 May 2023 10:02:02 GMT)
Message #21 received at 62948-done <at> debbugs.gnu.org (full text, mbox):
Janneke Nieuwenhuizen writes:
> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login. I cannot access the logs and don't know what the
> problem might be.
Pushed to master as c57693846c7c6586c6cd1b4e4002fe399e3a2c42
--
Janneke Nieuwenhuizen <janneke <at> gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
Information forwarded to bug-guix <at> gnu.org: bug#62948; Package guix. (Thu, 15 Jun 2023 02:53:02 GMT)
Message #24 received at 62948 <at> debbugs.gnu.org (full text, mbox):
On 2023-04-19 18:28, Janneke Nieuwenhuizen wrote:
> Hi,
>
> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login. I cannot access the logs and don't know what the
> problem might be.
>
> When, after running `guix home reconfigure', you do something like:
>
> --8<---------------cut here---------------start------------->8---
> mv .ssh/authorized_keys .ssh/authorized_keys-
> cat .ssh/authorized_keys- > .ssh/authorized_keys
> chmod 400 .ssh/authorized_keys
> --8<---------------cut here---------------end--------------->8---
>
> key-based login succeeds.
>
> A workaround would be to have home-openssh-service-type leave
> ~/.ssh/authorized_keys alone. However, when using
>
> --8<---------------cut here---------------start------------->8---
> (service
> home-openssh-service-type
> (home-openssh-configuration
> (authorized-keys '())))
> --8<---------------cut here---------------end--------------->8---
>
> any existing ~/.ssh/authorized_keys file is removed and replaced by a
> symlink to an empty file. I don't see how that is useful, it certainly
> breaks key-based login.
>
> Using
>
> --8<---------------cut here---------------start------------->8---
> (service
> home-openssh-service-type
> (home-openssh-configuration
> (authorized-keys #f)))
> --8<---------------cut here---------------end--------------->8---
>
> yields a backtrace.
>
> The attached patch fixes that and allows using (authorized-keys #f),
> also making this the default.
>
> WDYT?
It makes perfect sense.
--
Best regards,
Andrew Tropin
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 13 Jul 2023 11:24:09 GMT)