GNU bug report logs - #62948
Using home-ssh-agent-configuration on Ubuntu breaks login


Package: guix;

Reported by: Janneke Nieuwenhuizen <janneke <at> gnu.org>

Date: Wed, 19 Apr 2023 16:29:02 UTC

Severity: normal

Tags: patch

Done: Janneke Nieuwenhuizen <janneke <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#62948; Package guix. (Wed, 19 Apr 2023 16:29:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 19 Apr 2023 16:29:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: Using home-ssh-agent-configuration on Ubuntu breaks login
Date: Wed, 19 Apr 2023 18:28:16 +0200
Hi,

Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login.  I cannot access the logs and don't know what the
problem might be.

When, after running `guix home reconfigure', you do something like:

--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---
    
key-based login succeeds.

A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone.  However, when using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys '())))
--8<---------------cut here---------------end--------------->8---

any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file.  I don't see how that is useful, it certainly
breaks key-based login.

Using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---

yields a backtrace.

The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.

WDYT?

Greetings,
Janneke

[0001-home-services-ssh-Support-leaving-.ssh-authorized_ke.patch (text/x-patch, inline)]
From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
 alone.

The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file.  On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.

* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
 doc/guix.texi             |  8 +++++---
 gnu/home/services/ssh.scm | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time.
 Preparing this list can be relatively tedious though, which is why
 @code{*unspecified*} is kept as a default.
 
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
 
 Concretely, these files are concatenated and made available as
 @file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
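Review bot: the new paragraph does not say what an explicit `'()` does now that `#false` is the default. In the accompanying ssh.scm change only `#f` skips the file; an empty list still produces an empty `~/.ssh/authorized_keys`, which authorizes no keys, and that is exactly the case the report describes as breaking login. Suggest a sentence after the `#false` description such as: "An empty list installs an empty file, which authorizes no keys." It would also help to state whether a symlink installed by a previous generation is removed or left in place once the field is `#false`, since "leave alone" reads as "unchanged" to someone upgrading from the old `'()` default.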
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* <home-openssh-configuration>
   home-openssh-configuration make-home-openssh-configuration
   home-openssh-configuration?
   (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
-                   (default '()))
+                   (default #f))
   (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of file-like
                    (default *unspecified*))
   (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
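Review bot: the trailing comment on the `authorized-keys` field, `;list of file-like`, is now wrong, since the default is `#f`. Update it to `;#f | list of file-like`, following the `;unspec | list of file-like` convention used on the `known-hosts` field two lines below.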
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
                                      '#$files)))))))
 
 (define (openssh-configuration-files config)
-  (let ((config (plain-file "ssh.conf"
-                            (openssh-configuration->string config)))
-        (known-hosts (home-openssh-configuration-known-hosts config))
-        (authorized-keys (file-join
-                          "authorized_keys"
-                          (home-openssh-configuration-authorized-keys config)
-                          "\n")))
-    `((".ssh/authorized_keys" ,authorized-keys)
+  (let* ((ssh-config (plain-file "ssh.conf"
+                                 (openssh-configuration->string config)))
+         (known-hosts (home-openssh-configuration-known-hosts config))
+         (authorized-keys (home-openssh-configuration-authorized-keys config))
+         (authorized-keys (and
+                           authorized-keys
+                           (file-join "authorized_keys" authorized-keys "\n"))))
+    `(,@(if authorized-keys
+            `((".ssh/authorized_keys" ,authorized-keys))
+            '())
       ,@(if (unspecified? known-hosts)
             '()
             `((".ssh/known_hosts"
                ,(file-join "known_hosts" known-hosts "\n"))))
-      (".ssh/config" ,config))))
+      (".ssh/config" ,ssh-config))))
 
 (define openssh-activation
   (with-imported-modules (source-module-closure
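Review bot: `(and authorized-keys (file-join ...))` only distinguishes `#f`; `'()` is truthy in Scheme, so `(authorized-keys '())` still registers an empty `.ssh/authorized_keys` that authorizes nothing. If that is intended (a deliberate way to disable key-based login to the account), it needs saying in the manual; if not, test with `(pair? authorized-keys)` instead. As a style point, the `let*` rebinds `authorized-keys` twice; naming the first binding `keys`, e.g. `(keys (home-openssh-configuration-authorized-keys config))` followed by `(authorized-keys (and keys (file-join "authorized_keys" keys "\n")))`, avoids the shadowing.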
-- 
2.39.2

-- 
Janneke Nieuwenhuizen <janneke <at> gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com

Information forwarded to ludo <at> gnu.org, bug-guix <at> gnu.org:
bug#62948; Package guix. (Sun, 23 Apr 2023 07:59:01 GMT) Full text and rfc822 format available.

Message #8 received at 62948 <at> debbugs.gnu.org (full text, mbox):

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: 62948 <at> debbugs.gnu.org
Subject: etc/teams.scm cc home
Date: Sun, 23 Apr 2023 09:58:32 +0200



Information forwarded to paren <at> disroot.org, bug-guix <at> gnu.org:
bug#62948; Package guix. (Tue, 25 Apr 2023 09:13:02 GMT) Full text and rfc822 format available.

Message #11 received at 62948 <at> debbugs.gnu.org (full text, mbox):

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: 62948 <at> debbugs.gnu.org
Subject: etc/team.scm cc home #2
Date: Tue, 25 Apr 2023 11:12:13 +0200
Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...




Information forwarded to andrew <at> trop.in, bug-guix <at> gnu.org:
bug#62948; Package guix. (Tue, 25 Apr 2023 09:13:02 GMT) Full text and rfc822 format available.

Message #14 received at 62948 <at> debbugs.gnu.org (full text, mbox):

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: 62948 <at> debbugs.gnu.org
Subject: etc/team.scm cc home #3
Date: Tue, 25 Apr 2023 11:12:49 +0200
Seems only one X-Debbugs-Cc header is honoured at a time, forgot them
initially...




Added tag(s) patch. Request was from Janneke Nieuwenhuizen <janneke <at> gnu.org> to control <at> debbugs.gnu.org. (Sat, 29 Apr 2023 07:24:02 GMT) Full text and rfc822 format available.

Reply sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>:
You have taken responsibility. (Wed, 24 May 2023 10:02:01 GMT) Full text and rfc822 format available.

Notification sent to Janneke Nieuwenhuizen <janneke <at> gnu.org>:
bug acknowledged by developer. (Wed, 24 May 2023 10:02:02 GMT) Full text and rfc822 format available.

Message #21 received at 62948-done <at> debbugs.gnu.org (full text, mbox):

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: 62948-done <at> debbugs.gnu.org
Subject: Re: bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
Date: Wed, 24 May 2023 12:00:49 +0200
Janneke Nieuwenhuizen writes:

> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login.  I cannot access the logs and don't know what the
> problem might be.

Pushed to master as c57693846c7c6586c6cd1b4e4002fe399e3a2c42

-- 
Janneke Nieuwenhuizen <janneke <at> gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com




Information forwarded to bug-guix <at> gnu.org:
bug#62948; Package guix. (Thu, 15 Jun 2023 02:53:02 GMT) Full text and rfc822 format available.

Message #24 received at 62948 <at> debbugs.gnu.org (full text, mbox):

From: Andrew Tropin <andrew <at> trop.in>
To: Janneke Nieuwenhuizen <janneke <at> gnu.org>, 62948 <at> debbugs.gnu.org
Subject: Re: bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login
Date: Thu, 15 Jun 2023 06:51:52 +0400
On 2023-04-19 18:28, Janneke Nieuwenhuizen wrote:

> Hi,
>
> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login.  I cannot access the logs and don't know what the
> problem might be.
>
> When, after running `guix home reconfigure', you do something like:
>
> --8<---------------cut here---------------start------------->8---
> mv .ssh/authorized_keys .ssh/authorized_keys-
> cat .ssh/authorized_keys- > .ssh/authorized_keys
> chmod 400 .ssh/authorized_keys
> --8<---------------cut here---------------end--------------->8---
>     
> key-based login succeeds.
>
> A workaround would be to have home-openssh-service-type leave
> ~/.ssh/authorized_keys alone.  However, when using
>
> --8<---------------cut here---------------start------------->8---
> (service
>   home-openssh-service-type
>   (home-openssh-configuration
>    (authorized-keys '())))
> --8<---------------cut here---------------end--------------->8---
>
> any existing ~/.ssh/authorized_keys file is removed and replaced by a
> symlink to an empty file.  I don't see how that is useful, it certainly
> breaks key-based login.
>
> Using
>
> --8<---------------cut here---------------start------------->8---
> (service
>   home-openssh-service-type
>   (home-openssh-configuration
>    (authorized-keys #f)))
> --8<---------------cut here---------------end--------------->8---
>
> yields a backtrace.
>
> The attached patch fixes that and allows using (authorized-keys #f),
> also making this the default.
>
> WDYT?

It makes perfect sense.

-- 
Best regards,
Andrew Tropin
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 13 Jul 2023 11:24:09 GMT) Full text and rfc822 format available.




GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.