GNU bug report logs - #67789
[PATCH] doc: Secure Shell: Add note about sshd and wrong permissions

Please note: This is a static page, with minimal formatting, updated once a day.

Package: guix-patches; Reported by: "zero@fedora" <shinyzero0@HIDDEN>; Keywords: moreinfo patch; dated Mon, 11 Dec 2023 23:37:01 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 67789 <at> debbugs.gnu.org:


Date: Fri, 15 Dec 2023 22:24:23 +0300
Message-Id: <CXP5IXYUT1EA.2VBTIL3Q5CK0P@fedora>
Subject: Re: [bug#67789] [PATCH] doc: Secure Shell: Add note about sshd and
 wrong permissions
From: "ShinyZero0" <shinyzero0@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>

On Thu Dec 14, 2023 at 4:43 PM MSK, Ludovic Courtès wrote:
> On my laptop permissions seem to be good:
>
> --8<---------------cut here---------------start------------->8---
> $ ls -ld ~/.ssh/authorized_keys
> lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
> $ ls -ld ~/.ssh
> drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
> $ ssh localhost uname
> Linux
> --8<---------------cut here---------------end--------------->8---
>
> Maybe there are cases when this is not the case, maybe when ~/.ssh does
> not exist prior to running ‘guix home reconfigure’?
>
> Thanks,
> Ludo’.

I'm using guix on a foreign (Fedora) distro, obviously I had ~/.ssh
directory with right permissions before replacing it with guix-generated
one. Maybe it's vice versa: the permissions are wrong when the ~/.ssh is
being replaced?
Honestly, I thought it's unfixable, like, can we change
the permissions of a symlink?
Oh, and I checked my permissions, and they are the same. Maybe the
problem is somewhere within my sshd?
Thanks,
Paul.
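
Added example, not part of the thread or of Guix: `ls -ld` on a symlink reports only the link's own mode, so this sketch resolves authorized_keys and walks every path component up to the home directory, approximating the ownership and mode check sshd applies under StrictModes. The function names and the constructed directory layout are assumptions, and it relies on GNU `stat -c` and `readlink -f`.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Needs GNU stat/readlink.

# is_safe PATH UID: owner is root or UID, and no group/other write bit.
is_safe() {
    owner=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$owner" = 0 ] || [ "$owner" = "$2" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]    # octal 022 = group-write | other-write
}

# check_keys FILE HOMEDIR UID: resolve symlinks, then test the file and each
# parent directory up to HOMEDIR (or /). Prints the first failing component.
check_keys() {
    p=$(readlink -f "$1") || return 1
    home=$(readlink -f "$2") || return 1
    [ -f "$p" ] || { echo "not a regular file: $p"; return 1; }
    while :; do
        is_safe "$p" "$3" || { echo "bad ownership or modes: $p"; return 1; }
        if [ "$p" = "$home" ] || [ "$p" = / ]; then return 0; fi
        p=$(dirname "$p")
    done
}

# Constructed layout (not the reporter's system): a 0700 ~/.ssh whose
# authorized_keys is a symlink into a group-writable directory.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/home/.ssh" "$t/store" || return 2
    chmod 700 "$t/home" "$t/home/.ssh"
    chmod 775 "$t/store"
    : > "$t/store/keys"
    chmod 644 "$t/store/keys"
    ln -s "$t/store/keys" "$t/home/.ssh/authorized_keys"
    ls -ld "$t/home/.ssh/authorized_keys"    # shows lrwxrwxrwx only
    check_keys "$t/home/.ssh/authorized_keys" "$t/home" "$(id -u)"
    rc=$?
    rm -rf "$t"
    return $rc
}

demo || echo "demo: rejected, as constructed"
```

To audit a real account, call `check_keys ~/.ssh/authorized_keys "$HOME" "$(id -u)"` and compare the reported component with what sshd logs on the server side.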




Information forwarded to guix-patches@HIDDEN:
bug#67789; Package guix-patches. Full text available.
Added tag(s) moreinfo. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 67789 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: "zero@fedora" <shinyzero0@HIDDEN>
Subject: Re: [bug#67789] [PATCH] doc: Secure Shell: Add note about sshd and
 wrong permissions
Date: Thu, 14 Dec 2023 14:43:30 +0100
Message-ID: <87le9wx5kt.fsf@HIDDEN>

Hello,

"zero@fedora" <shinyzero0@HIDDEN> skribis:

> * doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions

[...]

> +@quotation Note
> +Note that @command{sshd} will block any @command{ssh} connections to you=
 if
> +your files in @file{~/.ssh} have wrong permissions or ownership, as the =
ones
> +created by this service do. To fix that, you need to set @code{StrictMod=
es=3Dno}
> +in your @command{sshd} configuration
> +@end quotation

I think we’d rather fix the permissions of those files than document the
bug.

On my laptop permissions seem to be good:

--8<---------------cut here---------------start------------->8---
$ ls -ld ~/.ssh/authorized_keys
lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
$ ls -ld ~/.ssh
drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
$ ssh localhost uname
Linux
--8<---------------cut here---------------end--------------->8---

Maybe there are cases when this is not the case, maybe when ~/.ssh does
not exist prior to running ‘guix home reconfigure’?

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#67789; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: "zero@fedora" <shinyzero0@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] doc: Secure Shell: Add note about sshd and wrong permissions
Date: Tue, 12 Dec 2023 02:35:32 +0300
Message-ID: <20231211233532.63690-1-shinyzero0@HIDDEN>

* doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions
---
 doc/guix.texi | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 7dde9b727b..832fed3b97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -44306,6 +44306,13 @@ predictable fashion, almost independently of state on the local machine.
 To do that, you instantiate @code{home-openssh-service-type} in your
 Home configuration, as explained below.
 
+@quotation Note
+Note that @command{sshd} will block any @command{ssh} connections to you if
+your files in @file{~/.ssh} have wrong permissions or ownership, as the ones
+created by this service do. To fix that, you need to set @code{StrictModes=no}
+in your @command{sshd} configuration
+@end quotation
+
 @defvar home-openssh-service-type
 This is the type of the service to set up the OpenSSH client.  It takes
 care of several things:
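
Review bot: The added sentence "To fix that, you need to set @code{StrictModes=no}" recommends switching off sshd's check of file modes and ownership for the whole daemon as the remedy, while the same note attributes the wrong permissions to the files this service creates. Name which file or directory under @file{~/.ssh} ends up with the wrong mode or owner so that the service can be corrected, or at minimum state in the note that StrictModes=no removes that check for every account the server accepts logins for. Style: the body opens with "Note that" directly after "@quotation Note", and the last sentence ("in your @command{sshd} configuration") has no closing period.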
-- 
2.43.0





Acknowledgement sent to "zero@fedora" <shinyzero0@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#67789; Package guix-patches. Full text available.
Last modified: Sat, 20 Jan 2024 12:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.