From: Christopher Allan Webber
To: bug-guix@gnu.org
Subject: openssh: root 'without-password & password-authentication #f both breaks service
Date: Fri, 28 Apr 2017 09:52:12 -0500
Message-ID: <87h918twir.fsf@dustycloud.org>

I wanted to permit root logins but only permit public key authentication
in my openssh configuration.  This was my original assumption of how to
do it:

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login 'without-password)
            (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this
combination.  However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login #t)
            (password-authentication? #f)))

This route is sufficient.  However maybe we should prevent people from
accidentally causing openssh to not start.  Here's a suggested route...
though I haven't tested it:

#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9917c311c..f1f2ab3dc 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive." #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no") - ('without-password "without-password"))) + ('without-password + ;; If we've already disabled password-authentication, this + ;; is redundant, and even stops the openssh server from + ;; starting up + (if (openssh-configuration-password-authentication? config) + "without-password" + "yes")))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no")) #+END_SRC
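Review bot: the new `'without-password` clause rewrites a valid, stricter sshd_config value into a more permissive one, and the justification in its comment (that the combination "stops the openssh server from starting up") is not established by the patch: `PermitRootLogin without-password` together with `PasswordAuthentication no` is a legal sshd_config, and the report itself says the failure is unexplained and the change untested. Before touching the mapping, reproduce the failure with `sshd -t -f <generated-file>` and attach the message it prints; the real cause is likely elsewhere in the rendered configuration. If a rewrite is still wanted it should not go in this direction: `without-password` is strictly more restrictive than `yes` (it also disables keyboard-interactive authentication for root, which `PasswordAuthentication no` on its own does not), so emitting `"yes"` here widens what root may do whenever challenge-response authentication is enabled. Keep `('without-password "without-password")` as it was, and instead note in the `permit-root-login` documentation that `password-authentication? #f` is not a substitute for it.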
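The two configurations from the report, as an added example that is not part of the bug report or of Guix's gnu/services/ssh.scm: a small Guile script that renders the relevant sshd_config lines the way the `match` expression above does, then works out which authentication methods sshd would still offer the root account. It assumes the semantics documented in sshd_config(5): `PermitRootLogin without-password` disables both password and keyboard-interactive authentication for root, `PasswordAuthentication no` disables only the password method, and keyboard-interactive is governed by `ChallengeResponseAuthentication`; public-key authentication is assumed enabled (the sshd default). The `<ssh-opts>` record, its accessors and the function names are illustrative stand-ins, not Guix's `openssh-configuration` API.

```scheme
;; Added example; not code from the bug report or from Guix.
;; Models sshd_config(5) semantics for the root account (assumption:
;;   PermitRootLogin without-password  -> no password, no keyboard-interactive
;;   PasswordAuthentication no         -> no password method only
;;   ChallengeResponseAuthentication   -> controls keyboard-interactive
;;   PubkeyAuthentication              -> left at its default, yes).
;; <ssh-opts> and its accessors are stand-ins for openssh-configuration.
(use-modules (srfi srfi-9) (ice-9 match) (ice-9 format))

(define-record-type <ssh-opts>
  (make-ssh-opts permit-root-login password-authentication? challenge-response?)
  ssh-opts?
  (permit-root-login ssh-opts-permit-root-login)            ; #t | #f | 'without-password
  (password-authentication? ssh-opts-password-authentication?)
  (challenge-response? ssh-opts-challenge-response?))

(define (render-sshd-config opts)
  "Render the three sshd_config lines that matter here.  The mapping of
PERMIT-ROOT-LOGIN is the one from gnu/services/ssh.scm before the patch:
the user's choice is emitted verbatim, never rewritten."
  (format #f "  PermitRootLogin ~a~%  PasswordAuthentication ~a~%  ChallengeResponseAuthentication ~a~%"
          (match (ssh-opts-permit-root-login opts)
            (#t "yes")
            (#f "no")
            ('without-password "without-password"))
          (if (ssh-opts-password-authentication? opts) "yes" "no")
          (if (ssh-opts-challenge-response? opts) "yes" "no")))

(define (root-auth-methods opts)
  "List the authentication methods sshd would still offer to root under OPTS."
  (match (ssh-opts-permit-root-login opts)
    (#f '())                                   ; root cannot log in at all
    ('without-password '(publickey))           ; password AND kbd-interactive off
    (#t (append '(publickey)
                (if (ssh-opts-password-authentication? opts) '(password) '())
                (if (ssh-opts-challenge-response? opts) '(keyboard-interactive) '())))))

;; Constructed cases: the reporter's original intent, the workaround they
;; settled on, and both again with challenge-response (PAM) switched on.
(define cases
  `(("reported: without-password, PasswordAuthentication no"
     . ,(make-ssh-opts 'without-password #f #f))
    ("workaround: yes, PasswordAuthentication no"
     . ,(make-ssh-opts #t #f #f))
    ("workaround with ChallengeResponseAuthentication yes"
     . ,(make-ssh-opts #t #f #t))
    ("without-password with ChallengeResponseAuthentication yes"
     . ,(make-ssh-opts 'without-password #f #t))))

(for-each (match-lambda
            ((name . opts)
             (format #t "~a~%~a  root may authenticate with: ~s~%~%"
                     name (render-sshd-config opts) (root-auth-methods opts))))
          cases)
```

Run it with `guile example.scm`. The first two cases both yield `(publickey)`, which is why the two configurations in the report look interchangeable; the third and fourth show the equivalence breaking as soon as challenge-response authentication is enabled, with `(publickey keyboard-interactive)` for the workaround but still `(publickey)` for `'without-password`. That is the reason to keep the stricter value rather than rewrite it to `"yes"`.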