Add an internal SFTP server to the OpenSSH service.

  • Done
Details
4 participants
  • Clément Lassieur
  • Leo Famulari
  • Ludovic Courtès
  • Marius Bakke
Owner
unassigned
Submitted by
Clément Lassieur
Severity
normal
Clément Lassieur wrote on 19 Mar 2017 17:32
(address . guix-patches@gnu.org)
87wpbl1b3m.fsf@lassieur.org
The goal of this patchset is to add a 'subsystems' field to
<openssh-configuration>, whose default value would be an internal SFTP
server.

I also added a test for this SFTP server, as asked by Ludovic. For this
test, I needed to abstract the session connection and authentication
stuff: I took inspiration from the Guile-SSH tests.

Previous thread was:

Comments are welcome :)
Clément
Clément Lassieur wrote on 19 Mar 2017 17:35
[PATCH 1/4] services: openssh: Cosmetic changes.
(address . 26173@debbugs.gnu.org)
20170319163507.3583-1-clement@lassieur.org
* gnu/services/ssh.scm (<openssh-configuration>): Reformat to fit in 80
columns.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/services/ssh.scm | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index d8a3ad35a..6272d53fc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -260,28 +260,39 @@ The other options should be self-descriptive."
(define-record-type* <openssh-configuration>
openssh-configuration make-openssh-configuration
openssh-configuration?
- (openssh openssh-configuration-openssh ;package
+ ;; <package>
+ (openssh openssh-configuration-openssh
(default openssh))
+ ;; string
(pid-file openssh-configuration-pid-file
(default "/var/run/sshd.pid"))
- (port-number openssh-configuration-port-number ;integer
+ ;; integer
+ (port-number openssh-configuration-port-number
(default 22))
- (permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
+ ;; Boolean | 'without-password
+ (permit-root-login openssh-configuration-permit-root-login
(default #f))
- (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+ ;; Boolean
+ (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
(default #f))
- (password-authentication? openssh-configuration-password-authentication? ;Boolean
+ ;; Boolean
+ (password-authentication? openssh-configuration-password-authentication?
(default #t))
+ ;; Boolean
(public-key-authentication? openssh-configuration-public-key-authentication?
- (default #t)) ;Boolean
- (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
+ (default #t))
+ ;; Boolean
+ (x11-forwarding? openssh-configuration-x11-forwarding?
(default #f))
+ ;; Boolean
(challenge-response-authentication? openssh-challenge-response-authentication?
- (default #f)) ;Boolean
+ (default #f))
+ ;; Boolean
(use-pam? openssh-configuration-use-pam?
- (default #t)) ;Boolean
+ (default #t))
+ ;; Boolean
(print-last-log? openssh-configuration-print-last-log?
- (default #t))) ;Boolean
+ (default #t)))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
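Review bot: In the `challenge-response-authentication?` field the accessor is `openssh-challenge-response-authentication?`, while every other field of the record uses the `openssh-configuration-` prefix. Since this patch already touches that field to move its `;; Boolean` comment, consider renaming the accessor to `openssh-configuration-challenge-response-authentication?`, here or in a follow-up together with its use in `openssh-config-file`, so the record is consistent.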
--
2.12.0
Clément Lassieur wrote on 19 Mar 2017 17:35
[PATCH 2/4] services: openssh: Add 'subsystems' option.
(address . 26173@debbugs.gnu.org)
20170319163507.3583-2-clement@lassieur.org
* gnu/services/ssh.scm (openssh-config-file): Add it.
(<openssh-configuration>)[subsystems]: Add it.
* doc/guix.texi (Networking Services): Document it.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
doc/guix.texi | 9 ++++++
gnu/services/ssh.scm | 81 +++++++++++++++++++++++++++++-----------------------
2 files changed, 55 insertions(+), 35 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 50e794400..8bc7f3e39 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -9511,6 +9511,15 @@ equivalent role to password authentication, you should disable either
@item @code{print-last-log?} (default: @code{#t})
Specifies whether @command{sshd} should print the date and time of the
last user login when a user logs in interactively.
+
+@item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
+Configures external subsystems (e.g. file transfer daemon).
+
+This is a list of two-element lists, each of which containing the
+subsystem name and a command (with optional arguments) to execute upon
+subsystem request.
+
+The command @command{internal-sftp} implements an in-process SFTP server.
@end table
@end deftp
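Review bot: The new `subsystems` item says it "Configures external subsystems", yet its default `internal-sftp` is described a few lines later as an in-process server, so "external" is misleading. Wording such as "Configures subsystems (e.g. an SFTP file transfer server)" covers both cases. Also, "each of which containing" should read "each of which contains", and it would help to say that optional arguments go in the same string as the command, since the entry has exactly two elements.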
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 6272d53fc..b7f9887b3 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -292,7 +292,10 @@ The other options should be self-descriptive."
(default #t))
;; Boolean
(print-last-log? openssh-configuration-print-last-log?
- (default #t)))
+ (default #t))
+ ;; list of two-element lists
+ (subsystems openssh-configuration-subsystems
+ (default '(("sftp" "internal-sftp")))))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
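Review bot: The new `subsystems` field is described only by the comment `;; list of two-element lists`, and nothing checks its value before `openssh-config-file` writes each name and command into `sshd_config` with `~a`. An entry of any other shape fails only with a match error when the computed file is built, and a string containing a newline would add an extra directive line to the daemon configuration. Consider validating on the host side that every entry is a list of two strings without newline characters, and raising a clear configuration error otherwise.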
@@ -327,40 +330,48 @@ The other options should be self-descriptive."
"Return the sshd configuration file corresponding to CONFIG."
(computed-file
"sshd_config"
- #~(call-with-output-file #$output
- (lambda (port)
- (display "# Generated by 'openssh-service'.\n" port)
- (format port "Port ~a\n"
- #$(number->string (openssh-configuration-port-number config)))
- (format port "PermitRootLogin ~a\n"
- #$(match (openssh-configuration-permit-root-login config)
- (#t "yes")
- (#f "no")
- ('without-password "without-password")))
- (format port "PermitEmptyPasswords ~a\n"
- #$(if (openssh-configuration-allow-empty-passwords? config)
- "yes" "no"))
- (format port "PasswordAuthentication ~a\n"
- #$(if (openssh-configuration-password-authentication? config)
- "yes" "no"))
- (format port "PubkeyAuthentication ~a\n"
- #$(if (openssh-configuration-public-key-authentication? config)
- "yes" "no"))
- (format port "X11Forwarding ~a\n"
- #$(if (openssh-configuration-x11-forwarding? config)
- "yes" "no"))
- (format port "PidFile ~a\n"
- #$(openssh-configuration-pid-file config))
- (format port "ChallengeResponseAuthentication ~a\n"
- #$(if (openssh-challenge-response-authentication? config)
- "yes" "no"))
- (format port "UsePAM ~a\n"
- #$(if (openssh-configuration-use-pam? config)
- "yes" "no"))
- (format port "PrintLastLog ~a\n"
- #$(if (openssh-configuration-print-last-log? config)
- "yes" "no"))
- #t))))
+ #~(begin
+ (use-modules (ice-9 match))
+ (call-with-output-file #$output
+ (lambda (port)
+ (display "# Generated by 'openssh-service'.\n" port)
+ (format port "Port ~a\n"
+ #$(number->string
+ (openssh-configuration-port-number config)))
+ (format port "PermitRootLogin ~a\n"
+ #$(match (openssh-configuration-permit-root-login config)
+ (#t "yes")
+ (#f "no")
+ ('without-password "without-password")))
+ (format port "PermitEmptyPasswords ~a\n"
+ #$(if (openssh-configuration-allow-empty-passwords? config)
+ "yes" "no"))
+ (format port "PasswordAuthentication ~a\n"
+ #$(if (openssh-configuration-password-authentication? config)
+ "yes" "no"))
+ (format port "PubkeyAuthentication ~a\n"
+ #$(if (openssh-configuration-public-key-authentication?
+ config)
+ "yes" "no"))
+ (format port "X11Forwarding ~a\n"
+ #$(if (openssh-configuration-x11-forwarding? config)
+ "yes" "no"))
+ (format port "PidFile ~a\n"
+ #$(openssh-configuration-pid-file config))
+ (format port "ChallengeResponseAuthentication ~a\n"
+ #$(if (openssh-challenge-response-authentication? config)
+ "yes" "no"))
+ (format port "UsePAM ~a\n"
+ #$(if (openssh-configuration-use-pam? config)
+ "yes" "no"))
+ (format port "PrintLastLog ~a\n"
+ #$(if (openssh-configuration-print-last-log? config)
+ "yes" "no"))
+ (for-each
+ (match-lambda
+ ((name command) (format port "Subsystem\t~a\t~a\n" name command)))
+ '#$(openssh-configuration-subsystems config))
+ #t)))))
(define (openssh-shepherd-service config)
"Return a <shepherd-service> for openssh with CONFIG."
--
2.12.0
Clément Lassieur wrote on 19 Mar 2017 17:35
[PATCH 3/4] tests: ssh: Abstract session connection and authentication.
(address . 26173@debbugs.gnu.org)
20170319163507.3583-3-clement@lassieur.org
* gnu/tests/ssh.scm (run-ssh-test): Introduce make-session-for-test,
call-with-connected-session and call-with-connected-session/auth.
(run-ssh-test)["connect"]: Rename to "shell command". Abstract its session
connection and authentication work into the above three functions.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/tests/ssh.scm | 79 +++++++++++++++++++++++++++++++++++--------------------
1 file changed, 50 insertions(+), 29 deletions(-)

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
index 456476e69..fae4dff25 100644
--- a/gnu/tests/ssh.scm
+++ b/gnu/tests/ssh.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -101,6 +102,44 @@ empty-password logins."
(error "file didn't show up" ,file))))
marionette))
+ (define (make-session-for-test)
+ "Make a session with predefined parameters for a test."
+ (make-session #:user "root"
+ #:port 2222
+ #:host "localhost"
+ #:log-verbosity 'protocol))
+
+ (define (call-with-connected-session proc)
+ "Call the one-argument procedure PROC with a freshly created and
+connected SSH session object, return the result of the procedure call. The
+session is disconnected when the PROC is finished."
+ (let ((session (make-session-for-test)))
+ (dynamic-wind
+ (lambda ()
+ (let ((result (connect! session)))
+ (unless (equal? result 'ok)
+ (error "Could not connect to a server"
+ session result))))
+ (lambda () (proc session))
+ (lambda () (disconnect! session)))))
+
+ (define (call-with-connected-session/auth proc)
+ "Make an authenticated session. We should be able to connect as
+root with an empty password."
+ (call-with-connected-session
+ (lambda (session)
+ (let loop ((methods (list (cut userauth-password! <> "")
+ (cut userauth-none! <>))))
+ (match methods
+ (()
+ (error "all the authentication methods failed"))
+ ((auth rest ...)
+ (match (pk 'auth (auth session))
+ ('success
+ (proc session))
+ ('denied
+ (loop rest)))))))))
+
(mkdir #$output)
(chdir #$output)
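Review bot: In `call-with-connected-session/auth`, the inner `match` on `(auth session)` has clauses only for `'success` and `'denied`, so any other result aborts the test with a match failure instead of a useful message. Add a catch-all clause that reports the result through `error`, as `call-with-connected-session` already does for `connect!`. The docstring should also say that PROC is called with the authenticated session and that its result is returned.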
@@ -131,37 +170,19 @@ empty-password logins."
(current-services))))
marionette))
- ;; Connect to the guest over SSH. We should be able to connect as
- ;; "root" with an empty password. Make sure we can run a shell
+ ;; Connect to the guest over SSH. Make sure we can run a shell
;; command there.
- (test-equal "connect"
+ (test-equal "shell command"
'hello
- (let* ((session (make-session #:user "root"
- #:port 2222 #:host "localhost"
- #:log-verbosity 'protocol)))
- (match (connect! session)
- ('ok
- ;; Try the simple authentication methods. Dropbear
- ;; requires 'none' when there are no passwords, whereas
- ;; OpenSSH accepts 'password' with an empty password.
- (let loop ((methods (list (cut userauth-password! <> "")
- (cut userauth-none! <>))))
- (match methods
- (()
- (error "all the authentication methods failed"))
- ((auth rest ...)
- (match (pk 'auth (auth session))
- ('success
- ;; FIXME: 'get-server-public-key' segfaults.
- ;; (get-server-public-key session)
- (let ((channel (make-channel session)))
- (channel-open-session channel)
- (channel-request-exec channel
- "echo hello > /root/witness")
- (and (zero? (channel-get-exit-status channel))
- (wait-for-file "/root/witness"))))
- ('denied
- (loop rest))))))))))
+ (call-with-connected-session/auth
+ (lambda (session)
+ ;; FIXME: 'get-server-public-key' segfaults.
+ ;; (get-server-public-key session)
+ (let ((channel (make-channel session)))
+ (channel-open-session channel)
+ (channel-request-exec channel "echo hello > /root/witness")
+ (and (zero? (channel-get-exit-status channel))
+ (wait-for-file "/root/witness"))))))
(test-end)
(exit (= (test-runner-fail-count (test-runner-current)) 0)))))
--
2.12.0
Clément Lassieur wrote on 19 Mar 2017 17:35
[PATCH 4/4] tests: ssh: Add a test for SFTP.
(address . 26173@debbugs.gnu.org)
20170319163507.3583-4-clement@lassieur.org
* gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
Make 'sftp' a keyword parameter.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/tests/ssh.scm | 22 +++++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
index fae4dff25..8e656abff 100644
--- a/gnu/tests/ssh.scm
+++ b/gnu/tests/ssh.scm
@@ -55,7 +55,7 @@
(services (cons service
(operating-system-user-services %base-os)))))
-(define (run-ssh-test name ssh-service pid-file)
+(define* (run-ssh-test name ssh-service pid-file #:key (sftp #f))
"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
SSH-SERVICE must be configured to listen on port 22 and to allow for root and
empty-password logins."
@@ -81,7 +81,8 @@ empty-password logins."
(ice-9 match)
(ssh session)
(ssh auth)
- (ssh channel))
+ (ssh channel)
+ (ssh sftp))
(define marionette
;; Enable TCP forwarding of the guest's port 22.
@@ -184,6 +185,20 @@ root with an empty password."
(and (zero? (channel-get-exit-status channel))
(wait-for-file "/root/witness"))))))
+ ;; Connect to the guest over SFTP. Make sure we can write and
+ ;; read a file there.
+ (when #$sftp
+ (test-equal "SFTP file writing and reading"
+ 'hello
+ (call-with-connected-session/auth
+ (lambda (session)
+ (let ((sftp-session (make-sftp-session session))
+ (witness "/root/sftp-witness"))
+ (call-with-remote-output-file sftp-session witness
+ (cut display "hello" <>))
+ (call-with-remote-input-file sftp-session witness
+ read))))))
+
(test-end)
(exit (= (test-runner-fail-count (test-runner-current)) 0)))))
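Review bot: The "SFTP file writing and reading" test writes and reads `/root/sftp-witness` through the same `sftp-session`, so it only proves a round trip through the SFTP server. The "shell command" test just above confirms its file on the guest with `wait-for-file`; doing the same for `witness` here would also check that the file landed on the guest's file system at the expected path.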
@@ -200,7 +215,8 @@ root with an empty password."
(openssh-configuration
(permit-root-login #t)
(allow-empty-passwords? #t)))
- "/var/run/sshd.pid"))))
+ "/var/run/sshd.pid"
+ #:sftp #t))))
(define %test-dropbear
(system-test
--
2.12.0
Ludovic Courtès wrote on 20 Mar 2017 21:17
Re: bug#26173: [PATCH 1/4] services: openssh: Cosmetic changes.
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
87var3u2ir.fsf@gnu.org
Clément Lassieur <clement@lassieur.org> wrote:

> * gnu/services/ssh.scm (<openssh-configuration>): Reformat to fit in 80
> columns.

OK, why not. :-)

Ludo’.
Ludovic Courtès wrote on 20 Mar 2017 21:18
Re: bug#26173: [PATCH 2/4] services: openssh: Add 'subsystems' option.
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
87r31ru2fj.fsf@gnu.org
Clément Lassieur <clement@lassieur.org> wrote:

> * gnu/services/ssh.scm (openssh-config-file): Add it.
> (<openssh-configuration>)[subsystems]: Add it.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +@item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
> +Configures external subsystems (e.g. file transfer daemon).
> +
> +This is a list of two-element lists, each of which containing the
> +subsystem name and a command (with optional arguments) to execute upon
> +subsystem request.
> +
> +The command @command{internal-sftp} implements an in-process SFTP server.

Maybe you can add an @example for the external SFTP server, just to show
what the syntax is like.

Otherwise LGTM, thanks!

Ludo’.
Ludovic Courtès wrote on 20 Mar 2017 21:21
Re: bug#26173: [PATCH 3/4] tests: ssh: Abstract session connection and authentication.
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
87mvcfu2ay.fsf@gnu.org
Clément Lassieur <clement@lassieur.org> wrote:

> * gnu/tests/ssh.scm (run-ssh-test): Introduce make-session-for-test,
> call-with-connected-session and call-with-connected-session/auth.
> (run-ssh-test)["connect"]: Rename to "shell command". Abstract its session
> connection and authentication work into the above three functions.

It looks nicer with this change, cool!

> - (match (connect! session)
> - ('ok
> - ;; Try the simple authentication methods. Dropbear
> - ;; requires 'none' when there are no passwords, whereas
> - ;; OpenSSH accepts 'password' with an empty password.
> - (let loop ((methods (list (cut userauth-password! <> "")
> - (cut userauth-none! <>))))

This comment vanished in the refactoring but it might be worth keeping.

Otherwise LGTM, thanks!

Ludo’.
Ludovic Courtès wrote on 20 Mar 2017 21:25
Re: bug#26173: [PATCH 4/4] tests: ssh: Add a test for SFTP.
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
87h92nu24z.fsf@gnu.org
Clément Lassieur <clement@lassieur.org> wrote:

> * gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
> Make 'sftp' a keyword parameter.

Woohoo!

Please also mention the change to ‘%test-openssh’.

> +(define* (run-ssh-test name ssh-service pid-file #:key (sftp #f))
> "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
> SSH-SERVICE must be configured to listen on port 22 and to allow for root and
> empty-password logins."

Nitpick: call it ‘sftp?’ (with a question mark) to make it clear it’s a
Boolean, and mention it in the docstring.

> + ;; Connect to the guest over SFTP. Make sure we can write and
> + ;; read a file there.
> + (when #$sftp
> + (test-equal "SFTP file writing and reading"

You can write it like this:

(unless #$sftp?
(test-skip 1))

(test-equal …)

That way the test will be marked as skipped when SFTP support is
missing, which is marginally nicer.

Thanks for taking the time to write this test!

Ludo’.
Clément Lassieur wrote on 21 Mar 2017 01:01
Re: bug#26173: [PATCH 3/4] tests: ssh: Abstract session connection and authentication.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 26173@debbugs.gnu.org)
87r31r7b1c.fsf@lassieur.org
Ludovic Courtès <ludo@gnu.org> writes:

> Clément Lassieur <clement@lassieur.org> wrote:
>
>> * gnu/tests/ssh.scm (run-ssh-test): Introduce make-session-for-test,
>> call-with-connected-session and call-with-connected-session/auth.
>> (run-ssh-test)["connect"]: Rename to "shell command". Abstract its session
>> connection and authentication work into the above three functions.
>
> It looks nicer with this change, cool!
>
>> - (match (connect! session)
>> - ('ok
>> - ;; Try the simple authentication methods. Dropbear
>> - ;; requires 'none' when there are no passwords, whereas
>> - ;; OpenSSH accepts 'password' with an empty password.
>> - (let loop ((methods (list (cut userauth-password! <> "")
>> - (cut userauth-none! <>))))
>
> This comment vanished in the refactoring but it might be worth keeping.

Oh! Sorry, that wasn't intentional.

> Otherwise LGTM, thanks!
>
> Ludo’.
Clément Lassieur wrote on 21 Mar 2017 01:03
Re: bug#26173: [PATCH 4/4] tests: ssh: Add a test for SFTP.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 26173@debbugs.gnu.org)
87pohb7ayv.fsf@lassieur.org
Ludovic Courtès <ludo@gnu.org> writes:

> Clément Lassieur <clement@lassieur.org> wrote:
>
>> * gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
>> Make 'sftp' a keyword parameter.
>
> Woohoo!
>
> Please also mention the change to ‘%test-openssh’.
>
>> +(define* (run-ssh-test name ssh-service pid-file #:key (sftp #f))
>> "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
>> SSH-SERVICE must be configured to listen on port 22 and to allow for root and
>> empty-password logins."
>
> Nitpick: call it ‘sftp?’ (with a question mark) to make it clear it’s a
> Boolean, and mention it in the docstring.
>
>> + ;; Connect to the guest over SFTP. Make sure we can write and
>> + ;; read a file there.
>> + (when #$sftp
>> + (test-equal "SFTP file writing and reading"
>
> You can write it like this:
>
> (unless #$sftp?
> (test-skip 1))
>
> (test-equal …)
>
> That way the test will be marked as skipped when SFTP support is
> missing, which is marginally nicer.
>
> Thanks for taking the time to write this test!

Thank you for the review :)

I'll send an updated patchset.

Clément
Clément Lassieur wrote on 21 Mar 2017 01:04
[PATCH 1/4] services: openssh: Cosmetic changes.
(address . 26173@debbugs.gnu.org)
20170321000445.23129-1-clement@lassieur.org
* gnu/services/ssh.scm (<openssh-configuration>): Reformat to fit in 80
columns.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/services/ssh.scm | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index d8a3ad35a..6272d53fc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -260,28 +260,39 @@ The other options should be self-descriptive."
(define-record-type* <openssh-configuration>
openssh-configuration make-openssh-configuration
openssh-configuration?
- (openssh openssh-configuration-openssh ;package
+ ;; <package>
+ (openssh openssh-configuration-openssh
(default openssh))
+ ;; string
(pid-file openssh-configuration-pid-file
(default "/var/run/sshd.pid"))
- (port-number openssh-configuration-port-number ;integer
+ ;; integer
+ (port-number openssh-configuration-port-number
(default 22))
- (permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
+ ;; Boolean | 'without-password
+ (permit-root-login openssh-configuration-permit-root-login
(default #f))
- (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+ ;; Boolean
+ (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
(default #f))
- (password-authentication? openssh-configuration-password-authentication? ;Boolean
+ ;; Boolean
+ (password-authentication? openssh-configuration-password-authentication?
(default #t))
+ ;; Boolean
(public-key-authentication? openssh-configuration-public-key-authentication?
- (default #t)) ;Boolean
- (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
+ (default #t))
+ ;; Boolean
+ (x11-forwarding? openssh-configuration-x11-forwarding?
(default #f))
+ ;; Boolean
(challenge-response-authentication? openssh-challenge-response-authentication?
- (default #f)) ;Boolean
+ (default #f))
+ ;; Boolean
(use-pam? openssh-configuration-use-pam?
- (default #t)) ;Boolean
+ (default #t))
+ ;; Boolean
(print-last-log? openssh-configuration-print-last-log?
- (default #t))) ;Boolean
+ (default #t)))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
--
2.12.0
Clément Lassieur wrote on 21 Mar 2017 01:04
[PATCH 2/4] services: openssh: Add 'subsystems' option.
(address . 26173@debbugs.gnu.org)
20170321000445.23129-2-clement@lassieur.org
* gnu/services/ssh.scm (openssh-config-file): Add it.
(<openssh-configuration>)[subsystems]: Add it.
* doc/guix.texi (Networking Services): Document it.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
doc/guix.texi | 16 +++++++++++
gnu/services/ssh.scm | 81 +++++++++++++++++++++++++++++-----------------------
2 files changed, 62 insertions(+), 35 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 297141288..63291e33e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -9511,6 +9511,22 @@ equivalent role to password authentication, you should disable either
@item @code{print-last-log?} (default: @code{#t})
Specifies whether @command{sshd} should print the date and time of the
last user login when a user logs in interactively.
+
+@item @code{subsystems} (default: @code{'(("sftp" "internal-sftp"))})
+Configures external subsystems (e.g. file transfer daemon).
+
+This is a list of two-element lists, each of which containing the
+subsystem name and a command (with optional arguments) to execute upon
+subsystem request.
+
+The command @command{internal-sftp} implements an in-process SFTP
+server. Alternately, one can specify the @command{sftp-server} command:
+@example
+(service openssh-service-type
+ (openssh-configuration
+ (subsystems
+ '(("sftp" "/run/current-system/profile/libexec/sftp-server")))))
+@end example
@end table
@end deftp
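Review bot: The added `@example` hard-codes `/run/current-system/profile/libexec/sftp-server`, a path that exists only if the OpenSSH package is installed in the system profile, which nothing in the lines shown here guarantees. Either say so in the text or have the example refer to the `openssh` package the service itself uses, so that a copied configuration does not produce an `sftp` subsystem that fails at request time. Minor: "Alternately" should be "Alternatively".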
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 6272d53fc..b7f9887b3 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -292,7 +292,10 @@ The other options should be self-descriptive."
(default #t))
;; Boolean
(print-last-log? openssh-configuration-print-last-log?
- (default #t)))
+ (default #t))
+ ;; list of two-element lists
+ (subsystems openssh-configuration-subsystems
+ (default '(("sftp" "internal-sftp")))))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
@@ -327,40 +330,48 @@ The other options should be self-descriptive."
"Return the sshd configuration file corresponding to CONFIG."
(computed-file
"sshd_config"
- #~(call-with-output-file #$output
- (lambda (port)
- (display "# Generated by 'openssh-service'.\n" port)
- (format port "Port ~a\n"
- #$(number->string (openssh-configuration-port-number config)))
- (format port "PermitRootLogin ~a\n"
- #$(match (openssh-configuration-permit-root-login config)
- (#t "yes")
- (#f "no")
- ('without-password "without-password")))
- (format port "PermitEmptyPasswords ~a\n"
- #$(if (openssh-configuration-allow-empty-passwords? config)
- "yes" "no"))
- (format port "PasswordAuthentication ~a\n"
- #$(if (openssh-configuration-password-authentication? config)
- "yes" "no"))
- (format port "PubkeyAuthentication ~a\n"
- #$(if (openssh-configuration-public-key-authentication? config)
- "yes" "no"))
- (format port "X11Forwarding ~a\n"
- #$(if (openssh-configuration-x11-forwarding? config)
- "yes" "no"))
- (format port "PidFile ~a\n"
- #$(openssh-configuration-pid-file config))
- (format port "ChallengeResponseAuthentication ~a\n"
- #$(if (openssh-challenge-response-authentication? config)
- "yes" "no"))
- (format port "UsePAM ~a\n"
- #$(if (openssh-configuration-use-pam? config)
- "yes" "no"))
- (format port "PrintLastLog ~a\n"
- #$(if (openssh-configuration-print-last-log? config)
- "yes" "no"))
- #t))))
+ #~(begin
+ (use-modules (ice-9 match))
+ (call-with-output-file #$output
+ (lambda (port)
+ (display "# Generated by 'openssh-service'.\n" port)
+ (format port "Port ~a\n"
+ #$(number->string
+ (openssh-configuration-port-number config)))
+ (format port "PermitRootLogin ~a\n"
+ #$(match (openssh-configuration-permit-root-login config)
+ (#t "yes")
+ (#f "no")
+ ('without-password "without-password")))
+ (format port "PermitEmptyPasswords ~a\n"
+ #$(if (openssh-configuration-allow-empty-passwords? config)
+ "yes" "no"))
+ (format port "PasswordAuthentication ~a\n"
+ #$(if (openssh-configuration-password-authentication? config)
+ "yes" "no"))
+ (format port "PubkeyAuthentication ~a\n"
+ #$(if (openssh-configuration-public-key-authentication?
+ config)
+ "yes" "no"))
+ (format port "X11Forwarding ~a\n"
+ #$(if (openssh-configuration-x11-forwarding? config)
+ "yes" "no"))
+ (format port "PidFile ~a\n"
+ #$(openssh-configuration-pid-file config))
+ (format port "ChallengeResponseAuthentication ~a\n"
+ #$(if (openssh-challenge-response-authentication? config)
+ "yes" "no"))
+ (format port "UsePAM ~a\n"
+ #$(if (openssh-configuration-use-pam? config)
+ "yes" "no"))
+ (format port "PrintLastLog ~a\n"
+ #$(if (openssh-configuration-print-last-log? config)
+ "yes" "no"))
+ (for-each
+ (match-lambda
+ ((name command) (format port "Subsystem\t~a\t~a\n" name command)))
+ '#$(openssh-configuration-subsystems config))
+ #t)))))
(define (openssh-shepherd-service config)
"Return a <shepherd-service> for openssh with CONFIG."
--
2.12.0
Clément Lassieur wrote on 21 Mar 2017 01:04
[PATCH 3/4] tests: ssh: Abstract session connection and authentication.
(address . 26173@debbugs.gnu.org)
20170321000445.23129-3-clement@lassieur.org
* gnu/tests/ssh.scm (run-ssh-test): Introduce make-session-for-test,
call-with-connected-session and call-with-connected-session/auth.
(run-ssh-test)["connect"]: Rename to "shell command". Abstract its session
connection and authentication work into the above three functions.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/tests/ssh.scm | 82 +++++++++++++++++++++++++++++++++++--------------------
1 file changed, 53 insertions(+), 29 deletions(-)

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
index 456476e69..7779b7156 100644
--- a/gnu/tests/ssh.scm
+++ b/gnu/tests/ssh.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -101,6 +102,47 @@ empty-password logins."
(error "file didn't show up" ,file))))
marionette))
+ (define (make-session-for-test)
+ "Make a session with predefined parameters for a test."
+ (make-session #:user "root"
+ #:port 2222
+ #:host "localhost"
+ #:log-verbosity 'protocol))
+
+ (define (call-with-connected-session proc)
+ "Call the one-argument procedure PROC with a freshly created and
+connected SSH session object, return the result of the procedure call. The
+session is disconnected when the PROC is finished."
+ (let ((session (make-session-for-test)))
+ (dynamic-wind
+ (lambda ()
+ (let ((result (connect! session)))
+ (unless (equal? result 'ok)
+ (error "Could not connect to a server"
+ session result))))
+ (lambda () (proc session))
+ (lambda () (disconnect! session)))))
+
+ (define (call-with-connected-session/auth proc)
+ "Make an authenticated session. We should be able to connect as
+root with an empty password."
+ (call-with-connected-session
+ (lambda (session)
+ ;; Try the simple authentication methods. Dropbear requires
+ ;; 'none' when there are no passwords, whereas OpenSSH accepts
+ ;; 'password' with an empty password.
+ (let loop ((methods (list (cut userauth-password! <> "")
+ (cut userauth-none! <>))))
+ (match methods
+ (()
+ (error "all the authentication methods failed"))
+ ((auth rest ...)
+ (match (pk 'auth (auth session))
+ ('success
+ (proc session))
+ ('denied
+ (loop rest)))))))))
+
(mkdir #$output)
(chdir #$output)
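Review bot: In `call-with-connected-session`, `connect!` is called from the entry thunk of `dynamic-wind`, which runs again on every re-entry into the dynamic extent, while the exit thunk calls `disconnect!` on every exit. Connecting once before `dynamic-wind` and keeping only `(lambda () (disconnect! session))` as the exit thunk states the intent more directly and avoids reconnecting a session that was already torn down.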
@@ -131,37 +173,19 @@ empty-password logins."
(current-services))))
marionette))
- ;; Connect to the guest over SSH. We should be able to connect as
- ;; "root" with an empty password. Make sure we can run a shell
+ ;; Connect to the guest over SSH. Make sure we can run a shell
;; command there.
- (test-equal "connect"
+ (test-equal "shell command"
'hello
- (let* ((session (make-session #:user "root"
- #:port 2222 #:host "localhost"
- #:log-verbosity 'protocol)))
- (match (connect! session)
- ('ok
- ;; Try the simple authentication methods. Dropbear
- ;; requires 'none' when there are no passwords, whereas
- ;; OpenSSH accepts 'password' with an empty password.
- (let loop ((methods (list (cut userauth-password! <> "")
- (cut userauth-none! <>))))
- (match methods
- (()
- (error "all the authentication methods failed"))
- ((auth rest ...)
- (match (pk 'auth (auth session))
- ('success
- ;; FIXME: 'get-server-public-key' segfaults.
- ;; (get-server-public-key session)
- (let ((channel (make-channel session)))
- (channel-open-session channel)
- (channel-request-exec channel
- "echo hello > /root/witness")
- (and (zero? (channel-get-exit-status channel))
- (wait-for-file "/root/witness"))))
- ('denied
- (loop rest))))))))))
+ (call-with-connected-session/auth
+ (lambda (session)
+ ;; FIXME: 'get-server-public-key' segfaults.
+ ;; (get-server-public-key session)
+ (let ((channel (make-channel session)))
+ (channel-open-session channel)
+ (channel-request-exec channel "echo hello > /root/witness")
+ (and (zero? (channel-get-exit-status channel))
+ (wait-for-file "/root/witness"))))))
(test-end)
(exit (= (test-runner-fail-count (test-runner-current)) 0)))))
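Review bot: the FIXME about `get-server-public-key` segfaulting is copied into the new lambda without a pointer to a bug report, so nobody reading the test can tell when the call can be re-enabled. Reference the report next to the FIXME, or drop the commented-out call. Separately, when the exit status is non-zero the `and` returns #f and `test-equal` only reports that #f is not `hello`; keeping the status visible in the failure would make a broken `exec` easier to diagnose.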
--
2.12.0
Clément Lassieur wrote on 21 Mar 2017 01:04
[PATCH 4/4] tests: ssh: Add a test for SFTP.
(address . 26173@debbugs.gnu.org)
20170321000445.23129-4-clement@lassieur.org
* gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
Make 'sftp?' a keyword parameter.
(%test-openssh): Pass #:sftp? #t to 'run-ssh-test'.

Signed-off-by: Clément Lassieur <clement@lassieur.org>
---
gnu/tests/ssh.scm | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/gnu/tests/ssh.scm b/gnu/tests/ssh.scm
index 7779b7156..c1582c473 100644
--- a/gnu/tests/ssh.scm
+++ b/gnu/tests/ssh.scm
@@ -55,10 +55,12 @@
(services (cons service
(operating-system-user-services %base-os)))))
-(define (run-ssh-test name ssh-service pid-file)
+(define* (run-ssh-test name ssh-service pid-file #:key (sftp? #f))
"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
SSH-SERVICE must be configured to listen on port 22 and to allow for root and
-empty-password logins."
+empty-password logins.
+
+When SFTP? is true, run an SFTP server test."
(mlet* %store-monad ((os -> (marionette-operating-system
(os-with-service ssh-service)
#:imported-modules '((gnu services herd)
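Review bot: the docstring still lists only port 22 and root/empty-password logins as requirements on SSH-SERVICE; when SFTP? is true the service must also expose an "sftp" subsystem, and that precondition should be stated alongside the others. As a style point, `(sftp? #f)` can be written as plain `sftp?`, since `define*` keyword arguments already default to #f.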
@@ -81,7 +83,8 @@ empty-password logins."
(ice-9 match)
(ssh session)
(ssh auth)
- (ssh channel))
+ (ssh channel)
+ (ssh sftp))
(define marionette
;; Enable TCP forwarding of the guest's port 22.
@@ -187,6 +190,21 @@ root with an empty password."
(and (zero? (channel-get-exit-status channel))
(wait-for-file "/root/witness"))))))
+ ;; Connect to the guest over SFTP. Make sure we can write and
+ ;; read a file there.
+ (unless #$sftp?
+ (test-skip 1))
+ (test-equal "SFTP file writing and reading"
+ 'hello
+ (call-with-connected-session/auth
+ (lambda (session)
+ (let ((sftp-session (make-sftp-session session))
+ (witness "/root/sftp-witness"))
+ (call-with-remote-output-file sftp-session witness
+ (cut display "hello" <>))
+ (call-with-remote-input-file sftp-session witness
+ read)))))
+
(test-end)
(exit (= (test-runner-fail-count (test-runner-current)) 0)))))
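Review bot: the "SFTP file writing and reading" test reads the witness back through the same SFTP session it wrote it with, so it shows only that the SFTP write and read agree, not that the file landed where expected on the guest. Checking "/root/sftp-witness" from the guest side, the way the shell test does with `(wait-for-file "/root/witness")`, would close that gap. A short comment that `display "hello"` followed by `read` yields the symbol `hello` would also explain the expected value.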
@@ -203,7 +221,8 @@ root with an empty password."
(openssh-configuration
(permit-root-login #t)
(allow-empty-passwords? #t)))
- "/var/run/sshd.pid"))))
+ "/var/run/sshd.pid"
+ #:sftp? #t))))
(define %test-dropbear
(system-test
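Review bot: `#:sftp? #t` is passed while the `openssh-configuration` above sets only `permit-root-login` and `allow-empty-passwords?`, so the SFTP test passes only as long as the default of the 'subsystems' field provides "sftp". Say so in a comment here, or set the field explicitly, so that a later change to the default shows up as an intentional test update rather than an unexplained failure.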
--
2.12.0
Leo Famulari wrote on 21 Mar 2017 01:41
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
20170321004111.GA6290@jasmine
On Tue, Mar 21, 2017 at 01:04:45AM +0100, Clément Lassieur wrote:
> * gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
> Make 'sftp?' a keyword parameter.
> (%test-openssh): Pass #:sftp? #t to 'run-ssh-test'.
>
> Signed-off-by: Clément Lassieur <clement@lassieur.org>

No need to "sign off" on your own patches. In Guix, we use this field
when we commit a patch on behalf of somebody else.


Clément Lassieur wrote on 21 Mar 2017 09:11
(name . Leo Famulari)(address . leo@famulari.name)(address . 26173@debbugs.gnu.org)
87mvcfoxqr.fsf@lassieur.org
Leo Famulari <leo@famulari.name> writes:

> On Tue, Mar 21, 2017 at 01:04:45AM +0100, Clément Lassieur wrote:
>> * gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
>> Make 'sftp?' a keyword parameter.
>> (%test-openssh): Pass #:sftp? #t to 'run-ssh-test'.
>>
>> Signed-off-by: Clément Lassieur <clement@lassieur.org>
>
> No need to "sign off" on your own patches. In Guix, we use this field
> when we commit a patch on behalf of somebody else.

Ok! I could not find anything about it in HACKING. Is this written
somewhere else? Or maybe we should update HACKING?
Marius Bakke wrote on 21 Mar 2017 13:13
(address . 26173@debbugs.gnu.org)
87o9wu6d4w.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me
Clément Lassieur <clement@lassieur.org> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Tue, Mar 21, 2017 at 01:04:45AM +0100, Clément Lassieur wrote:
>>> * gnu/tests/ssh.scm (run-ssh-test): Introduce "SFTP file writing and reading".
>>> Make 'sftp?' a keyword parameter.
>>> (%test-openssh): Pass #:sftp? #t to 'run-ssh-test'.
>>>
>>> Signed-off-by: Clément Lassieur <clement@lassieur.org>
>>
>> No need to "sign off" on your own patches. In Guix, we use this field
>> when we commit a patch on behalf of somebody else.
>
> Ok! I could not find anything about it in HACKING. Is this written
> somewhere else? Or maybe we should update HACKING?

This sounds like a good idea. There are some contributors who don't use
the '-s' flag to `git am` too, such that one has to use `git log
--format=full` to see who committed/reviewed a patch.

Ludovic Courtès wrote on 21 Mar 2017 15:23
Re: bug#26173: [PATCH 2/4] services: openssh: Add 'subsystems' option.
(name . Clément Lassieur)(address . clement@lassieur.org)(address . 26173@debbugs.gnu.org)
87a88e1zeq.fsf@gnu.org
Clément Lassieur <clement@lassieur.org> writes:

> * gnu/services/ssh.scm (openssh-config-file): Add it.
> (<openssh-configuration>)[subsystems]: Add it.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +The command @command{internal-sftp} implements an in-process SFTP
> +server. Alternately, one can specify the @command{sftp-server} command:
> +@example
> +(service openssh-service-type
> + (openssh-configuration
> + (subsystems
> + '(("sftp" "/run/current-system/profile/libexec/sftp-server")))))
> +@end example

Maybe the example should use:

`(("sftp" ,(file-append openssh "/libexec/sftp-server")))

which looks better IMO (assuming it works, but I think it does.)

OK for you to push the whole series.

Thanks!

Ludo’.
Leo Famulari wrote on 21 Mar 2017 18:59
Re: bug#26173: [PATCH 4/4] tests: ssh: Add a test for SFTP.
(name . Marius Bakke)(address . mbakke@fastmail.com)
20170321175908.GB2004@jasmine
On Tue, Mar 21, 2017 at 01:13:51PM +0100, Marius Bakke wrote:
> Clément Lassieur <clement@lassieur.org> writes:
> > Leo Famulari <leo@famulari.name> writes:
> >> No need to "sign off" on your own patches. In Guix, we use this field
> >> when we commit a patch on behalf of somebody else.
> >
> > Ok! I could not find anything about it in HACKING. Is this written
> > somewhere else? Or maybe we should update HACKING?

Okay, I think it's a nice convention. Would you like to add a sentence
or two about it?

> This sounds like a good idea. There are some contributors who don't use
> the '-s' flag to `git am` too, such that one has to use `git log
> --format=full` to see who committed/reviewed a patch.

Overall, the Signed-off-by text is not that important, but it does save
a bit of time while reading the commit log.

As Marius points out, Git records the committer separately. Plus, the
committer information can include any text you choose, just like the
authorial information.

The PGP / GPG signature is the only thing that can actually record the
identity of the person who pushed the commit to Savannah (assuming one
does not create a useful SHA1 collision in the repository).
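The distinction drawn in this exchange between author, committer, Signed-off-by trailers and the PGP signature, shown as an added example (not code from Guix or from the participants): a parser for a raw Git commit object that separates the free-text identity fields from the signature header and applies the sign-off convention described above. The sample commit, its names and addresses, and the function names are constructed for illustration.

```python
"""Separate the free-text identity fields of a raw Git commit object (the
output of `git cat-file commit <id>`) from its signature header."""
import re

# Constructed sample: names, addresses, tree id and signature body are placeholders.
SAMPLE_COMMIT = """\
tree 0000000000000000000000000000000000000000
author Alice Example <alice@example.org> 1490050000 +0100
committer Bob Example <bob@example.org> 1490090000 +0100
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER
 -----END PGP SIGNATURE-----

tests: ssh: Add a test for SFTP.

Signed-off-by: Bob Example <bob@example.org>
"""

IDENT = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> \d+ [+-]\d{4}$")

def parse_commit(raw):
    """Return author, committer, Signed-off-by trailers and signature presence."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:      # continuation of a multi-line header
            headers[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers[key] = value

    def ident(field):
        m = IDENT.match(headers.get(field, ""))
        return f"{m['name']} <{m['email']}>" if m else None

    return {"author": ident("author"), "committer": ident("committer"),
            "signed_off_by": re.findall(r"^Signed-off-by: (.+)$", message, flags=re.M),
            "signature_present": "gpgsig" in headers}

def review_provenance(raw):
    """Apply the convention from the thread: a sign-off is expected from the
    committer only when the commit was applied on the author's behalf."""
    c = parse_commit(raw)
    on_behalf = c["author"] != c["committer"]
    return {"on_behalf_of_author": on_behalf,
            "committer_signed_off": c["committer"] in c["signed_off_by"],
            "signoff_expected": on_behalf,
            # Presence only: validity must be checked with `git verify-commit`.
            "signature_present": c["signature_present"]}

if __name__ == "__main__":
    print(parse_commit(SAMPLE_COMMIT), review_provenance(SAMPLE_COMMIT))
```

Everything except `signature_present` is text chosen by whoever created the commit object, which is why the parser reports it as claims rather than as verified identity.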


Clément Lassieur wrote on 21 Mar 2017 20:55
Re: bug#26173: [PATCH 2/4] services: openssh: Add 'subsystems' option.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 26173@debbugs.gnu.org)
87zigeieva.fsf@lassieur.org
Ludovic Courtès <ludo@gnu.org> writes:

> Clément Lassieur <clement@lassieur.org> writes:
>
>> * gnu/services/ssh.scm (openssh-config-file): Add it.
>> (<openssh-configuration>)[subsystems]: Add it.
>> * doc/guix.texi (Networking Services): Document it.
>
> [...]
>
>> +The command @command{internal-sftp} implements an in-process SFTP
>> +server. Alternately, one can specify the @command{sftp-server} command:
>> +@example
>> +(service openssh-service-type
>> + (openssh-configuration
>> + (subsystems
>> + '(("sftp" "/run/current-system/profile/libexec/sftp-server")))))
>> +@end example
>
> Maybe the example should use:
>
> `(("sftp" ,(file-append openssh "/libexec/sftp-server")))
>
> which looks better IMO (assuming it works, but I think it does.)

It works, done.

> OK for you to push the whole series.

Pushed!

Clément
Clément Lassieur wrote on 21 Mar 2017 22:23
Re: bug#26173: [PATCH 4/4] tests: ssh: Add a test for SFTP.
(name . Leo Famulari)(address . leo@famulari.name)
87var2iati.fsf@lassieur.org
Leo Famulari <leo@famulari.name> writes:

> On Tue, Mar 21, 2017 at 01:13:51PM +0100, Marius Bakke wrote:
>> Clément Lassieur <clement@lassieur.org> writes:
>> > Leo Famulari <leo@famulari.name> writes:
>> >> No need to "sign off" on your own patches. In Guix, we use this field
>> >> when we commit a patch on behalf of somebody else.
>> >
>> > Ok! I could not find anything about it in HACKING. Is this written
>> > somewhere else? Or maybe we should update HACKING?
>
> Okay, I think it's a nice convention. Would you like to add a sentence
> or two about it?

>> This sounds like a good idea. There are some contributors who don't use
>> the '-s' flag to `git am` too, such that one has to use `git log
>> --format=full` to see who committed/reviewed a patch.
>
> Overall, the Signed-off-by text is not that important, but it does save
> a bit of time while reading the commit log.
>
> As Marius points out, Git records the committer separately. Plus, the
> committer information can include any text you choose, just like the
> authorial information.
>
> The PGP / GPG signature is the only thing that can actually record the
> identity of the person who pushed the commit to Savannah (assuming one
> does not create a useful SHA1 collision in the repository).
Clément Lassieur wrote on 21 Mar 2017 22:51
control message for bug #26173
(address . control@debbugs.gnu.org)
87pohai9ii.fsf@lassieur.org
tags 26173 fixed
close 26173