openssh: root 'without-password & password-authentication #f both breaks service

Open
Submitted by Christopher Allan Webber.
Details
3 participants
  • Chris Marusich
  • Christopher Allan Webber
  • Leo Famulari
Owner
unassigned
Severity
normal
Christopher Allan Webber wrote on 28 Apr 2017 16:52
(address . bug-guix@gnu.org)
87h918twir.fsf@dustycloud.org
I wanted to permit root logins but only permit public key authentication in my openssh configuration. This was my original assumption of how to do it:
  (service openssh-service-type
           (openssh-configuration
            (permit-root-login 'without-password)
            (password-authentication? #f)))
However, for whatever reason, openssh fails to start with this combination. However, it turns out this is redundant, since the configuration is already only permitting with public key authentication.
  (service openssh-service-type
           (openssh-configuration
            (permit-root-login #t)
            (password-authentication? #f)))
This route is sufficient.
However maybe we should prevent people from accidentally causing openssh to not start. Here's a suggested route... though I haven't tested it:
#+BEGIN_SRC diff
Toggle diff (20 lines)diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scmindex 9917c311c..f1f2ab3dc 100644--- a/gnu/services/ssh.scm+++ b/gnu/services/ssh.scm@@ -342,7 +342,13 @@ The other options should be self-descriptive." #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no")- ('without-password "without-password")))+ ('without-password+ ;; If we've already disabled password-authentication, this+ ;; is redundant, and even stops the openssh server from+ ;; starting up+ (if (openssh-configuration-password-authentication? config)+ "without-password"+ "yes")))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no"))#+END_SRC
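Review bot: the new `'without-password` arm silently emits `PermitRootLogin yes` whenever `password-authentication?` is `#f`, so the generated sshd_config no longer records the value the user asked for; an operator auditing that file sees `yes` and has to know this Guix special case to trust it. Prefer failing with a configuration error for the combination (or leaving `without-password` in place) over rewriting it. The comment in the hunk also asserts that this combination stops sshd from starting, but nothing in the patch or the report shows the generated file or sshd's error; confirm the root cause first (for instance by running `sshd -t -f` against the generated config) rather than working around it, since if the start failure has another cause this branch will mask it.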
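The thread's point is that, for root, "PermitRootLogin without-password" plus "PasswordAuthentication no" and "PermitRootLogin yes" plus "PasswordAuthentication no" end up with the same effective policy. The following is an added example, not code from the bug report or from Guix: a small checker that reads an sshd_config the way sshd does (keywords case-insensitive, the first value given for a keyword wins, and OpenSSH 7.0+ defaults filled in for anything unset) and classifies how root may authenticate. The sample configs are constructed to resemble what the two openssh-configuration variants above would generate, including the "ChallengeResponseAuthentication no" line; they are not real generated files. The checker goes one step beyond the thread: with "PermitRootLogin yes", disabling PasswordAuthentication alone is not enough when keyboard-interactive (PAM) authentication is left at its default, which is exactly the case where "without-password" (or its modern spelling "prohibit-password") is not redundant.

```python
"""Effective root-login policy for an sshd_config (added example, not Guix code)."""
import re

# Constructed sample: what the first (reportedly failing) configuration asks for.
CONFIG_WITHOUT_PASSWORD = """\
Port 22
PermitRootLogin without-password
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample: the second configuration from the thread.
CONFIG_YES_NO_PASSWORD = """\
Port 22
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# Constructed sample: PasswordAuthentication disabled, but keyboard-interactive
# left at its default of "yes", so a PAM password prompt still reaches root.
CONFIG_PAM_GAP = """\
PermitRootLogin yes
PasswordAuthentication no
"""

# Constructed sample: a later duplicate keyword does NOT override the first value.
CONFIG_WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""

# sshd defaults (OpenSSH 7.0 and later) for the keywords the check depends on.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return {lowercased keyword: lowercased first value} for the global section.

    Parsing stops at the first 'Match' block, because keywords after it only
    apply conditionally and cannot be evaluated without the match context.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        settings.setdefault(key, value)          # sshd keeps the FIRST value
    return settings


def root_login_policy(text):
    """Classify root's allowed authentication: 'denied', 'key-only' or 'password'."""
    s = {**DEFAULTS, **parse_sshd_config(text)}
    prl = s["permitrootlogin"]
    if prl == "no":
        return "denied"
    if prl in ("without-password", "prohibit-password", "forced-commands-only"):
        # sshd refuses password and keyboard-interactive methods for root itself,
        # whatever the global PasswordAuthentication setting says.
        return "key-only"
    # PermitRootLogin yes: root gets whichever methods are enabled globally.
    if s["passwordauthentication"] == "yes" or s["kbdinteractiveauthentication"] == "yes":
        return "password"
    return "key-only"


if __name__ == "__main__":
    for name in ("CONFIG_WITHOUT_PASSWORD", "CONFIG_YES_NO_PASSWORD",
                 "CONFIG_PAM_GAP", "CONFIG_WEAK"):
        print(f"{name}: root login is {root_login_policy(globals()[name])}")
```

Run it against a real file with `root_login_policy(open("/etc/ssh/sshd_config").read())`; anything other than "denied" or "key-only" for an internet-facing host deserves a second look, and the CONFIG_PAM_GAP case is the one that a "PasswordAuthentication no is enough" mental model misses.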
Leo Famulari wrote on 28 Apr 2017 21:29
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)
20170428192944.GC6736@jasmine
On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:
> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration. This was my original assumption of how to
> do it:
>
> (service openssh-service-type
>          (openssh-configuration
>           (permit-root-login 'without-password)
>           (password-authentication? #f)))
>
> However, for whatever reason, openssh fails to start with this
> combination. However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.
Do you still have the generated sshd_config files handy, so we can compare them and figure out what's broken?

Chris Marusich wrote on 30 Apr 2017 21:53
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)
87vaplfza9.fsf@gmail.com
Christopher Allan Webber <cwebber@dustycloud.org> writes:
Toggle quote (20 lines)> --- a/gnu/services/ssh.scm> +++ b/gnu/services/ssh.scm> @@ -342,7 +342,13 @@ The other options should be self-descriptive."> #$(match (openssh-configuration-permit-root-login config)> (#t "yes")> (#f "no")> - ('without-password "without-password")))> + ('without-password> + ;; If we've already disabled password-authentication, this> + ;; is redundant, and even stops the openssh server from> + ;; starting up> + (if (openssh-configuration-password-authentication? config)> + "without-password"> + "yes"))))> (format port "PermitEmptyPasswords ~a\n"> #$(if (openssh-configuration-allow-empty-passwords? config)> "yes" "no"))> #+END_SRC>
Would it be better to fail with an error here? I'd be a little confused and disturbed if I specified 'without-password expecting to get "without-password" for the value of PermitRootLogin, but later found that the OpenSSH daemon's config file contained the un-requested value "yes", even if the end result happens to have the desired effect.
However, if this special case is clearly documented in the Guix manual, then I'd be less off-put by it.
-- Chris