openssh: root 'without-password & password-authentication #f both breaks service

OpenSubmitted by Christopher Allan Webber.
Details
3 participants
  • Chris Marusich
  • Christopher Allan Webber
  • Leo Famulari
Owner
unassigned
Severity
normal
C
C
Christopher Allan Webber wrote on 28 Apr 2017 16:52
(address . bug-guix@gnu.org)
87h918twir.fsf@dustycloud.org
I wanted to permit root logins but only permit public key authentication
in my openssh configuration. This was my original assumption of how to
do it:

(service openssh-service-type
(openssh-configuration
(permit-root-login 'without-password)
(password-authentication? #f)))

However, for whatever reason, openssh fails to start with this
combination. However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.

(service openssh-service-type
(openssh-configuration
(permit-root-login #t)
(password-authentication? #f)))

This route is sufficient.

However maybe we should prevent people from accidentally causing openssh
to not start. Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff
Toggle diff (20 lines)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password
+                        ;; If we've already disabled password-authentication, this
+                        ;; is redundant, and even stops the openssh server from
+                        ;; starting up
+                        (if (openssh-configuration-password-authentication? config)
+                            "without-password"
+                            "yes"))))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
#+END_SRC
L
L
Leo Famulari wrote on 28 Apr 2017 21:29
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)
20170428192944.GC6736@jasmine
On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:
Toggle quote (13 lines)
> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration. This was my original assumption of how to
> do it:
>
> (service openssh-service-type
> (openssh-configuration
> (permit-root-login 'without-password)
> (password-authentication? #f)))
>
> However, for whatever reason, openssh fails to start with this
> combination. However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.

Do you still have the generated sshd_config files handy, so we can
compare them and figure out what's broken?
-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlkDmCgACgkQJkb6MLrK
fwiskA/8DjrhL0/mHJRPkM3ZNbS7hKo0622AtkrIrFTJ5usS3veIA6fahihqEDve
RaHAMFrq2Muns/TuQVzqgiQVZjbIStef1sGbn/z90kP61XWX2N0+X2xBcsxso24+
CAjrKqjuZ90WrbeOEksN8fweqh/xguWtqCrnf1z/dUmM/pyNU7zmc1QYLnGV0Shw
X+yMDNIN80qYpOkAbtE+qpU2WR6X86oCh5eja31jeMaENJV0Bz13rk3HUd92AzHC
JBnnzenT+mWG5F3SwYUtzwYxFKPndNHVE+lleSbpTwKmyTwV9+lFtl/KRUp2qOEW
WJRfYm+mWhW3lOuu1XAD1LIEtV4WF+G/JvTrPY1k0FJ7knSqI0ggZ32BtbdZRV28
GxxoE43Q4hTSfTsnBfg+X62+ej0Vzp4fwIFqQg/IUUzU8XtnKhDUvAEihQ7B1suW
KN0IxrC9NLah2/UzyJOtdYe8q2RhZRmwZ2lXJi28XRPhEi4l8aQR+QG2x4kWqA6z
SRMuqNpiwwcGVqjccVUdPZCdnaiLDHVHam1R09x2PvJmDA3txXhdEVNZWBKsdE1W
3nRZBWovZRH8e6N+El41AecwLqUQCsgoQKa+w142BmpTxKxhspHkIYXv/4991BMq
v/LPE5XJLNRXaPuLOehto+cW7ze7JDSW/ZcxplAwdKMU2QHB8Vc=
=oTHR
-----END PGP SIGNATURE-----


C
C
Chris Marusich wrote on 30 Apr 2017 21:53
(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)
87vaplfza9.fsf@gmail.com
Christopher Allan Webber <cwebber@dustycloud.org> writes:

Toggle quote (20 lines)
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
> #$(match (openssh-configuration-permit-root-login config)
> (#t "yes")
> (#f "no")
> - ('without-password "without-password")))
> + ('without-password
> + ;; If we've already disabled password-authentication, this
> + ;; is redundant, and even stops the openssh server from
> + ;; starting up
> + (if (openssh-configuration-password-authentication? config)
> + "without-password"
> + "yes"))))
> (format port "PermitEmptyPasswords ~a\n"
> #$(if (openssh-configuration-allow-empty-passwords? config)
> "yes" "no"))
> #+END_SRC
>

Would it be better to fail with an error here? I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.

However, if this special case is clearly documented in the Guix manual,
then I'd be less off-put by it.

--
Chris
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAlkGQJ4ACgkQ3UCaFdgi
Rp2Y+A//b6Sqlb/akpsYc84dJGG3QDRYFA1pk9qW3s6h1zlta9J/7ELkQqTdFtYV
ML07HpKc/kfkU1wnBENyJamHFBgbB7KTmqXOuJvBbR1yH6jda1PwiSO1Z4bnvDa2
Bo5ZN1tUZV5S10xd+R3D0zsSDRsRqwf8QEnrQxAaCg/4V6zsfc0CelgZnBnmKbUM
JL9Sp5rYg2BPgI5cjHjzQ345LyX4E62r66cwNOtRbwVae9gD88wYbLBaEI1OLBuS
M8ZFDQXgbHRpAWZwveKSBGqmgxwrQytOqTMG0LM77AkYyOnjIjJfpJlBGmnTFqdf
xLml6cmWa2B/1XM4o/wS73B9WtfoomzmTyKDgrY4Bx2csKNCgAMzix9iG5P2Ex/q
nv9WOytmb6o24MJbGtbzPYxGdMEc9aA0YXCxU0hkY8tB6PhaiP5xAPM/yTh1J7I9
a3lj/OTXcTlMhL0tuzTVJcRf+gRhB9+0rQdI3bwOdyCJeXf6m6Vh6UGG9FhOOk7k
qsz6NQ2YMokEBUZvaA0TfkhwfRpRr1ilnIL+1jVZot5oW2GTzPYWJzPTKCcQVff2
JKezJm8+/PU+vNmGlm1PNn1Q3rq1oxpIwnHyqla0osR745YrMFnchebvJTkHC7H2
3FfiQyWD2sF4ZkdNFf3+aclfLbyeSk003kVWMrwcm3Zs6+X6KAo=
=DUuQ
-----END PGP SIGNATURE-----

?