[PATCH] doc: Secure Shell: Add note about sshd and wrong permissions

Status: Open
Participants: Ludovic Courtès, zero@fedora
Owner: unassigned
Submitted by: zero@fedora
Severity: normal
zero@fedora wrote on 12 Dec 2023 00:35
(address . guix-patches@gnu.org)(name . zero@fedora)(address . shinyzero0@tilde.club)
20231211233532.63690-1-shinyzero0@tilde.club
* doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions
---
doc/guix.texi | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 7dde9b727b..832fed3b97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -44306,6 +44306,13 @@ predictable fashion, almost independently of state on the local machine.
To do that, you instantiate @code{home-openssh-service-type} in your
Home configuration, as explained below.
+@quotation Note
+Note that @command{sshd} will block any @command{ssh} connections to you if
+your files in @file{~/.ssh} have wrong permissions or ownership, as the ones
+created by this service do. To fix that, you need to set @code{StrictModes=no}
+in your @command{sshd} configuration
+@end quotation
+
@defvar home-openssh-service-type
This is the type of the service to set up the OpenSSH client. It takes
care of several things:
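Review bot: the new note's remedy, @code{StrictModes=no}, turns the permission check off instead of correcting the "wrong permissions or ownership" that the same sentence attributes to the files this service creates. If the files really are wrong, the fix belongs in the service rather than in a documented workaround. If the note stays, it should say that this is a setting of the server's @command{sshd}, not of the client that @code{home-openssh-service-type} configures, and that it relaxes the check rather than repairing the files. Wording: "Note that" repeats the @quotation Note heading, "connections to you" would read better as "incoming connections to your account", and the last sentence is missing its final period.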
--
2.43.0
Ludovic Courtès wrote on 14 Dec 2023 14:43
(name . zero@fedora)(address . shinyzero0@tilde.club)(address . 67789@debbugs.gnu.org)
87le9wx5kt.fsf@gnu.org
Hello,

"zero@fedora" <shinyzero0@tilde.club> skribis:

> * doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions

[...]

> +@quotation Note
> +Note that @command{sshd} will block any @command{ssh} connections to you if
> +your files in @file{~/.ssh} have wrong permissions or ownership, as the ones
> +created by this service do. To fix that, you need to set @code{StrictModes=no}
> +in your @command{sshd} configuration
> +@end quotation

I think we’d rather fix the permissions of those files than document the
bug.

On my laptop permissions seem to be good:

$ ls -ld ~/.ssh/authorized_keys
lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
$ ls -ld ~/.ssh
drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
$ ssh localhost uname
Linux

Maybe there are cases when this is not the case, maybe when ~/.ssh does
not exist prior to running ‘guix home reconfigure’?

Thanks,
Ludo’.
Ludovic Courtès wrote on 14 Dec 2023 14:43
control message for bug #67789
(address . control@debbugs.gnu.org)
87jzpgx5kn.fsf@gnu.org
tags 67789 + moreinfo
quit
ShinyZero0 wrote on 15 Dec 2023 20:24
Re: [bug#67789] [PATCH] doc: Secure Shell: Add note about sshd and wrong permissions
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 67789@debbugs.gnu.org)
CXP5IXYUT1EA.2VBTIL3Q5CK0P@fedora
On Thu Dec 14, 2023 at 4:43 PM MSK, Ludovic Courtès wrote:
> On my laptop permissions seem to be good:
>
> --8<---------------cut here---------------start------------->8---
> $ ls -ld ~/.ssh/authorized_keys
> lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
> $ ls -ld ~/.ssh
> drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
> $ ssh localhost uname
> Linux
> --8<---------------cut here---------------end--------------->8---
>
> Maybe there are cases when this is not the case, maybe when ~/.ssh does
> not exist prior to running ‘guix home reconfigure’?
>
> Thanks,
> Ludo’.

I'm using Guix on a foreign (Fedora) distro; obviously I had a ~/.ssh
directory with the right permissions before replacing it with the
Guix-generated one. Maybe it's vice versa: the permissions are wrong when
~/.ssh is being replaced?
Honestly, I thought it was unfixable, like, can we change
the permissions of a symlink?
Oh, and I checked my permissions, and they are the same. Maybe the
problem is somewhere within my sshd?
Thanks,
Paul.
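
An added diagnostic, not part of the thread or of Guix: it approximates the path check that OpenSSH's sshd applies to authorized_keys when StrictModes is on, which resolves the symlink and then requires the target and each containing directory, up to the home directory or /, to be owned by the user or root and not writable by group or others. It assumes GNU coreutils (`stat -c`, `readlink -f`); `strict_check` is a hypothetical name, and unlike sshd it reports every failing component instead of stopping at the first.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and readlink.
# Usage: strict_check FILE [HOME_DIR [UID]]
#   e.g. strict_check ~/.ssh/authorized_keys
# Prints every path that fails; returns 0 if all pass, 1 otherwise.
strict_check() {
    sc_home=$(readlink -f "${2:-$HOME}")
    sc_uid=${3:-$(id -u)}
    # Resolve symlinks first: the link's own lrwxrwxrwx mode is never
    # examined, only the target and the directories that contain it.
    sc_path=$(readlink -f "$1")
    if [ ! -f "$sc_path" ]; then
        echo "missing or not a regular file: $1"
        return 1
    fi
    sc_rc=0
    while :; do
        set -- $(stat -c '%u %a' "$sc_path")   # $1 = owner uid, $2 = octal mode
        # Owner must be the user or root; no group/other write bit.
        if { [ "$1" != "$sc_uid" ] && [ "$1" != 0 ]; } ||
           [ $(( 0$2 & 022 )) -ne 0 ]; then
            echo "bad: $sc_path (uid=$1 mode=$2)"
            sc_rc=1
        fi
        # Stop at the home directory if the walk reaches it, else at /.
        if [ "$sc_path" = "$sc_home" ] || [ "$sc_path" = / ]; then
            break
        fi
        sc_path=$(dirname "$sc_path")
    done
    return $sc_rc
}
```

When the file is a symlink that points outside the home directory, the walk follows the target's parents all the way to / and never passes through ~/.ssh, so the output shows which resolved component fails.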