[PATCH] doc: Secure Shell: Add note about sshd and wrong permissions

Status: Open
Participants: Ludovic Courtès, zero@fedora
Owner: unassigned
Submitted by: zero@fedora
Severity: normal
zero@fedora wrote on 12 Dec 2023 00:35
(address . guix-patches@gnu.org)(name . zero@fedora)(address . shinyzero0@tilde.club)
20231211233532.63690-1-shinyzero0@tilde.club
* doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions
---
doc/guix.texi | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 7dde9b727b..832fed3b97 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -44306,6 +44306,13 @@ predictable fashion, almost independently of state on the local machine.
To do that, you instantiate @code{home-openssh-service-type} in your
Home configuration, as explained below.
+@quotation Note
+Note that @command{sshd} will block any @command{ssh} connections to you if
+your files in @file{~/.ssh} have wrong permissions or ownership, as the ones
+created by this service do. To fix that, you need to set @code{StrictModes=no}
+in your @command{sshd} configuration
+@end quotation
+
@defvar home-openssh-service-type
This is the type of the service to set up the OpenSSH client. It takes
care of several things:
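Review bot: The remedy on the "To fix that" line, `StrictModes=no`, switches off sshd's check of file modes and ownership of the user's files and home directory before accepting a login, so the manual would be telling readers to weaken the server instead of repairing the files; suggest dropping the workaround, or pointing readers at correcting ownership and modes under @file{~/.ssh}. The clause "as the ones created by this service do" asserts that the service produces wrong permissions without a reproduction, and should be qualified or backed by one. Minor: "Note that" is redundant inside @quotation Note, and the final sentence has no closing period.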
--
2.43.0
Ludovic Courtès wrote on 14 Dec 2023 14:43
(name . zero@fedora)(address . shinyzero0@tilde.club)(address . 67789@debbugs.gnu.org)
87le9wx5kt.fsf@gnu.org
Hello,

"zero@fedora" <shinyzero0@tilde.club> skribis:

> * doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions

[...]

> +@quotation Note
> +Note that @command{sshd} will block any @command{ssh} connections to you if
> +your files in @file{~/.ssh} have wrong permissions or ownership, as the ones
> +created by this service do. To fix that, you need to set @code{StrictModes=no}
> +in your @command{sshd} configuration
> +@end quotation

I think we’d rather fix the permissions of those files than document the
bug.

On my laptop permissions seem to be good:

$ ls -ld ~/.ssh/authorized_keys
lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
$ ls -ld ~/.ssh
drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
$ ssh localhost uname
Linux

Maybe there are cases when this is not the case, maybe when ~/.ssh does
not exist prior to running ‘guix home reconfigure’?

Thanks,
Ludo’.
Ludovic Courtès wrote on 14 Dec 2023 14:43
control message for bug #67789
(address . control@debbugs.gnu.org)
87jzpgx5kn.fsf@gnu.org
tags 67789 + moreinfo
quit
ShinyZero0 wrote on 15 Dec 2023 20:24
Re: [bug#67789] [PATCH] doc: Secure Shell: Add note about sshd and wrong permissions
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 67789@debbugs.gnu.org)
CXP5IXYUT1EA.2VBTIL3Q5CK0P@fedora
On Thu Dec 14, 2023 at 4:43 PM MSK, Ludovic Courtès wrote:
> On my laptop permissions seem to be good:
>
> --8<---------------cut here---------------start------------->8---
> $ ls -ld ~/.ssh/authorized_keys
> lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
> $ ls -ld ~/.ssh
> drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
> $ ssh localhost uname
> Linux
> --8<---------------cut here---------------end--------------->8---
>
> Maybe there are cases when this is not the case, maybe when ~/.ssh does
> not exist prior to running ‘guix home reconfigure’?
>
> Thanks,
> Ludo’.

I'm using guix on a foreign (Fedora) distro, obviously I had ~/.ssh
directory with right permissions before replacing it with guix-generated
one. Maybe it's vice versa: the permissions are wrong when the ~/.ssh is
being replaced?
Honestly, I thought it's unfixable, like, can we change
the permissions of a symlink?
Oh, and I checked my permissions, and they are the same. Maybe the
problem is somewhere within my sshd?
Thanks,
Paul.
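
As an added example (not code from Guix, OpenSSH or either participant), the Python script below approximates the StrictModes test on authorized_keys to show which paths matter when the file is a symlink: the path is resolved first, so the target and its parent directories are examined rather than the link's own lrwxrwxrwx mode. Assumptions: the rules are modelled on OpenSSH's behaviour (owner must be root or the user, no group/world write bit, walk upward until the home directory or /), the names strictmodes_walk and report are hypothetical, and unlike sshd it lists every finding instead of stopping at the first.

```python
import os
import stat


def strictmodes_walk(name, home, uid):
    """Return [(path, problem or None), ...] for every path examined.
    Assumption: approximates sshd's StrictModes test. Symlinks are resolved
    first; the file and each directory above it, up to the home directory
    or /, must be owned by root or `uid` and not group/world-writable.
    """
    real = os.path.realpath(name)
    real_home = os.path.realpath(home)

    def problem(path, want_regular):
        try:
            st = os.stat(path)
        except OSError as exc:
            return f"cannot stat: {exc.strerror}"
        if want_regular and not stat.S_ISREG(st.st_mode):
            return "not a regular file"
        if st.st_uid not in (0, uid):
            return f"owned by uid {st.st_uid}, expected 0 or {uid}"
        if st.st_mode & 0o022:
            return f"group/world-writable, mode {stat.S_IMODE(st.st_mode):04o}"
        return None

    results = [(real, problem(real, True))]
    current = real
    while True:
        current = os.path.dirname(current)
        results.append((current, problem(current, False)))
        # Stop at the home directory, or at / when the target lies outside it
        if current == real_home or current == os.path.dirname(current):
            break
    return results


def report(name=None, home=None, uid=None):
    """Print and return the failing paths; defaults to the current user."""
    home = home or os.path.expanduser("~")
    name = name or os.path.join(home, ".ssh", "authorized_keys")
    uid = os.getuid() if uid is None else uid
    bad = [(p, why) for p, why in strictmodes_walk(name, home, uid) if why]
    for path, why in bad:
        print(f"{path}: {why}")
    return bad


if __name__ == "__main__":
    raise SystemExit(1 if report() else 0)
```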