From: Chris Marusich
To: Christopher Allan Webber
Cc: 26696@debbugs.gnu.org
Subject: Re: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
Date: Sun, 30 Apr 2017 12:53:02 -0700
In-Reply-To: <87h918twir.fsf@dustycloud.org> (Christopher Allan Webber's message of "Fri, 28 Apr 2017 09:52:12 -0500")
Message-ID: <87vaplfza9.fsf@gmail.com>

Christopher Allan Webber writes:

> --- a/gnu/services/ssh.scm > +++ b/gnu/services/ssh.scm 
> @@ -342,7 +342,13 @@ The other options should be self-descriptive." > #$(match (openssh-configuration-permit-root-login con= fig) > (#t "yes") > (#f "no") > - ('without-password "without-password"))) > + ('without-password > + ;; If we've already disabled password-authentica= tion, this > + ;; is redundant, and even stops the openssh serv= er from > + ;; starting up > + (if (openssh-configuration-password-authenticati= on? config) > + "without-password" > + "yes")))) > (format port "PermitEmptyPasswords ~a\n" > #$(if (openssh-configuration-allow-empty-passwords? c= onfig) > "yes" "no"))
> #+END_SRC

Would it be better to fail with an error here? I'd be a little confused and disturbed if I specified 'without-password expecting to get "without-password" for the value of PermitRootLogin, but later found that the OpenSSH daemon's config file contained the un-requested value "yes", even if the end result happens to have the desired effect. However, if this special case is clearly documented in the Guix manual, then I'd be less off-put by it.

-- 
Chris
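
Review bot: In the new 'without-password branch, the else arm writes "yes" into PermitRootLogin whenever password-authentication? is #f, so the generated file carries a value the user never asked for, and one that by itself is the least restrictive setting for root. sshd documents without-password as denying root both password and keyboard-interactive authentication, while the condition here only consults password-authentication?, so the comment's "redundant" holds only if nothing else in the generated config leaves keyboard-interactive available; please confirm that and say so in the comment. The comment should also state why sshd fails to start with this combination (or cite bug#26696) and end with a period. Either document the substitution where the manual describes permit-root-login, or raise an error at configuration time instead of rewriting the value silently.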