openssh: root 'without-password & password-authentication #f both breaks service

Open

Details

3 participants

Chris Marusich
Christopher Allan Webber
Leo Famulari

Owner: unassigned

Submitted by: Christopher Allan Webber

Severity: normal

Christopher Allan Webber wrote on 28 Apr 2017 16:52

Recipients:(address . bug-guix@gnu.org)

Message-ID:87h918twir.fsf@dustycloud.org

I wanted to permit root logins but only permit public key authentication

in my openssh configuration. This was my original assumption of how to

do it:

(service openssh-service-type

(openssh-configuration

(permit-root-login 'without-password)

(password-authentication? #f)))

However, for whatever reason, openssh fails to start with this

combination. However, it turns out this is redundant, since the

configuration is already only permitting with public key authentication.

(service openssh-service-type

(openssh-configuration

(permit-root-login #t)

(password-authentication? #f)))

This route is sufficient.

However maybe we should prevent people from accidentally causing openssh

to not start. Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff

Toggle diff (20 lines)diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password
+                        ;; If we've already disabled password-authentication, this
+                        ;; is redundant, and even stops the openssh server from
+                        ;; starting up
+                        (if (openssh-configuration-password-authentication? config)
+                            "without-password"
+                            "yes"))))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
#+END_SRC

Leo Famulari wrote on 28 Apr 2017 21:29

Recipients:(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)

Message-ID:20170428192944.GC6736@jasmine

On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:

Toggle quote (13 lines)> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration.  This was my original assumption of how to
> do it:
> 
>   (service openssh-service-type
>           (openssh-configuration
>            (permit-root-login 'without-password)
>            (password-authentication? #f)))
> 
> However, for whatever reason, openssh fails to start with this
> combination.  However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.

Do you still have the generated sshd_config files handy, so we can

compare them and figure out what's broken?

Chris Marusich wrote on 30 Apr 2017 21:53

Recipients:(name . Christopher Allan Webber)(address . cwebber@dustycloud.org)(address . 26696@debbugs.gnu.org)

Message-ID:87vaplfza9.fsf@gmail.com

Christopher Allan Webber <cwebber@dustycloud.org> writes:

Toggle quote (20 lines)> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
>                     #$(match (openssh-configuration-permit-root-login config)
>                         (#t "yes")
>                         (#f "no")
> -                       ('without-password "without-password")))
> +                       ('without-password
> +                        ;; If we've already disabled password-authentication, this
> +                        ;; is redundant, and even stops the openssh server from
> +                        ;; starting up
> +                        (if (openssh-configuration-password-authentication? config)
> +                            "without-password"
> +                            "yes"))))
>             (format port "PermitEmptyPasswords ~a\n"
>                     #$(if (openssh-configuration-allow-empty-passwords? config)
>                           "yes" "no"))
> #+END_SRC
>

Would it be better to fail with an error here?  I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.

However, if this special case is clearly documented in the Guix manual,
then I'd be less off-put by it.

-- 
Chris

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 26696@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 26696

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date