05/06: services: openssh: Warn about 'password-authentication?' default.
From: guix-commits
Subject: 05/06: services: openssh: Warn about 'password-authentication?' default.
Date: Mon, 7 Dec 2020 06:49:54 -0500 (EST)
civodul pushed a commit to branch master
in repository guix.
commit aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Dec 7 12:34:26 2020 +0100
services: openssh: Warn about 'password-authentication?' default.
Fixes <https://bugs.gnu.org/44808>.
Reported by Christopher Lemmer Webber <cwebber@dustycloud.org>.
* gnu/services/ssh.scm (true-but-soon-false): New procedure.
(<openssh-configuration>)[password-authentication?]: Change default to
'true-but-soon-false'.
* gnu/installer/services.scm (%system-services): Explicitly set
'password-authentication?' to #f.
---
gnu/installer/services.scm | 8 ++++++--
gnu/services/ssh.scm | 18 ++++++++++++++++--
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm
index ec5ea30..14a3bb9 100644
--- a/gnu/installer/services.scm
+++ b/gnu/installer/services.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
-;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
;;;
;;; This file is part of GNU Guix.
@@ -93,7 +93,11 @@
(system-service
(name (G_ "OpenSSH secure shell daemon (sshd)"))
(type 'networking)
- (snippet '((service openssh-service-type))))
+ (snippet '((service openssh-service-type
+ (openssh-configuration
+ ;; Currently the default is #t but it's considered
+ ;; unsafe. Explicitly pass #f.
+ (password-authentication? #f))))))
(system-service
(name (G_ "Tor anonymous network router"))
(type 'networking)
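Review bot: The explanatory comment sits inside the quoted snippet (";; Currently the default is #t but it's considered unsafe. Explicitly pass #f."), so the reader discards it and it never becomes part of the snippet datum; anything produced from this snippet carries only (password-authentication? #f) with no rationale. If the comment is for maintainers, move it above the (snippet ...) form; if it is meant for the person installing, it has to be conveyed some other way, for example in the service's description string. The snippet also configures no authorized keys, so a system installed with this entry selected has sshd running with password logins off and no key set up by this snippet; that is the safer default, but it is worth saying so where the user will see it.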
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0..1e45495 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -1,5 +1,5 @@
;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès
<ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès
<ludo@gnu.org>
;;; Copyright © 2016 David Craven <david@craven.ch>
;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
@@ -33,6 +33,9 @@
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (guix modules)
+ #:use-module ((guix i18n) #:select (G_))
+ #:use-module ((guix diagnostics) #:select (warning
source-properties->location))
+ #:use-module ((guix memoization) #:select (mlambda))
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-26)
#:use-module (ice-9 match)
@@ -276,6 +279,16 @@ The other options should be self-descriptive."
;;; OpenSSH.
;;;
+(define true-but-soon-false
+ (mlambda (loc)
+ ;; The plan is to change the default 'password-authentication?' to #f in
+ ;; Guix 1.3.0 or so. See <https://issues.guix.gnu.org/44808>.
+ (warning (source-properties->location loc)
+ (G_ "The default value of the 'password-authentication?'
+field of 'openssh-configuration' will change from #true to #false in the
+future. Explicitly set it to #true to allow password authentication.~%"))
+ #t))
+
(define-record-type* <openssh-configuration>
openssh-configuration make-openssh-configuration
openssh-configuration?
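Review bot: The warning text in true-but-soon-false only explains how to keep the old behaviour ("Explicitly set it to #true to allow password authentication."); it does not say that setting the field to #false adopts the future default now and also silences the warning, which is the outcome the installer hunk's "considered unsafe" comment points to. Suggest extending the message along the lines of "Explicitly set it to #true to allow password authentication, or to #false to disable it." A short comment on why mlambda is used (one warning per source location rather than one per evaluation) would help the next reader, since the in-code comment covers only the planned change of default.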
@@ -296,7 +309,8 @@ The other options should be self-descriptive."
(default #f))
;; Boolean
(password-authentication? openssh-configuration-password-authentication?
- (default #t))
+ (default (true-but-soon-false
+ (current-source-location))))
;; Boolean
(public-key-authentication? openssh-configuration-public-key-authentication?
(default #t))
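Review bot: The default of password-authentication? now emits a deprecation-style warning, but the diffstat lists only gnu/installer/services.scm and gnu/services/ssh.scm, so the manual's description of this field is not updated in the same commit. Suggest noting there that the default is scheduled to become #f and recommending an explicit value. The ";; Boolean" comment above the field could also mention that the default is transitional, since (default (true-but-soon-false (current-source-location))) no longer reads as a plain boolean to someone scanning the record definition.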