guix-devel

[PATCH 0/2] Openssh service patches


From: Clément Lassieur
Subject: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 17:37:06 +0100

The first patch adds PAM to the OpenSSH service, and enables it by default.

This allows one to log in (with a public key) if the account is locked.
Otherwise, one would have to set up a password manually or, say, put '*' in
/etc/shadow (with 'usermod -p').  It matters because accounts created by
GuixSD are locked.

Whether to enable it by default is debatable because it is disabled upstream,
but it is enabled on every distribution I had a look at.

The relevant part of the documentation is:

--8<---------------cut here---------------start------------->8---
UsePAM  Enables the Pluggable Authentication Module interface.  If set to
        yes this will enable PAM authentication using
        ChallengeResponseAuthentication and PasswordAuthentication in
        addition to PAM account and session module processing for all
        authentication types.

        Because PAM challenge-response authentication usually serves an
        equivalent role to password authentication, you should disable
        either PasswordAuthentication or ChallengeResponseAuthentication.

        If UsePAM is enabled, you will not be able to run sshd(8) as a
        non-root user.  The default is no.
--8<---------------cut here---------------end--------------->8---

It also explains why I set ChallengeResponseAuthentication to 'no' by default.

The second patch removes the 'RSAAuthentication' option, which causes warnings
because it is deprecated.

Clément Lassieur (2):
  services: openssh: Use PAM in sshd by default.
  services: openssh: remove deprecated 'RSAAuthentication' option.

 gnu/services/ssh.scm | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

-- 
2.11.1
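
The option interplay described in this message can be checked against a generated sshd_config. The Python script below is an added example, not part of the patch series or of Guix: it reads the global section, applies sshd's first-value-wins rule, and flags UsePAM with both password-style methods enabled as well as the deprecated 'RSAAuthentication' keyword. The upstream defaults for PasswordAuthentication and ChallengeResponseAuthentication (yes) are an assumption taken from sshd_config(5), and the sample configurations are constructed.

```python
import re

# Assumed upstream defaults per sshd_config(5): UsePAM no, the other two yes.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}
DEPRECATED = {"rsaauthentication"}  # option removed by the second patch


def effective_settings(text):
    """Parse the global section; return (settings, deprecated keywords seen)."""
    settings, deprecated = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope here
        if key in DEPRECATED:
            deprecated.append(parts[0])
        # sshd uses the first value obtained for each keyword.
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings, deprecated


def audit(text):
    """Return a list of findings for the options discussed in the message."""
    settings, deprecated = effective_settings(text)
    eff = {k: settings.get(k, d).lower() for k, d in DEFAULTS.items()}
    findings = []
    if all(eff[k] == "yes" for k in DEFAULTS):
        findings.append("UsePAM with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled")
    findings += [f"deprecated option: {name}" for name in deprecated]
    return findings


# Constructed sample configurations (not taken from the patch).
WEAK = "UsePAM yes\nRSAAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED = ("usepam = yes\nChallengeResponseAuthentication no\n"
            "ChallengeResponseAuthentication yes\nMatch User guest\n"
            "  PasswordAuthentication no\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

In the hardened sample the second ChallengeResponseAuthentication line is ignored because the first value wins, and the Match block is not evaluated.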



