GNU bug report logs - #26696
openssh: root 'without-password & password-authentication #f both breaks service
Report forwarded to bug-guix <at> gnu.org: bug#26696; Package guix. (Fri, 28 Apr 2017 14:53:02 GMT)
Acknowledgement sent to Christopher Allan Webber <cwebber <at> dustycloud.org>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Fri, 28 Apr 2017 14:53:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
I wanted to permit root logins but only permit public key authentication
in my openssh configuration. This was my original assumption of how to
do it:

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login 'without-password)
            (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this
combination. However, it turns out this is redundant, since the
configuration is already only permitting with public key authentication.

  (service openssh-service-type
           (openssh-configuration
            (permit-root-login #t)
            (password-authentication? #f)))

This route is sufficient.
However maybe we should prevent people from accidentally causing openssh
to not start. Here's a suggested route... though I haven't tested it:
#+BEGIN_SRC diff
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9917c311c..f1f2ab3dc 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -342,7 +342,13 @@ The other options should be self-descriptive."
#$(match (openssh-configuration-permit-root-login config)
(#t "yes")
(#f "no")
- ('without-password "without-password")))
+ ('without-password
+ ;; If we've already disabled password-authentication, this
+ ;; is redundant, and even stops the openssh server from
+ ;; starting up
+ (if (openssh-configuration-password-authentication? config)
+ "without-password"
+ "yes"))))
(format port "PermitEmptyPasswords ~a\n"
#$(if (openssh-configuration-allow-empty-passwords? config)
"yes" "no"))
#+END_SRC
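Review bot: In the new 'without-password branch, falling back to "yes" when password-authentication? is #f does not produce an equivalent setting. For sshd, PermitRootLogin without-password disables keyboard-interactive authentication for root as well as password authentication, while "yes" combined with PasswordAuthentication no still leaves keyboard-interactive open to root whenever that method is enabled. The rewrite can therefore widen root access beyond what was requested. Consider keeping "without-password" in the emitted file and fixing whatever prevents sshd from starting, or rejecting the combination with an error instead of substituting "yes".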
Information forwarded to bug-guix <at> gnu.org: bug#26696; Package guix. (Fri, 28 Apr 2017 19:30:03 GMT)
Message #8 received at 26696 <at> debbugs.gnu.org (full text, mbox):
On Fri, Apr 28, 2017 at 09:52:12AM -0500, Christopher Allan Webber wrote:
> I wanted to permit root logins but only permit public key authentication
> in my openssh configuration. This was my original assumption of how to
> do it:
>
>   (service openssh-service-type
>            (openssh-configuration
>             (permit-root-login 'without-password)
>             (password-authentication? #f)))
>
> However, for whatever reason, openssh fails to start with this
> combination. However, it turns out this is redundant, since the
> configuration is already only permitting with public key authentication.
Do you still have the generated sshd_config files handy, so we can
compare them and figure out what's broken?
Information forwarded to bug-guix <at> gnu.org: bug#26696; Package guix. (Sun, 30 Apr 2017 19:54:01 GMT)
Message #11 received at 26696 <at> debbugs.gnu.org (full text, mbox):
Christopher Allan Webber <cwebber <at> dustycloud.org> writes:
> --- a/gnu/services/ssh.scm
> +++ b/gnu/services/ssh.scm
> @@ -342,7 +342,13 @@ The other options should be self-descriptive."
> #$(match (openssh-configuration-permit-root-login config)
> (#t "yes")
> (#f "no")
> - ('without-password "without-password")))
> + ('without-password
> + ;; If we've already disabled password-authentication, this
> + ;; is redundant, and even stops the openssh server from
> + ;; starting up
> + (if (openssh-configuration-password-authentication? config)
> + "without-password"
> + "yes"))))
> (format port "PermitEmptyPasswords ~a\n"
> #$(if (openssh-configuration-allow-empty-passwords? config)
> "yes" "no"))
> #+END_SRC
>
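Review bot: The comment added under 'without-password states that the value "even stops the openssh server from starting up" but gives no cause, so a later reader cannot tell whether the workaround is still needed. Before this goes in, check the generated file with sshd's test mode (sshd -t with -f pointing at that file), record the actual error in the comment, and confirm that the failure really depends on the value of password-authentication? rather than on something else in the generated configuration.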
Would it be better to fail with an error here? I'd be a little confused
and disturbed if I specified 'without-password expecting to get
"without-password" for the value of PermitRootLogin, but later found
that the OpenSSH daemon's config file contained the un-requested value
"yes", even if the end result happens to have the desired effect.
However, if this special case is clearly documented in the Guix manual,
then I'd be less off-put by it.
--
Chris
[signature.asc (application/pgp-signature, inline)]
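To compare the two PermitRootLogin values discussed in this thread, the following added example (not part of the original messages or of Guix) computes which authentication methods a given sshd_config leaves open to root. The sample configurations are constructed and the function names are hypothetical; only the global section and three methods are modelled.

```python
# Added example: which authentication methods an sshd_config leaves open to root.
# Assumptions: only the global section is read (parsing stops at the first Match
# block); only password, keyboard-interactive and publickey are modelled; whether
# a keyboard-interactive backend such as PAM is configured is not checked;
# forced-commands-only is reported as publickey without checking for a command.
ROOT_MODES = {"yes", "no", "prohibit-password", "without-password",
              "forced-commands-only"}
DEFAULTS = {"permitrootlogin": "prohibit-password",   # sshd defaults
            "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return the settings above; sshd keeps the first value seen per keyword."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def root_auth_methods(text):
    """Set of modelled methods that root may use under this configuration."""
    cfg = parse_global(text)
    mode = cfg["permitrootlogin"]
    if mode not in ROOT_MODES:
        raise ValueError(f"invalid PermitRootLogin value: {mode!r}")
    if mode == "no":
        return set()
    methods = {"publickey"} if cfg["pubkeyauthentication"] == "yes" else set()
    if mode == "yes":  # only "yes" lets root use the interactive methods
        for key, name in (("passwordauthentication", "password"),
                          ("kbdinteractiveauthentication", "keyboard-interactive")):
            if cfg[key] == "yes":
                methods.add(name)
    return methods

# Constructed samples, not the files the Guix service generated.
REQUESTED = "PermitRootLogin without-password\nPasswordAuthentication no\n"
PATCHED = "PermitRootLogin yes\nPasswordAuthentication no\n"
PATCHED_NO_KBD = PATCHED + "ChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for label, text in (("requested", REQUESTED), ("patched", PATCHED),
                        ("patched, kbd-interactive off", PATCHED_NO_KBD)):
        print(f"{label}: {sorted(root_auth_methods(text))}")
```

With the constructed samples, the "yes" variant matches the requested policy only once keyboard-interactive authentication is also switched off.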
This bug report was last modified 8 years and 43 days ago.