GNU bug report logs - #49129
[PATCH] services: openssh: Replace 'without-password' by 'prohibit-password'.

Package: guix-patches

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Sun, 20 Jun 2021 10:14:02 UTC

Severity: normal

Tags: patch

Done: Tobias Geerinckx-Rice <me <at> tobias.gr>

Bug is archived. No further changes may be made.


Report forwarded to guix-patches <at> gnu.org:
bug#49129; Package guix-patches. (Sun, 20 Jun 2021 10:14:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Brice Waegeneire <brice <at> waegenei.re>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 20 Jun 2021 10:14:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Subject: [PATCH] services: openssh: Replace 'without-password' by
 'prohibit-password'.
Date: Sun, 20 Jun 2021 12:13:01 +0200

For some time, OpenSSH's option 'PermitRootLogin' has deprecated the
ambiguous argument 'without-password' with 'prohibit-password'.

* doc/guix.texi (Network Services): Replace 'without-password' by
'prohibit-password'.
* gnu/machine/digital-ocean.scm (guix-infect): Change system
configuration to use 'prohibit-password'.
* gnu/services/ssh.scm (openssh-configuration): Change comment to use
'prohibit-password'.
(openssh-config-file): Add support for 'prohibit-password' to
'permit-root-login'.
* gnu/tests/ganeti.scm (%ganeti-os): Replace 'without-password' by
'prohibit-password'.
---
 doc/guix.texi                 | 6 +++---
 gnu/machine/digital-ocean.scm | 3 ++-
 gnu/services/ssh.scm          | 6 ++++--
 gnu/tests/ganeti.scm          | 3 ++-
 4 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index efeb176e3d..66c6adc4f5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17070,7 +17070,7 @@ shell daemon, @command{sshd}.  Its value must be an
 (service openssh-service-type
          (openssh-configuration
            (x11-forwarding? #t)
-           (permit-root-login 'without-password)
+           (permit-root-login 'prohibit-password)
            (authorized-keys
              `(("alice" ,(local-file "alice.pub"))
                ("bob" ,(local-file "bob.pub"))))))
@@ -17104,7 +17104,7 @@ TCP port on which @command{sshd} listens for incoming connections.
 @item @code{permit-root-login} (default: @code{#f})
 This field determines whether and when to allow logins as root.  If
 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
-If it's the symbol @code{'without-password}, then root logins are
+If it's the symbol @code{'prohibit-password}, then root logins are
 permitted but not with password-based authentication.
 
 @item @code{allow-empty-passwords?} (default: @code{#f})
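
Review bot: the permit-root-login entry now documents only @code{'prohibit-password}, while gnu/services/ssh.scm in this same patch keeps accepting 'without-password as a deprecated value. Suggest adding a sentence to this @item saying that 'without-password is a deprecated synonym, so readers who find it in an existing configuration can tell what it means and what to replace it with.
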
@@ -29333,7 +29333,7 @@ cluster node that supports multiple storage backends, and installs the
                  ;; Ganeti uses SSH to communicate between nodes.
                  (service openssh-service-type
                           (openssh-configuration
-                           (permit-root-login 'without-password)))
+                           (permit-root-login 'prohibit-password)))
 
                  (service ganeti-service-type
                           (ganeti-configuration
diff --git a/gnu/machine/digital-ocean.scm b/gnu/machine/digital-ocean.scm
index 82383a8c7c..d97c300d18 100644
--- a/gnu/machine/digital-ocean.scm
+++ b/gnu/machine/digital-ocean.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019 Jakob L. Kreuze <zerodaysfordays <at> sdf.org>
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
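
Review bot: the added header line reads "Copyright © 2020 Brice Waegeneire", but the patch is dated June 2021; the same year is used in the lines added to gnu/services/ssh.scm and gnu/tests/ganeti.scm. Please confirm the year, or change it to 2021 if the work was done this year.
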
@@ -256,7 +257,7 @@ cat > /etc/bootstrap-config.scm << EOF
                  (service openssh-service-type
                           (openssh-configuration
                            (log-level 'debug)
-                           (permit-root-login 'without-password))))
+                           (permit-root-login 'prohibit-password))))
            %base-services)))
 EOF
 # guix pull
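
Review bot: the changed line sits inside the heredoc that writes /etc/bootstrap-config.scm, so the symbol is evaluated by whatever Guix is present on the machine being set up, not by the checkout that carries this patch, and the "# guix pull" context line suggests no pull happens first. Before this patch the match in openssh-config-file has clauses only for #t, #f and 'without-password, so an older Guix would have no clause for 'prohibit-password. Worth confirming which Guix revision evaluates this file, or keeping the old symbol here until that revision includes the ssh.scm change.
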
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..1017510dd5 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2019 Ricardo Wurmus <rekado <at> elephly.net>
 ;;; Copyright © 2020 pinoaffe <pinoaffe <at> airmail.cc>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -288,7 +289,7 @@ The other options should be self-descriptive."
   ;; integer
   (port-number           openssh-configuration-port-number
                          (default 22))
-  ;; Boolean | 'without-password
+  ;; Boolean | 'prohibit-password
   (permit-root-login     openssh-configuration-permit-root-login
                          (default #f))
   ;; Boolean
@@ -441,7 +442,8 @@ of user-name/file-like tuples."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password "prohibit-password") ; deprecated
+                       ('prohibit-password "prohibit-password")))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
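
Review bot: the match on openssh-configuration-permit-root-login still has no catch-all clause, so a mistyped symbol fails with a pattern-match error instead of a message that names permit-root-login and its accepted values; since this hunk already touches the clause list, a final clause raising a clear error would fit here. The 'without-password clause also rewrites the value silently: the "; deprecated" comment exists only in the source, so a user of the old symbol gets no signal to update their configuration.
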
diff --git a/gnu/tests/ganeti.scm b/gnu/tests/ganeti.scm
index ff853a7149..19c26b86dd 100644
--- a/gnu/tests/ganeti.scm
+++ b/gnu/tests/ganeti.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Marius Bakke <marius <at> gnu.org>.
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -65,7 +66,7 @@
 
                    (service openssh-service-type
                             (openssh-configuration
-                             (permit-root-login 'without-password)))
+                             (permit-root-login 'prohibit-password)))
 
                    (service ganeti-service-type
                             (ganeti-configuration
-- 
2.31.1





Information forwarded to guix-patches <at> gnu.org:
bug#49129; Package guix-patches. (Sun, 20 Jun 2021 10:29:02 GMT) Full text and rfc822 format available.

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: guix-patches <at> gnu.org, 49129 <at> debbugs.gnu.org
Subject: Re: [bug#49129] [PATCH] services: openssh: Replace
 'without-password' by 'prohibit-password'.
Date: Sun, 20 Jun 2021 12:28:53 +0200

Brice,

Brice Waegeneire wrote:
> For some time, OpenSSH's option 'PermitRootLogin' has deprecated the
> ambiguous argument 'without-password' with 'prohibit-password'.

Some time indeed.  Thanks.

LGTM modulo:

> +                       ('without-password "prohibit-password") 
> ; deprecated

Users won't ever see this comment.  Using the symbol should print 
a warning, likely using warn-about-deprecation from (guix 
deprecation).

Kind regards,

T G-R

Information forwarded to guix-patches <at> gnu.org:
bug#49129; Package guix-patches. (Sun, 20 Jun 2021 13:17:02 GMT) Full text and rfc822 format available.

Message #14 received at 49129 <at> debbugs.gnu.org (full text, mbox):

From: Brice Waegeneire <brice <at> waegenei.re>
To: 49129 <at> debbugs.gnu.org
Subject: [PATCH v2] services: openssh: Replace 'without-password' by
 'prohibit-password'.
Date: Sun, 20 Jun 2021 15:15:55 +0200

For some time, OpenSSH's option 'PermitRootLogin' has deprecated the
ambiguous argument 'without-password' with 'prohibit-password'.

* doc/guix.texi (Network Services): Replace 'without-password' by
'prohibit-password'.
* gnu/machine/digital-ocean.scm (guix-infect): Change system
configuration to use 'prohibit-password'.
* gnu/services/ssh.scm (openssh-configuration): Change comment to use
'prohibit-password'.
(openssh-config-file): Add support for 'prohibit-password' to
'permit-root-login'.
* gnu/tests/ganeti.scm (%ganeti-os): Replace 'without-password' by
'prohibit-password'.
---

I added a deprecation warning but without the fancy colors as I wasn't able
to use the common macros.

 doc/guix.texi                 |  6 +++---
 gnu/machine/digital-ocean.scm |  3 ++-
 gnu/services/ssh.scm          | 10 ++++++++--
 gnu/tests/ganeti.scm          |  3 ++-
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index efeb176e3d..66c6adc4f5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -17070,7 +17070,7 @@ shell daemon, @command{sshd}.  Its value must be an
 (service openssh-service-type
          (openssh-configuration
            (x11-forwarding? #t)
-           (permit-root-login 'without-password)
+           (permit-root-login 'prohibit-password)
            (authorized-keys
              `(("alice" ,(local-file "alice.pub"))
                ("bob" ,(local-file "bob.pub"))))))
@@ -17104,7 +17104,7 @@ TCP port on which @command{sshd} listens for incoming connections.
 @item @code{permit-root-login} (default: @code{#f})
 This field determines whether and when to allow logins as root.  If
 @code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
-If it's the symbol @code{'without-password}, then root logins are
+If it's the symbol @code{'prohibit-password}, then root logins are
 permitted but not with password-based authentication.
 
 @item @code{allow-empty-passwords?} (default: @code{#f})
@@ -29333,7 +29333,7 @@ cluster node that supports multiple storage backends, and installs the
                  ;; Ganeti uses SSH to communicate between nodes.
                  (service openssh-service-type
                           (openssh-configuration
-                           (permit-root-login 'without-password)))
+                           (permit-root-login 'prohibit-password)))
 
                  (service ganeti-service-type
                           (ganeti-configuration
diff --git a/gnu/machine/digital-ocean.scm b/gnu/machine/digital-ocean.scm
index 82383a8c7c..d97c300d18 100644
--- a/gnu/machine/digital-ocean.scm
+++ b/gnu/machine/digital-ocean.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2019 Jakob L. Kreuze <zerodaysfordays <at> sdf.org>
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -256,7 +257,7 @@ cat > /etc/bootstrap-config.scm << EOF
                  (service openssh-service-type
                           (openssh-configuration
                            (log-level 'debug)
-                           (permit-root-login 'without-password))))
+                           (permit-root-login 'prohibit-password))))
            %base-services)))
 EOF
 # guix pull
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..be97c1322f 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -6,6 +6,7 @@
 ;;; Copyright © 2019 Ricardo Wurmus <rekado <at> elephly.net>
 ;;; Copyright © 2020 pinoaffe <pinoaffe <at> airmail.cc>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust <at> gmail.com>
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -288,7 +289,7 @@ The other options should be self-descriptive."
   ;; integer
   (port-number           openssh-configuration-port-number
                          (default 22))
-  ;; Boolean | 'without-password
+  ;; Boolean | 'prohibit-password
   (permit-root-login     openssh-configuration-permit-root-login
                          (default #f))
   ;; Boolean
@@ -441,7 +442,12 @@ of user-name/file-like tuples."
                    #$(match (openssh-configuration-permit-root-login config)
                        (#t "yes")
                        (#f "no")
-                       ('without-password "without-password")))
+                       ('without-password
+                        (format (current-error-port) "warning: Option \
+'without-password for openssh-configuration-permit-root-login field is \
+deprecated.  Please use 'prohibit-password instead.\n")
+                        "prohibit-password")
+                       ('prohibit-password "prohibit-password")))
            (format port "PermitEmptyPasswords ~a\n"
                    #$(if (openssh-configuration-allow-empty-passwords? config)
                          "yes" "no"))
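
Review bot: the warning in the 'without-password clause is written with a bare format to (current-error-port) and a hard-coded "warning: " prefix, so it bypasses the deprecation helper suggested earlier in this thread (warn-about-deprecation from (guix deprecation)) and the string is not marked for translation. The message also names the accessor, "openssh-configuration-permit-root-login field", where users write the field as permit-root-login. Suggest routing it through the shared helper and naming the field the way it appears in a system configuration.
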
diff --git a/gnu/tests/ganeti.scm b/gnu/tests/ganeti.scm
index ff853a7149..19c26b86dd 100644
--- a/gnu/tests/ganeti.scm
+++ b/gnu/tests/ganeti.scm
@@ -1,5 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2020 Marius Bakke <marius <at> gnu.org>.
+;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -65,7 +66,7 @@
 
                    (service openssh-service-type
                             (openssh-configuration
-                             (permit-root-login 'without-password)))
+                             (permit-root-login 'prohibit-password)))
 
                    (service ganeti-service-type
                             (ganeti-configuration
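
Review bot: with this hunk the Ganeti test moves to 'prohibit-password, as does every other in-tree use touched by the patch, so nothing here exercises the deprecated 'without-password clause that gnu/services/ssh.scm still carries. A small test checking that a configuration using 'without-password still produces "PermitRootLogin prohibit-password" would keep the compatibility path from breaking unnoticed.
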
-- 
2.31.1





Reply sent to Tobias Geerinckx-Rice <me <at> tobias.gr>:
You have taken responsibility. (Sun, 20 Jun 2021 14:51:02 GMT) Full text and rfc822 format available.

Notification sent to Brice Waegeneire <brice <at> waegenei.re>:
bug acknowledged by developer. (Sun, 20 Jun 2021 14:51:02 GMT) Full text and rfc822 format available.

Message #19 received at 49129-done <at> debbugs.gnu.org (full text, mbox):

From: Tobias Geerinckx-Rice <me <at> tobias.gr>
To: Brice Waegeneire <brice <at> waegenei.re>
Cc: 49129-done <at> debbugs.gnu.org
Subject: Re: [bug#49129] [PATCH v2] services: openssh: Replace
 'without-password' by 'prohibit-password'.
Date: Sun, 20 Jun 2021 16:51:00 +0200

Brice Waegeneire wrote:
> I added a deprecation warning but without the fancy colors as I wasn't able
> to use the common macros.

Thanks for trying!  Getting source-properties out of CONFIG is 
also beyond my ken.  Are there any?

Anyway, 'without-password is a unique string that occurs in the 
user's system.scm by definition, so they can just search for it.

I changed this to use warn-about-deprecation and pushed the result 
as ef3f38ea0027f48feb6a29df131ac58bfbb46b7d.

Kind regards,

T G-R
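
An added example, not part of this thread or of Guix: a Python check that reads the text of an sshd_config and reports a leftover 'without-password', the value this patch maps to 'prohibit-password'. The function name and the sample file are constructed for illustration; it relies on sshd using the first value it reads for a keyword, with Match blocks acting as conditional overrides.

```python
import re

# Values sshd accepts for PermitRootLogin; 'without-password' is the
# deprecated alias of 'prohibit-password'.
CANONICAL = {"yes", "no", "prohibit-password", "forced-commands-only"}
DEPRECATED = {"without-password": "prohibit-password"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
PermitRootLogin without-password
PermitEmptyPasswords no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
"""


def audit_permit_root_login(config_text):
    """Return (effective_global_value, findings) for sshd_config text.

    effective_global_value is None when the keyword is not set globally.
    findings is a list of (line_number, message) tuples.
    """
    effective, findings, in_match = None, [], False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything after this line is conditional
            continue
        if keyword != "permitrootlogin":
            continue
        if value in DEPRECATED:
            findings.append((lineno, f"deprecated '{value}', use '{DEPRECATED[value]}'"))
            value = DEPRECATED[value]
        elif value not in CANONICAL:
            findings.append((lineno, f"unknown value '{value}'"))
            continue
        if in_match:
            findings.append((lineno, f"Match block override: {value}"))
        elif effective is None:
            effective = value  # first global value wins
        else:
            findings.append((lineno, f"ignored duplicate: {value}"))
    return effective, findings
```
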

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 19 Jul 2021 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 3 years and 336 days ago.


GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.