GNU bug report logs - #62948
Using home-ssh-agent-configuration on Ubuntu breaks login


Package: guix;

Reported by: Janneke Nieuwenhuizen <janneke <at> gnu.org>

Date: Wed, 19 Apr 2023 16:29:02 UTC

Severity: normal

Tags: patch

Done: Janneke Nieuwenhuizen <janneke <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Subject: bug#62948: closed (Re: bug#62948: Using home-ssh-agent-configuration
 on Ubuntu breaks login)
Date: Wed, 24 May 2023 10:02:02 +0000
Your bug report

#62948: Using home-ssh-agent-configuration on Ubuntu breaks login

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 62948 <at> debbugs.gnu.org.

-- 
62948: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=62948
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: 62948-done <at> debbugs.gnu.org
Subject: Re: bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks
 login
Date: Wed, 24 May 2023 12:00:49 +0200
Janneke Nieuwenhuizen writes:

> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login.  I cannot access the logs and don't know what the
> problem might be.

Pushed to master as c57693846c7c6586c6cd1b4e4002fe399e3a2c42

-- 
Janneke Nieuwenhuizen <janneke <at> gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com

From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: Using home-ssh-agent-configuration on Ubuntu breaks login
Date: Wed, 19 Apr 2023 18:28:16 +0200
Hi,

Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login.  I cannot access the logs and don't know what the
problem might be.

When, after running `guix home reconfigure', you do something like:

--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---
key-based login succeeds.

A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone.  However, when using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys '())))
--8<---------------cut here---------------end--------------->8---

any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file.  I don't see how that is useful; it certainly
breaks key-based login.

Using

--8<---------------cut here---------------start------------->8---
(service
  home-openssh-service-type
  (home-openssh-configuration
   (authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---

yields a backtrace.

The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.

WDYT?

Greetings,
Janneke

[0001-home-services-ssh-Support-leaving-.ssh-authorized_ke.patch (text/x-patch, inline)]
From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen <janneke <at> gnu.org>
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
 alone.

The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file.  On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.

* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
 doc/guix.texi             |  8 +++++---
 gnu/home/services/ssh.scm | 22 ++++++++++++----------
 2 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time.
 Preparing this list can be relatively tedious though, which is why
 @code{*unspecified*} is kept as a default.
 
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
 
 Concretely, these files are concatenated and made available as
 @file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
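Review bot: the new @code{#false} paragraph leaves the sentence that follows it, "Concretely, these files are concatenated and made available as @file{~/.ssh/authorized_keys}", unqualified, although it now only applies when a list is given; suggest opening it with "When a list is given, these files are concatenated ..." so the default case is not read as also producing a concatenated file. While this entry is being rewritten, "each of which containing an SSH public key" would read better as "each containing an SSH public key".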
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* <home-openssh-configuration>
   home-openssh-configuration make-home-openssh-configuration
   home-openssh-configuration?
   (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
-                   (default '()))
+                   (default #f))
   (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of file-like
                    (default *unspecified*))
   (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
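Review bot: the field comment `;list of file-like` on the `authorized-keys` line is now stale, since the default becomes `#f`; the neighbouring `known-hosts` field documents its sentinel the same way with `;unspec | list of file-like`, so `;#f | list of file-like` would keep the record's comments consistent and tell a reader that `#f` is a legal value.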
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
                                      '#$files)))))))
 
 (define (openssh-configuration-files config)
-  (let ((config (plain-file "ssh.conf"
-                            (openssh-configuration->string config)))
-        (known-hosts (home-openssh-configuration-known-hosts config))
-        (authorized-keys (file-join
-                          "authorized_keys"
-                          (home-openssh-configuration-authorized-keys config)
-                          "\n")))
-    `((".ssh/authorized_keys" ,authorized-keys)
+  (let* ((ssh-config (plain-file "ssh.conf"
+                                 (openssh-configuration->string config)))
+         (known-hosts (home-openssh-configuration-known-hosts config))
+         (authorized-keys (home-openssh-configuration-authorized-keys config))
+         (authorized-keys (and
+                           authorized-keys
+                           (file-join "authorized_keys" authorized-keys "\n"))))
+    `(,@(if authorized-keys
+            `((".ssh/authorized_keys" ,authorized-keys))
+            '())
       ,@(if (unspecified? known-hosts)
             '()
             `((".ssh/known_hosts"
                ,(file-join "known_hosts" known-hosts "\n"))))
-      (".ssh/config" ,config))))
+      (".ssh/config" ,ssh-config))))
 
 (define openssh-activation
   (with-imported-modules (source-module-closure
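Review bot: `(and authorized-keys (file-join "authorized_keys" authorized-keys "\n"))` only skips the file for `#f`; an explicit `'()` is a true value in Scheme, so it still yields an empty `authorized_keys` symlink, which the report above says breaks key-based login. If that is intentional (an explicit empty list meaning "authorize nobody"), a short comment saying so would prevent the next reader from treating it as a bug; if not, testing `(pair? authorized-keys)` instead would make `'()` behave like the default. Minor: rebinding `authorized-keys` within the same `let*` is legal but easy to misread; a single binding with the `and` inside would be clearer.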
-- 
2.39.2

-- 
Janneke Nieuwenhuizen <janneke <at> gnu.org>  | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | Avatar® https://AvatarAcademy.com
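The mv/cat/chmod workaround from the report, written up as an added shell example (not code from the bug report or from Guix): it reports whether ~/.ssh/authorized_keys is a symlink and, if so, replaces the symlink with a private regular file holding the same contents. The path argument is an assumption added so the functions can be tried on a scratch directory; it defaults to the real file.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Guix.  Inspects
# ~/.ssh/authorized_keys and, where guix home has replaced it with a symlink
# into the store, turns it back into a private regular file with the same
# contents (the mv/cat/chmod workaround above, made idempotent).  The path is
# a parameter so the functions can be exercised on a scratch directory.

# Prints the state of the given path: missing, symlink, regular or other.
authorized_keys_state() {
    f="${1:-$HOME/.ssh/authorized_keys}"
    if [ -L "$f" ]; then echo symlink
    elif [ -f "$f" ]; then echo regular
    elif [ -e "$f" ]; then echo other
    else echo missing
    fi
}

# Replaces a symlinked authorized_keys with a user-owned 0400 copy of what it
# pointed to; an existing regular file only has its mode tightened.  Returns 0
# when the path is a regular file afterwards, 1 for missing/other paths or on
# any copy error (a partial temporary file is removed, the symlink is kept).
materialize_authorized_keys() {
    f="${1:-$HOME/.ssh/authorized_keys}"
    case "$(authorized_keys_state "$f")" in
        symlink)
            tmp="$f.tmp.$$"
            # umask 077 keeps the copy private from the moment it is created.
            (umask 077 && cat "$f" > "$tmp") || { rm -f "$tmp"; return 1; }
            # rename(2) replaces the symlink itself, not its store target.
            mv "$tmp" "$f" || { rm -f "$tmp"; return 1; }
            ;;
        regular)
            ;;
        *)
            return 1
            ;;
    esac
    chmod 400 "$f" && [ -f "$f" ] && [ ! -L "$f" ]
}
```

With a list in `authorized-keys`, the next `guix home reconfigure` recreates the symlink, so the copy is only a stopgap; with the patch's `#f` default the file is left alone.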
