| author | Ludovic Courtès <ludo@gnu.org> | 2020-12-07 12:34:26 +0100 | 
|---|---|---|
| committer | Ludovic Courtès <ludo@gnu.org> | 2020-12-07 12:48:26 +0100 | 
| commit | aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138 (patch) | |
| tree | cc3a867cf3a9af91e15810fb3663f145acfed35f | |
| parent | 859b362f81598830d7ff276b96a8724aee3c4db7 (diff) | |
services: openssh: Warn about 'password-authentication?' default.
Fixes <https://bugs.gnu.org/44808>.
Reported by Christopher Lemmer Webber <cwebber@dustycloud.org>.
* gnu/services/ssh.scm (true-but-soon-false): New procedure.
(<openssh-configuration>)[password-authentication?]: Change default to
'true-but-soon-false'.
* gnu/installer/services.scm (%system-services): Explicitly set
'password-authentication?' to #f.
| -rw-r--r-- | gnu/installer/services.scm | 8 | ||||
| -rw-r--r-- | gnu/services/ssh.scm | 18 | 
2 files changed, 22 insertions, 4 deletions
| diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm
index ec5ea30594..14a3bb9be6 100644
--- a/gnu/installer/services.scm
+++ b/gnu/installer/services.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
-;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -93,7 +93,11 @@
      (system-service
       (name (G_ "OpenSSH secure shell daemon (sshd)"))
       (type 'networking)
-      (snippet '((service openssh-service-type))))
+      (snippet '((service openssh-service-type
+                          (openssh-configuration
+                           ;; Currently the default is #t but it's considered
+                           ;; unsafe.  Explicitly pass #f.
+                           (password-authentication? #f))))))
      (system-service
       (name (G_ "Tor anonymous network router"))
       (type 'networking)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..1e45495e1b 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
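Review bot: The comment on the new `password-authentication?` line in the OpenSSH `system-service` snippet describes the current default rather than the intent, so it will read as stale once the default flips; `;; Disable password authentication regardless of the openssh-configuration default.` states why the field is pinned. Pinning #f here also means the installed sshd accepts only key-based logins, and nothing in this hunk adds an `authorized-keys` entry, so if the installer offers no way to supply keys the user may have no remote access until they edit the generated configuration — worth a sentence in this service's description if that is the case. `%system-services` starts and ends outside the hunk.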
@@ -33,6 +33,9 @@
   #:use-module (guix gexp)
   #:use-module (guix records)
   #:use-module (guix modules)
+  #:use-module ((guix i18n) #:select (G_))
+  #:use-module ((guix diagnostics) #:select (warning source-properties->location))
+  #:use-module ((guix memoization) #:select (mlambda))
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-26)
   #:use-module (ice-9 match)
@@ -276,6 +279,16 @@ The other options should be self-descriptive."
 ;;; OpenSSH.
 ;;;
+(define true-but-soon-false
+  (mlambda (loc)
+    ;; The plan is to change the default 'password-authentication?' to #f in
+    ;; Guix 1.3.0 or so.  See <https://issues.guix.gnu.org/44808>.
+    (warning (source-properties->location loc)
+             (G_ "The default value of the 'password-authentication?'
+field of 'openssh-configuration' will change from #true to #false in the
+future.  Explicitly set it to #true to allow password authentication.~%"))
+    #t))
+
 (define-record-type* <openssh-configuration>
   openssh-configuration make-openssh-configuration
   openssh-configuration?
@@ -296,7 +309,8 @@ The other options should be self-descriptive."
                           (default #f))
   ;; Boolean
   (password-authentication? openssh-configuration-password-authentication?
-                            (default #t))
+                            (default (true-but-soon-false
+                                      (current-source-location))))
   ;; Boolean
   (public-key-authentication? openssh-configuration-public-key-authentication?
                               (default #t)) | 
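Review bot: `true-but-soon-false` has no docstring, and neither its name nor the inline comment says that it warns as a side effect and is memoized on `loc` through `mlambda`, so the warning fires once per distinct location rather than on every record construction; a docstring such as `"Return #t, warning once per LOC that the default will become #f."` placed after the `mlambda` parameter list would make that explicit. The message only tells users how to keep the old behaviour, while the commit's motivation is that password authentication is considered unsafe, so the text could equally name the safe choice, e.g. ending with `Explicitly set it to #true to allow password authentication, or to #false to require key-based authentication.~%`. The procedure is fully contained in the hunk.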
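Review bot: The `(current-source-location)` in the new default expression is expanded where the field definition is written, so the location passed to `true-but-soon-false` appears to be this spot in gnu/services/ssh.scm rather than the user's operating-system declaration that relies on the default; if so, the warning points users at Guix's own source instead of the configuration they need to edit, and the memoization on that single constant location reduces it to one warning per process however many configurations omit the field. Naming the user's file would require capturing the location at the `openssh-configuration` construction site rather than inside the default thunk, which this hunk does not do. The `<openssh-configuration>` record definition starts and ends outside the hunk.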
