1 files changed, 54 insertions, 27 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index b670823753..73570277f6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8281,39 +8281,66 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
-@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
-       [#:port-number 22] [#:permit-root-login 'without-password] @
-       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
-       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
-       [#:x11-forwarding? #f] [#:protocol-number "2"]
-Run the @command{sshd} program from @var{openssh} on port
-@var{port-number}.  @command{sshd} runs an SSH daemon and writes its PID
-to @var{pid-file}.  It understands SSH protocol
-@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
+@deffn {Scheme Variable} openssh-service-type
+This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
+shell daemon, @command{sshd}.  Its value must be an
+@code{openssh-configuration} record as in this example:
 
-@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
-and @code{#f}.  It is used to allow root login through SSH.
-@code{'without-password} means that root login is allowed, but not with
-password-based authentication.
+@example
+(service openssh-service-type
+         (openssh-configuration
+           (x11-forwarding? #t)
+           (permit-root-login 'without-password)))
+@end example
+
+See below for details about @code{openssh-configuration}.
+@end deffn
 
-When @var{allow-empty-passwords?} is true, users with empty passwords
-may log in.  When false, they may not.
+@deftp {Data Type} openssh-configuration
+This is the configuration record for OpenSSH's @command{sshd}.
 
-When @var{password-authentication?} is true, users may log in with their
-password.  When false, they have to use other means of authentication.
+@table @asis
+@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
+Name of the file where @command{sshd} writes its PID.
 
-When @var{pubkey-authentication?} is true, users may log in using public
-key authentication.  When false, users have to use other means of
-authentication.  Authorized public keys are stored in
-@file{~/.ssh/authorized_keys}.  This is used only by protocol version 2.
+@item @code{port-number} (default: @code{22})
+TCP port on which @command{sshd} listens for incoming connections.
 
-When @var{rsa-authentication?} is true, users may log in using pure RSA
-authentication.  When false, users have to use other means of
-authentication.  This is used only by protocol 1.
+@item @code{permit-root-login} (default: @code{#f})
+This field determines whether and when to allow logins as root.  If
+@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
+If it's the symbol @code{'without-password}, then root logins are
+permitted but not with password-based authentication.
 
-When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
-and @option{-Y} will work.
-@end deffn
+@item @code{allow-empty-passwords?} (default: @code{#f})
+When true, users with empty passwords may log in.  When false, they may
+not.
+
+@item @code{password-authentication?} (default: @code{#t})
+When true, users may log in with their password.  When false, they have
+other authentication methods.
+
+@item @code{public-key-authentication?} (default: @code{#t})
+When true, users may log in using public key authentication.  When
+false, users have to use other authentication method.
+
+Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
+This is used only by protocol version 2.
+
+@item @code{rsa-authentication?} (default: @code{#t})
+When true, users may log in using pure RSA authentication.  When false,
+users have to use other means of authentication.  This is used only by
+protocol 1.
+
+@item @code{x11-forwarding?} (default: @code{#f})
+When true, forwarding of X11 graphical client connections is
+enabled---in other words, @command{ssh} options @option{-X} and
+@option{-Y} will work.
+
+@item @code{protocol-number} (default: @code{2})
+The SSH protocol number to use.
+@end table
+@end deftp
 
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH