--- Begin Message ---
Subject: |
Using home-ssh-agent-configuration on Ubuntu breaks login |
Date: |
Wed, 19 Apr 2023 18:28:16 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi,
Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login. I cannot access the logs and don't know what the
problem might be.
When, after running `guix home reconfigure', you do something like:
--8<---------------cut here---------------start------------->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---------------cut here---------------end--------------->8---
key-based login succeeds.
A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone. However, when using
--8<---------------cut here---------------start------------->8---
(service
home-openssh-service-type
(home-openssh-configuration
(authorized-keys '())))
--8<---------------cut here---------------end--------------->8---
any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file. I don't see how that is useful, it certainly
breaks key-based login.
Using
--8<---------------cut here---------------start------------->8---
(service
home-openssh-service-type
(home-openssh-configuration
(authorized-keys #f)))
--8<---------------cut here---------------end--------------->8---
yields a backtrace.
The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.
WDYT?
Greetings,
Janneke
>From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen <janneke@gnu.org>
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
alone.
The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.
* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
doc/guix.texi | 8 +++++---
gnu/home/services/ssh.scm | 22 ++++++++++++----------
2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at
another point in time.
Preparing this list can be relatively tedious though, which is why
@code{*unspecified*} is kept as a default.
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
Concretely, these files are concatenated and made available as
@file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type* <home-openssh-configuration>
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
(authorized-keys home-openssh-configuration-authorized-keys ;list of
file-like
- (default '()))
+ (default #f))
(known-hosts home-openssh-configuration-known-hosts ;unspec | list of
file-like
(default *unspecified*))
(hosts home-openssh-configuration-hosts ;list of <openssh-host>
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
'#$files)))))))
(define (openssh-configuration-files config)
- (let ((config (plain-file "ssh.conf"
- (openssh-configuration->string config)))
- (known-hosts (home-openssh-configuration-known-hosts config))
- (authorized-keys (file-join
- "authorized_keys"
- (home-openssh-configuration-authorized-keys config)
- "\n")))
- `((".ssh/authorized_keys" ,authorized-keys)
+ (let* ((ssh-config (plain-file "ssh.conf"
+ (openssh-configuration->string config)))
+ (known-hosts (home-openssh-configuration-known-hosts config))
+ (authorized-keys (home-openssh-configuration-authorized-keys config))
+ (authorized-keys (and
+ authorized-keys
+ (file-join "authorized_keys" authorized-keys
"\n"))))
+ `(,@(if authorized-keys
+ `((".ssh/authorized_keys" ,authorized-keys))
+ '())
,@(if (unspecified? known-hosts)
'()
`((".ssh/known_hosts"
,(file-join "known_hosts" known-hosts "\n"))))
- (".ssh/config" ,config))))
+ (".ssh/config" ,ssh-config))))
(define openssh-activation
(with-imported-modules (source-module-closure
--
2.39.2
--
Janneke Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | AvatarĀ® https://AvatarAcademy.com
--- End Message ---
--- Begin Message ---
Subject: |
Re: bug#62948: Using home-ssh-agent-configuration on Ubuntu breaks login |
Date: |
Wed, 24 May 2023 12:00:49 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Janneke Nieuwenhuizen writes:
> Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
> 1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
> key-based login. I cannot access the logs and don't know what the
> problem might be.
Pushed to master as c57693846c7c6586c6cd1b4e4002fe399e3a2c42
--
Janneke Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | AvatarĀ® https://AvatarAcademy.com
--- End Message ---