From aecd2a13cbd8301d0fdeafcacbf69e12cc3f6138 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ludovic=20Court=C3=A8s?=
Date: Mon, 7 Dec 2020 12:34:26 +0100
Subject: [PATCH] services: openssh: Warn about 'password-authentication?' default.
Fixes . Reported by Christopher Lemmer Webber .
* gnu/services/ssh.scm (true-but-soon-false): New procedure. ()[password-authentication?]: Change default to 'true-but-soon-false'.
* gnu/installer/services.scm (%system-services): Explicitly set 'password-authentication?' to #f.
---
 gnu/installer/services.scm | 8 ++++++--
 gnu/services/ssh.scm | 18 ++++++++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/gnu/installer/services.scm b/gnu/installer/services.scm
index ec5ea30594..14a3bb9be6 100644
--- a/gnu/installer/services.scm
+++ b/gnu/installer/services.scm
@@ -1,6 +1,6 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2018 Mathieu Othacehe
-;;; Copyright © 2019 Ludovic Courtès
+;;; Copyright © 2019, 2020 Ludovic Courtès
 ;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen
 ;;;
 ;;; This file is part of GNU Guix.
@@ -93,7 +93,11 @@ (define %system-services
 (system-service
 (name (G_ "OpenSSH secure shell daemon (sshd)"))
 (type 'networking)
- (snippet '((service openssh-service-type))))
+ (snippet '((service openssh-service-type (openssh-configuration ;; Currently the default is #t but it's considered ;; unsafe. Explicitly pass #f. (password-authentication? #f))))))
 (system-service
 (name (G_ "Tor anonymous network router"))
 (type 'networking)
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 1891db0487..1e45495e1b 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
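Review bot: The added `(password-authentication? #f)` on its own does not necessarily stop password logins: OpenSSH still accepts passwords through keyboard-interactive (PAM) authentication unless that is disabled too, and the hunk sets nothing else on the `openssh-configuration`, so whether the installed system really rejects passwords depends on the default of the challenge-response field, which is not visible here and is worth confirming. The comment should also state the operational consequence, since the snippet provisions no `authorized-keys`: on a fresh install sshd accepts no login at all until a key is added from the console. Suggested replacement for the two comment lines: `;; Disable password logins (the default is #t, which is considered unsafe). Keyboard-interactive/PAM authentication must be off as well for this to be effective, and the installed system needs an authorized key before any SSH login is possible.`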
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès
+;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès
 ;;; Copyright © 2016 David Craven
 ;;; Copyright © 2016 Julien Lepiller
 ;;; Copyright © 2017 Clément Lassieur
@@ -33,6 +33,9 @@ (define-module (gnu services ssh)
 #:use-module (guix gexp)
 #:use-module (guix records)
 #:use-module (guix modules)
+ #:use-module ((guix i18n) #:select (G_))
+ #:use-module ((guix diagnostics) #:select (warning source-properties->location))
+ #:use-module ((guix memoization) #:select (mlambda))
 #:use-module (srfi srfi-1)
 #:use-module (srfi srfi-26)
 #:use-module (ice-9 match)
@@ -276,6 +279,16 @@ (define* (lsh-service #:key
 ;;; OpenSSH.
 ;;;
+(define true-but-soon-false (mlambda (loc) ;; The plan is to change the default 'password-authentication?' to #f in ;; Guix 1.3.0 or so. See . (warning (source-properties->location loc) (G_ "The default value of the 'password-authentication?' field of 'openssh-configuration' will change from #true to #false in the future. Explicitly set it to #true to allow password authentication.~%")) #t))
+
 (define-record-type* openssh-configuration make-openssh-configuration openssh-configuration?
@@ -296,7 +309,8 @@ (define-record-type*
 (default #f))
 ;; Boolean
 (password-authentication? openssh-configuration-password-authentication?
- (default #t))
+ (default (true-but-soon-false (current-source-location))))
 ;; Boolean
 (public-key-authentication? openssh-configuration-public-key-authentication?
 (default #t))
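Review bot: The warning text in `true-but-soon-false` tells users only how to keep the insecure behaviour (`Explicitly set it to #true`) and never names the safer choice, so the people it is meant to nudge toward disabling passwords get no instruction at all; I would end the message with `Explicitly set it to #true to allow password authentication, or to #false to disable it.~%`. Separately, it is not clear from this hunk whose location `loc` carries: if the `(current-source-location)` in the field default is expanded at the record definition rather than at the user's `openssh-configuration` form, the warning will point at this file, and because the procedure is memoized on `loc` with `mlambda` it will fire once per process no matter how many configurations omit the field — worth checking against a config that leaves the field unset before merging. The `;; See .` comment has lost its bug reference in this rendering, presumably an angle-bracketed URL stripped on export; confirm the actual source still carries it.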
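Review bot: The field default now runs a procedure with a side effect (a deprecation warning) instead of holding a constant, but nothing next to the field says so, and the diffstat shows only the two `.scm` files changed, so the manual's description of `password-authentication?` is not updated either — users who read the documentation rather than build output will not learn the default is about to flip. I would replace the bare `;; Boolean` above the field with `;; Boolean.  The default is #t for now but emits a warning; it is planned to become #f.` and add to the manual entry a sentence such as "The default is currently #t; it will change to #f in a future release, so set it explicitly." Note that `openssh-configuration` is a record definition that starts before this hunk and continues after it.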