diff --git a/doc/guix.texi b/doc/guix.texi
index b670823753..73570277f6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8281,40 +8281,67 @@ root. The other options should be self-descriptive.
 @end deffn
-@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
- [#:port-number 22] [#:permit-root-login 'without-password] @
- [#:allow-empty-passwords #f] [#:password-authentication? #t] @
- [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
- [#:x11-forwarding? #f] [#:protocol-number "2"]
-Run the @command{sshd} program from @var{openssh} on port
-@var{port-number}. @command{sshd} runs an SSH daemon and writes its PID
-to @var{pid-file}. It understands SSH protocol
-@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
+@deffn {Scheme Variable} openssh-service-type
+This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
+shell daemon, @command{sshd}. Its value must be an
+@code{openssh-configuration} record as in this example:
-@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
-and @code{#f}. It is used to allow root login through SSH.
-@code{'without-password} means that root login is allowed, but not with
-password-based authentication.
+@example
+(service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #t)
+ (permit-root-login 'without-password)))
+@end example
-When @var{allow-empty-passwords?} is true, users with empty passwords
-may log in. When false, they may not.
-
-When @var{password-authentication?} is true, users may log in with their
-password. When false, they have to use other means of authentication.
-
-When @var{pubkey-authentication?} is true, users may log in using public
-key authentication. When false, users have to use other means of
-authentication. Authorized public keys are stored in
-@file{~/.ssh/authorized_keys}. This is used only by protocol version 2.
-
-When @var{rsa-authentication?} is true, users may log in using pure RSA
-authentication. When false, users have to use other means of
-authentication. This is used only by protocol 1.
-
-When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
-and @option{-Y} will work.
+See below for details about @code{openssh-configuration}.
 @end deffn
+@deftp {Data Type} openssh-configuration
+This is the configuration record for OpenSSH's @command{sshd}.
+
+@table @asis
+@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
+Name of the file where @command{sshd} writes its PID.
+
+@item @code{port-number} (default: @code{22})
+TCP port on which @command{sshd} listens for incoming connections.
+
+@item @code{permit-root-login} (default: @code{#f})
+This field determines whether and when to allow logins as root. If
+@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
+If it's the symbol @code{'without-password}, then root logins are
+permitted but not with password-based authentication.
+
+@item @code{allow-empty-passwords?} (default: @code{#f})
+When true, users with empty passwords may log in. When false, they may
+not.
+
+@item @code{password-authentication?} (default: @code{#t})
+When true, users may log in with their password. When false, they have
+other authentication methods.
+
+@item @code{public-key-authentication?} (default: @code{#t})
+When true, users may log in using public key authentication. When
+false, users have to use other authentication method.
+
+Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
+This is used only by protocol version 2.
+
+@item @code{rsa-authentication?} (default: @code{#t})
+When true, users may log in using pure RSA authentication. When false,
+users have to use other means of authentication. This is used only by
+protocol 1.
+
+@item @code{x11-forwarding?} (default: @code{#f})
+When true, forwarding of X11 graphical client connections is
+enabled---in other words, @command{ssh} options @option{-X} and
+@option{-Y} will work.
+
+@item @code{protocol-number} (default: @code{2})
+The SSH protocol number to use.
+@end table
+@end deftp
+
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
 daemon} with the given @var{config}, a @code{}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 084f8fa4ea..6da612da67 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -50,7 +50,6 @@ (define-module (gnu services ssh)
 ;;;
 ;;; Code:
-;; TODO: Export.
 (define-record-type* lsh-configuration make-lsh-configuration lsh-configuration?
@@ -261,15 +260,24 @@ (define* (lsh-service #:key
 (define-record-type* openssh-configuration make-openssh-configuration openssh-configuration?
- (pid-file openssh-configuration-pid-file) ;string
- (port-number openssh-configuration-port-number) ;integer
- (permit-root-login openssh-configuration-permit-root-login) ;Boolean | 'without-password
- (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
- (password-authentication? openssh-configuration-password-authentication?) ;Boolean
- (pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
- (rsa-authentication? openssh-configuration-rsa-authentication?) ;Boolean
- (x11-forwarding? openssh-configuration-x11-forwarding?) ;Boolean
- (protocol-number openssh-configuration-protocol-number)) ;integer
+ (pid-file openssh-configuration-pid-file
+ (default "/var/run/sshd.pid"))
+ (port-number openssh-configuration-port-number ;integer
+ (default 22))
+ (permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
+ (default #f))
+ (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+ (default #f))
+ (password-authentication? openssh-configuration-password-authentication? ;Boolean
+ (default #t))
+ (public-key-authentication? openssh-configuration-public-key-authentication?
+ (default #t)) ;Boolean
+ (rsa-authentication? openssh-configuration-rsa-authentication? ;Boolean
+ (default #t))
+ (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
+ (default #f))
+ (protocol-number openssh-configuration-protocol-number ;integer
+ (default 2)))
 (define %openssh-accounts
 (list (user-group (name "sshd") (system? #t))
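Review bot: The new `(default #f)` on `permit-root-login` is stricter than the `'without-password` default of the `openssh-service` procedure this commit removes in a later hunk; that is the safer choice, but nothing in the record marks the tightening as deliberate, and a user migrating to a bare `(openssh-configuration)` will find root login silently turned off. I would put `;; Deliberately stricter than the former openssh-service default ('without-password).` on that field. Separately, `rsa-authentication?` defaults to `#t` while `protocol-number` defaults to `2`, yet the texinfo in this same patch says RSAAuthentication applies only to protocol 1, so the default pairing emits a directive with no effect and nothing here discourages selecting protocol 1; a `;; Protocol 1 is obsolete; rsa-authentication? only matters under it.` comment on `protocol-number` would make that explicit. None of the field values are checked at construction (for example `permit-root-login` accepts any value, not only #t/#f/'without-password); how they are serialised into sshd_config is in `openssh-config-file`, outside this hunk, so I cannot tell from here what an out-of-range value produces.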
@@ -314,7 +322,7 @@ (define (openssh-config-file config)
 #$(if (openssh-configuration-password-authentication? config)
 "yes" "no"))
 (format port "PubkeyAuthentication ~a\n"
- #$(if (openssh-configuration-pubkey-authentication? config)
+ #$(if (openssh-configuration-public-key-authentication? config)
 "yes" "no"))
 (format port "RSAAuthentication ~a\n"
 #$(if (openssh-configuration-rsa-authentication? config)
@@ -354,27 +362,6 @@ (define openssh-service-type
 (service-extension account-service-type
 (const %openssh-accounts))))))
-(define* (openssh-service #:key
- (pid-file "/var/run/sshd.pid")
- (port-number 22)
- (permit-root-login 'without-password)
- (allow-empty-passwords? #f)
- (password-authentication? #t)
- (pubkey-authentication? #t)
- (rsa-authentication? #t)
- (x11-forwarding? #f)
- (protocol-number 2))
- (service openssh-service-type (openssh-configuration
- (pid-file pid-file)
- (port-number port-number)
- (permit-root-login permit-root-login)
- (allow-empty-passwords? allow-empty-passwords?)
- (password-authentication? password-authentication?)
- (pubkey-authentication? pubkey-authentication?)
- (rsa-authentication? rsa-authentication?)
- (x11-forwarding? x11-forwarding?)
- (protocol-number protocol-number))))
-
 ;;;
 ;;; Dropbear.