services: openssh: Warn about 'password-authentication?' default.
Fixes <https://bugs.gnu.org/44808>. Reported by Christopher Lemmer Webber <cwebber@dustycloud.org>. * gnu/services/ssh.scm (true-but-soon-false): New procedure. (<openssh-configuration>)[password-authentication?]: Change default to 'true-but-soon-false'. * gnu/installer/services.scm (%system-services): Explicitly set 'password-authentication?' to #f.master
parent
859b362f81
commit
aecd2a13cb
|
@ -1,6 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
|
||||
;;; Copyright © 2019 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2020 Jan (janneke) Nieuwenhuizen <janneke@gnu.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
|
@ -93,7 +93,11 @@
|
|||
(system-service
|
||||
(name (G_ "OpenSSH secure shell daemon (sshd)"))
|
||||
(type 'networking)
|
||||
(snippet '((service openssh-service-type))))
|
||||
(snippet '((service openssh-service-type
|
||||
(openssh-configuration
|
||||
;; Currently the default is #t but it's considered
|
||||
;; unsafe. Explicitly pass #f.
|
||||
(password-authentication? #f))))))
|
||||
(system-service
|
||||
(name (G_ "Tor anonymous network router"))
|
||||
(type 'networking)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019, 2020 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2016 David Craven <david@craven.ch>
|
||||
;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
|
||||
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
|
||||
|
@ -33,6 +33,9 @@
|
|||
#:use-module (guix gexp)
|
||||
#:use-module (guix records)
|
||||
#:use-module (guix modules)
|
||||
#:use-module ((guix i18n) #:select (G_))
|
||||
#:use-module ((guix diagnostics) #:select (warning source-properties->location))
|
||||
#:use-module ((guix memoization) #:select (mlambda))
|
||||
#:use-module (srfi srfi-1)
|
||||
#:use-module (srfi srfi-26)
|
||||
#:use-module (ice-9 match)
|
||||
|
@ -276,6 +279,16 @@ The other options should be self-descriptive."
|
|||
;;; OpenSSH.
|
||||
;;;
|
||||
|
||||
(define true-but-soon-false
|
||||
(mlambda (loc)
|
||||
;; The plan is to change the default 'password-authentication?' to #f in
|
||||
;; Guix 1.3.0 or so. See <https://issues.guix.gnu.org/44808>.
|
||||
(warning (source-properties->location loc)
|
||||
(G_ "The default value of the 'password-authentication?'
|
||||
field of 'openssh-configuration' will change from #true to #false in the
|
||||
future. Explicitly set it to #true to allow password authentication.~%"))
|
||||
#t))
|
||||
|
||||
(define-record-type* <openssh-configuration>
|
||||
openssh-configuration make-openssh-configuration
|
||||
openssh-configuration?
|
||||
|
@ -296,7 +309,8 @@ The other options should be self-descriptive."
|
|||
(default #f))
|
||||
;; Boolean
|
||||
(password-authentication? openssh-configuration-password-authentication?
|
||||
(default #t))
|
||||
(default (true-but-soon-false
|
||||
(current-source-location))))
|
||||
;; Boolean
|
||||
(public-key-authentication? openssh-configuration-public-key-authentication?
|
||||
(default #t))
|
||||
|
|
Reference in New Issue