me
/
guix
Archived
1
0
Fork 0

services: hurd-vm: Disable password-based authentication for root.

With offloading to a childhurd is enabled, allowing password-less root
login in the childhurd to anyone amounts to providing write access to
the host’s store to anyone.  Thus, disable password-based root logins in
the childhurd.

* gnu/services/virtualization.scm (%hurd-vm-operating-system): Change
‘permit-root-login’ to 'prohibit-password.
* gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’
field for ‘hurd-vm-configuration’.
* doc/guix.texi (Virtualization Services): Remove mention of
password-less root login.
Ludovic Courtès 2023-09-21 18:01:17 +02:00
parent 100d71f8a1
commit c3a19cc2ac
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
3 changed files with 15 additions and 7 deletions

View File

@ -35722,11 +35722,6 @@ guix shell tigervnc-client -- vncviewer localhost:5900
The default configuration (see @code{hurd-vm-configuration} below)
spawns a secure shell (SSH) server in your GNU/Hurd system, which QEMU
(the virtual machine emulator) redirects to port 10222 on the host.
Thus, you can connect over SSH to the childhurd with:
@example
ssh root@@localhost -p 10022
@end example
The childhurd is volatile and stateless: it starts with a fresh root
file system every time you restart it. By default though, all the files

View File

@ -1080,7 +1080,7 @@ that will be listening to receive secret keys on port 1004, TCP."
(openssh-configuration
(openssh openssh-sans-x)
(use-pam? #f)
(permit-root-login #t)
(permit-root-login 'prohibit-password)
(allow-empty-passwords? #t)
(password-authentication? #t)))

View File

@ -31,6 +31,7 @@
#:use-module (gnu services)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services virtualization)
#:use-module (gnu packages ssh)
#:use-module (gnu packages virtualization)
@ -228,7 +229,19 @@
(define %childhurd-os
(simple-operating-system
(service dhcp-client-service-type)
(service hurd-vm-service-type)))
(service hurd-vm-service-type
(hurd-vm-configuration
;; Allow root login with an empty password to simplify the test
;; below.
(os (operating-system
(inherit %hurd-vm-operating-system)
(services
(modify-services (operating-system-user-services
%hurd-vm-operating-system)
(openssh-service-type
config => (openssh-configuration
(inherit config)
(permit-root-login #t)))))))))))
(define (run-childhurd-test)
(define os