home: services: ssh: Do not empty ~/.ssh/authorized_keys by default.

The default was an empty list which would remove any ~/.ssh/authorized_keys file and replace it with a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix home generated ~/.ssh/authorized_keys file does not allow login. * doc/guix.texi (Secure Shell): Update, describe default #false value. * gnu/home/services/ssh.scm (<home-openssh-configuration>) [authorized-keys]: Change default to #f. (openssh-configuration-files): Cater for default #f value: Do not register "authorized_keys".
2023-04-19 18:28:16 +02:00 · 2023-04-19 18:28:16 +02:00 · c57693846c
parent 0d82148858
commit c57693846c
2 changed files with 17 additions and 13 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -42960,9 +42960,11 @@ stateless: it can be replicated elsewhere or at another point in time.
 Preparing this list can be relatively tedious though, which is why
@code{*unspecified*} is kept as a default.

-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.

 Concretely, these files are concatenated and made available as
@file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@ -249,7 +249,7 @@ through before connecting to the server.")
  home-openssh-configuration make-home-openssh-configuration
  home-openssh-configuration?
  (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
-                   (default '()))
+                   (default #f))
  (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of file-like
                   (default *unspecified*))
  (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
@ -285,19 +285,21 @@ inserted after each of them."
                                     '#$files)))))))

 (define (openssh-configuration-files config)
-  (let ((config (plain-file "ssh.conf"
-                            (openssh-configuration->string config)))
-        (known-hosts (home-openssh-configuration-known-hosts config))
-        (authorized-keys (file-join
-                          "authorized_keys"
-                          (home-openssh-configuration-authorized-keys config)
-                          "\n")))
-    `((".ssh/authorized_keys" ,authorized-keys)
+  (let* ((ssh-config (plain-file "ssh.conf"
+                                 (openssh-configuration->string config)))
+         (known-hosts (home-openssh-configuration-known-hosts config))
+         (authorized-keys (home-openssh-configuration-authorized-keys config))
+         (authorized-keys (and
+                           authorized-keys
+                           (file-join "authorized_keys" authorized-keys "\n"))))
+    `(,@(if authorized-keys
+            `((".ssh/authorized_keys" ,authorized-keys))
+            '())
      ,@(if (unspecified? known-hosts)
            '()
            `((".ssh/known_hosts"
               ,(file-join "known_hosts" known-hosts "\n"))))
-      (".ssh/config" ,config))))
+      (".ssh/config" ,ssh-config))))

 (define openssh-activation
  (with-imported-modules (source-module-closure