Hello,

Sébastien Gendre <[email protected]> writes:

> Hello,
>
> I tried to use Guix Home to configure my home environment. It works very
> well, but I have a problem with the generated SSH client config.
>
> It is stored in /gnu/store, on its own derivation and linked into my
> home dir. As planned. But its access right is read for every user on my
> system.
>
> That means any other user of my server could know to which server I have
> access. Same with the authorized-keys file.
>
> I configured the SSH client with the home-openssh-service-type, like
> described in this manual page:
> https://guix.gnu.org/manual/devel/en/html_node/Secure-Shell.html
>
> Is there a way to make this file only readable by my user?

No, all files in the store are readable by any user, by design. If your
threat model includes needing to keep content of ~/.ssh/config and
~/.ssh/authorized_keys private (mine does not), then you cannot use pure
Guix for the configuration.

> Is it the same with config files generated by Guix System?

Yes.

Tomas

-- 
There are only two hard things in Computer Science:
cache invalidation, naming things and off-by-one errors.
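
To see which entries of `~/.ssh` are affected by the behaviour described in the reply above, the following sketch resolves each entry and reports those that end up as regular files in the store with the world-read bit set. It is an added example, not part of the original messages or of Guix; `store_exposed`, `demo` and the temporary layout with `PLACEHOLDER-HASH-` names are constructed for illustration.

```python
import os
import stat
import tempfile


def store_exposed(directory, store="/gnu/store"):
    """List (link, target) for entries of `directory` that resolve to
    regular files inside `store` and are readable by "other" users."""
    store = os.path.realpath(store)
    findings = []
    for name in sorted(os.listdir(directory)):
        link = os.path.join(directory, name)
        target = os.path.realpath(link)
        # Skip anything that does not actually live in the store.
        if os.path.commonpath([store, target]) != store:
            continue
        try:
            mode = os.stat(target).st_mode
        except OSError:
            continue  # dangling link, nothing to read
        if stat.S_ISREG(mode) and mode & stat.S_IROTH:
            findings.append((link, target))
    return findings


def demo():
    """Constructed layout in a temp dir: a stand-in store and ~/.ssh."""
    root = tempfile.mkdtemp()
    store = os.path.join(root, "store")
    ssh = os.path.join(root, "home", ".ssh")
    os.makedirs(store)
    os.makedirs(ssh)
    for name in ("config", "authorized_keys"):
        item = os.path.join(store, "PLACEHOLDER-HASH-" + name)
        with open(item, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(item, 0o444)  # store files are read-only for everyone
        os.symlink(item, os.path.join(ssh, name))
    private = os.path.join(ssh, "known_hosts")  # ordinary 0600 file
    with open(private, "w") as fh:
        fh.write("# constructed sample\n")
    os.chmod(private, 0o600)
    return store_exposed(ssh, store)


if __name__ == "__main__":
    ssh_dir = os.path.expanduser("~/.ssh")
    if os.path.isdir(ssh_dir):
        for link, target in store_exposed(ssh_dir):
            print(f"{link} -> {target} (world-readable)")
```

Run directly, it checks the current user's `~/.ssh`; files that are managed outside the store, such as the 0600 `known_hosts` in the constructed layout, are not reported.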
