Hi,
Using home-openssh-service-type on Ubuntu 22.10 (OpenSSH_9.3p1, OpenSSL
1.1.1t 7 Feb 2023) always creates an ~/.ssh/authorized_keys that breaks
key-based login. I cannot access the logs and don't know what the
problem might be.
When, after running `guix home reconfigure', you do something like:
--8<---cut here---start->8---
mv .ssh/authorized_keys .ssh/authorized_keys-
cat .ssh/authorized_keys- > .ssh/authorized_keys
chmod 400 .ssh/authorized_keys
--8<---cut here---end--->8---
key-based login succeeds.
A workaround would be to have home-openssh-service-type leave
~/.ssh/authorized_keys alone. However, when using
--8<---cut here---start->8---
(service
home-openssh-service-type
(home-openssh-configuration
(authorized-keys '())))
--8<---cut here---end--->8---
any existing ~/.ssh/authorized_keys file is removed and replaced by a
symlink to an empty file. I don't see how that is useful; it certainly
breaks key-based login.
Using
--8<---cut here---start->8---
(service
home-openssh-service-type
(home-openssh-configuration
(authorized-keys #f)))
--8<---cut here---end--->8---
yields a backtrace.
The attached patch fixes that and allows using (authorized-keys #f),
also making this the default.
WDYT?
Greetings,
Janneke
From 1ca23618085ae0f5cbc4e989c591b2ee1cdede52 Mon Sep 17 00:00:00 2001
From: Janneke Nieuwenhuizen
Date: Wed, 19 Apr 2023 16:42:50 +0200
Subject: [PATCH] home: services: ssh: Support leaving ~/.ssh/authorized_keys
alone.
The default was to remove any ~/.ssh/authorized_keys file and replace it with
a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix
home generated ~/.ssh/authorized_keys file does not allow login.
* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm ()
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
---
doc/guix.texi | 8 +---
gnu/home/services/ssh.scm | 22 --
2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..3736d24ff1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42565,9 +42565,11 @@ stateless: it can be replicated elsewhere or at another point in time.
Preparing this list can be relatively tedious though, which is why
@code{*unspecified*} is kept as a default.
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
Concretely, these files are concatenated and made available as
@file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is
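Review bot: the new paragraph only explains #false and leaves the two other cases, which are exactly what prompted this patch, undocumented. An empty list '() still produces an empty ~/.ssh/authorized_keys (it is true in Scheme, so file-join runs on no files), which means "no key is authorized" and locks out key-based login; #false means Guix Home stops managing the file altogether, so its contents are no longer part of the declared configuration and the user has to maintain the file and its permissions by hand. Suggest saying both, e.g. "When the list is empty, the generated file is empty and no key is authorized; when @code{#false}, the file is left untouched and is not managed by Guix Home", and scoping the following "Concretely, these files are concatenated..." sentence to the list case ("When a list is given, these files are..."). Minor: "Leave" after the colon should be lowercase.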
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..317808f616 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -186,7 +186,7 @@ (define-record-type*
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
(authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
- (default '()))
+ (default #f))
(known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
(default *unspecified*))
(hosts home-openssh-configuration-hosts ;list of
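Review bot: the field comment ";list of file-like" on the authorized-keys line is now wrong, since #f is accepted; follow the known-hosts line just below and write ";#f | list of file-like". Changing the default from '() to #f is also a silent behaviour change for existing users: a home configuration that omits authorized-keys used to get a managed, empty file and will now keep whatever is already in ~/.ssh/authorized_keys, so the commit message should state that explicitly rather than only describing the Ubuntu symptom.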
@@ -222,19 +222,21 @@ (define* (file-join name files #:optional (delimiter " "))
'#$files)))
(define (openssh-configuration-files config)
- (let ((config (plain-file "ssh.conf"
-(openssh-configuration->string config)))
-(known-hosts (home-openssh-configuration-known-hosts config))
-(authorized-keys (file-join
- "authorized_keys"
- (home-openssh-configuration-authorized-keys config)
- "\n")))
-`((".ssh/authorized_keys" ,authorized-keys)
+ (let* ((ssh-config (plain-file "ssh.conf"
+ (openssh-configuration->string config)))
+ (known-hosts (home-openssh-configuration-known-hosts config))
+ (authorized-keys (home-openssh-configuration-authorized-keys config))
+ (authorized-keys (and
+ authorized-keys
+ (file-join "authorized_keys" authorized-keys "\n"
+`(,@(if
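Review bot: the hunk is cut off at `(,@(if`, so the part that decides whether ".ssh/authorized_keys" is registered cannot be reviewed here. In the visible part, authorized-keys is bound twice in the let* just to apply `and`; a single binding with and=> reads more clearly: (authorized-keys (and=> (home-openssh-configuration-authorized-keys config) (lambda (keys) (file-join "authorized_keys" keys "\n")))). Note that '() is true in Scheme, so (and '() ...) still calls file-join and still yields an empty file, which matches what the doc hunk describes. Separately, this change sidesteps the reported failure without identifying it: the cover letter says the generated file is a symlink into the store and that a regular copy with mode 0400 and identical content works, which points at sshd's StrictModes check on the ownership and permissions of the resolved path, not at the key data. Checking the sshd log for "Authentication refused: bad ownership or modes" on the affected system before merging would confirm whether the store-symlink layout is what breaks login; if it is, '() and every non-empty list are equally unusable there, and #f only hides that.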