Re: [PATCH 1/4] services: openssh: Enable PAM.

2017-02-22 Thread Clément Lassieur 
Clément Lassieur  writes:

> * gnu/services/ssh.scm: (%openssh-pam-services): New variable.
>   (openssh-service-type): Use it to extend PAM-ROOT-SERVICE-TYPE.
>   ()[challenge-response-authentication?]: New field.
>   ()[use-pam?]: New field.
>   (openssh-config-file): Add them.
> * doc/guix.texi (Networking Services): Document them.

'make check-system TESTS="openssh"' fails because of this patch.  Access
denied.  I'll have a look at it.

[PATCH 1/4] services: openssh: Enable PAM.

2017-02-20 Thread Clément Lassieur 
* gnu/services/ssh.scm: (%openssh-pam-services): New variable.
  (openssh-service-type): Use it to extend PAM-ROOT-SERVICE-TYPE.
  ()[challenge-response-authentication?]: New field.
  ()[use-pam?]: New field.
  (openssh-config-file): Add them.
* doc/guix.texi (Networking Services): Document them.
---
 doc/guix.texi| 16 
 gnu/services/ssh.scm | 17 -
 2 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 6cdb5e592..22eef3a64 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -9163,6 +9163,22 @@ enabled---in other words, @command{ssh} options 
@option{-X} and
 
 @item @code{protocol-number} (default: @code{2})
 The SSH protocol number to use.
+
+@item @code{challenge-response-authentication?} (default: @code{#f})
+Specifies whether challenge response authentication is allowed (e.g. via
+PAM).
+
+@item @code{use-pam?} (default: @code{#t})
+Enables the Pluggable Authentication Module interface.  If set to
+@code{#t}, this will enable PAM authentication using
+@code{challenge-response-authentication?} and
+@code{password-authentication?}, in addition to PAM account and session
+module processing for all authentication types.
+
+Because PAM challenge response authentication usually serves an
+equivalent role to password authentication, you should disable either
+@code{challenge-response-authentication?} or
+@code{password-authentication?}.
 @end table
 @end deftp
 
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 58c35c9f5..78641f526 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -278,7 +278,11 @@ The other options should be self-descriptive."
   (x11-forwarding?   openssh-configuration-x11-forwarding? ;Boolean
  (default #f))
   (protocol-number   openssh-configuration-protocol-number ;integer
- (default 2)))
+ (default 2))
+  (challenge-response-authentication? 
openssh-challenge-response-authentication?
+  (default #f)) ;Boolean
+  (use-pam?  openssh-configuration-use-pam?
+ (default #t))) ;Boolean
 
 (define %openssh-accounts
   (list (user-group (name "sshd") (system? #t))
@@ -334,6 +338,12 @@ The other options should be self-descriptive."
"yes" "no"))
  (format port "PidFile ~a\n"
  #$(openssh-configuration-pid-file config))
+ (format port "ChallengeResponseAuthentication ~a\n"
+ #$(if (openssh-challenge-response-authentication? config)
+   "yes" "no"))
+ (format port "UsePAM ~a\n"
+ #$(if (openssh-configuration-use-pam? config)
+   "yes" "no"))
  #t
 
 (define (openssh-shepherd-service config)
@@ -354,11 +364,16 @@ The other options should be self-descriptive."
  #:pid-file #$pid-file))
  (stop #~(make-kill-destructor)
 
+(define %openssh-pam-services
+  (list (unix-pam-service "sshd")))
+
 (define openssh-service-type
   (service-type (name 'openssh)
 (extensions
  (list (service-extension shepherd-root-service-type
   openssh-shepherd-service)
+   (service-extension pam-root-service-type
+  (const %openssh-pam-services))
(service-extension activation-service-type
   openssh-activation)
(service-extension account-service-type
-- 
2.11.1