services: openssh-service-type: Expose 'openssh-configuration'.
* gnu/services/ssh.scm (<openssh-configuration>): Add default values.
[pubkey-authentication?]: Rename to...
[public-key-authentication?]: ... this.
(openssh-service): Remove.
* doc/guix.texi (Networking Services): Adjust accordingly.
parent 92c03a8715
commit d8f3128119
@ -8281,40 +8281,67 @@ root.
|
||||||
The other options should be self-descriptive.
|
The other options should be self-descriptive.
|
||||||
@end deffn
|
@end deffn
|
||||||
|
|
||||||
@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
|
@deffn {Scheme Variable} openssh-service-type
|
||||||
[#:port-number 22] [#:permit-root-login 'without-password] @
|
This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
|
||||||
[#:allow-empty-passwords #f] [#:password-authentication? #t] @
|
shell daemon, @command{sshd}. Its value must be an
|
||||||
[#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
|
@code{openssh-configuration} record as in this example:
|
||||||
[#:x11-forwarding? #f] [#:protocol-number "2"]
|
|
||||||
Run the @command{sshd} program from @var{openssh} on port
|
|
||||||
@var{port-number}. @command{sshd} runs an SSH daemon and writes its PID
|
|
||||||
to @var{pid-file}. It understands SSH protocol
|
|
||||||
@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
|
|
||||||
|
|
||||||
@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
|
@example
|
||||||
and @code{#f}. It is used to allow root login through SSH.
|
(service openssh-service-type
|
||||||
@code{'without-password} means that root login is allowed, but not with
|
(openssh-configuration
|
||||||
password-based authentication.
|
(x11-forwarding? #t)
|
||||||
|
(permit-root-login 'without-password)))
|
||||||
|
@end example
|
||||||
|
|
||||||
When @var{allow-empty-passwords?} is true, users with empty passwords
|
See below for details about @code{openssh-configuration}.
|
||||||
may log in. When false, they may not.
|
|
||||||
|
|
||||||
When @var{password-authentication?} is true, users may log in with their
|
|
||||||
password. When false, they have to use other means of authentication.
|
|
||||||
|
|
||||||
When @var{pubkey-authentication?} is true, users may log in using public
|
|
||||||
key authentication. When false, users have to use other means of
|
|
||||||
authentication. Authorized public keys are stored in
|
|
||||||
@file{~/.ssh/authorized_keys}. This is used only by protocol version 2.
|
|
||||||
|
|
||||||
When @var{rsa-authentication?} is true, users may log in using pure RSA
|
|
||||||
authentication. When false, users have to use other means of
|
|
||||||
authentication. This is used only by protocol 1.
|
|
||||||
|
|
||||||
When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
|
|
||||||
and @option{-Y} will work.
|
|
||||||
@end deffn
|
@end deffn
|
||||||
|
|
||||||
|
@deftp {Data Type} openssh-configuration
|
||||||
|
This is the configuration record for OpenSSH's @command{sshd}.
|
||||||
|
|
||||||
|
@table @asis
|
||||||
|
@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
|
||||||
|
Name of the file where @command{sshd} writes its PID.
|
||||||
|
|
||||||
|
@item @code{port-number} (default: @code{22})
|
||||||
|
TCP port on which @command{sshd} listens for incoming connections.
|
||||||
|
|
||||||
|
@item @code{permit-root-login} (default: @code{#f})
|
||||||
|
This field determines whether and when to allow logins as root. If
|
||||||
|
@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
|
||||||
|
If it's the symbol @code{'without-password}, then root logins are
|
||||||
|
permitted but not with password-based authentication.
|
||||||
|
|
||||||
|
@item @code{allow-empty-passwords?} (default: @code{#f})
|
||||||
|
When true, users with empty passwords may log in. When false, they may
|
||||||
|
not.
|
||||||
|
|
||||||
|
@item @code{password-authentication?} (default: @code{#t})
|
||||||
|
When true, users may log in with their password. When false, they have
|
||||||
|
other authentication methods.
|
||||||
|
|
||||||
|
@item @code{public-key-authentication?} (default: @code{#t})
|
||||||
|
When true, users may log in using public key authentication. When
|
||||||
|
false, users have to use other authentication method.
|
||||||
|
|
||||||
|
Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
|
||||||
|
This is used only by protocol version 2.
|
||||||
|
|
||||||
|
@item @code{rsa-authentication?} (default: @code{#t})
|
||||||
|
When true, users may log in using pure RSA authentication. When false,
|
||||||
|
users have to use other means of authentication. This is used only by
|
||||||
|
protocol 1.
|
||||||
|
|
||||||
|
@item @code{x11-forwarding?} (default: @code{#f})
|
||||||
|
When true, forwarding of X11 graphical client connections is
|
||||||
|
enabled---in other words, @command{ssh} options @option{-X} and
|
||||||
|
@option{-Y} will work.
|
||||||
|
|
||||||
|
@item @code{protocol-number} (default: @code{2})
|
||||||
|
The SSH protocol number to use.
|
||||||
|
@end table
|
||||||
|
@end deftp
|
||||||
|
|
||||||
@deffn {Scheme Procedure} dropbear-service [@var{config}]
|
@deffn {Scheme Procedure} dropbear-service [@var{config}]
|
||||||
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
|
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
|
||||||
daemon} with the given @var{config}, a @code{<dropbear-configuration>}
|
daemon} with the given @var{config}, a @code{<dropbear-configuration>}
|
||||||
|
|
|
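Review bot: two grammar slips in the new @table entries of the doc hunk: under `password-authentication?`, "When false, they have other authentication methods." should read "When false, they have to use other authentication methods.", and under `public-key-authentication?`, "other authentication method" should be "other authentication methods". The `protocol-number` entry ("The SSH protocol number to use.") also dropped the old text's statement that the value is either 1 or 2; keep it, since the `rsa-authentication?` and `public-key-authentication?` entries refer to protocol 1 and protocol 2 respectively and a reader needs to know which values are valid.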
@ -50,7 +50,6 @@
|
||||||
;;;
|
;;;
|
||||||
;;; Code:
|
;;; Code:
|
||||||
|
|
||||||
;; TODO: Export.
|
|
||||||
(define-record-type* <lsh-configuration>
|
(define-record-type* <lsh-configuration>
|
||||||
lsh-configuration make-lsh-configuration
|
lsh-configuration make-lsh-configuration
|
||||||
lsh-configuration?
|
lsh-configuration?
|
||||||
|
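Review bot: the removed `;; TODO: Export.` comment sits above `<lsh-configuration>`, yet none of the hunks shown adds `lsh-configuration`, `openssh-configuration` or its accessors to the module's `#:export` list, and the ChangeLog entry in the commit message does not mention this hunk at all. If the export edit lives outside this diff, list it in the entry; otherwise the "Expose" in the title is not backed by a visible change and the TODO should stay.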
@ -261,15 +260,24 @@ The other options should be self-descriptive."
|
||||||
(define-record-type* <openssh-configuration>
|
(define-record-type* <openssh-configuration>
|
||||||
openssh-configuration make-openssh-configuration
|
openssh-configuration make-openssh-configuration
|
||||||
openssh-configuration?
|
openssh-configuration?
|
||||||
(pid-file openssh-configuration-pid-file) ;string
|
(pid-file openssh-configuration-pid-file
|
||||||
(port-number openssh-configuration-port-number) ;integer
|
(default "/var/run/sshd.pid"))
|
||||||
(permit-root-login openssh-configuration-permit-root-login) ;Boolean | 'without-password
|
(port-number openssh-configuration-port-number ;integer
|
||||||
(allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
|
(default 22))
|
||||||
(password-authentication? openssh-configuration-password-authentication?) ;Boolean
|
(permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
|
||||||
(pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
|
(default #f))
|
||||||
(rsa-authentication? openssh-configuration-rsa-authentication?) ;Boolean
|
(allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
|
||||||
(x11-forwarding? openssh-configuration-x11-forwarding?) ;Boolean
|
(default #f))
|
||||||
(protocol-number openssh-configuration-protocol-number)) ;integer
|
(password-authentication? openssh-configuration-password-authentication? ;Boolean
|
||||||
|
(default #t))
|
||||||
|
(public-key-authentication? openssh-configuration-public-key-authentication?
|
||||||
|
(default #t)) ;Boolean
|
||||||
|
(rsa-authentication? openssh-configuration-rsa-authentication? ;Boolean
|
||||||
|
(default #t))
|
||||||
|
(x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
|
||||||
|
(default #f))
|
||||||
|
(protocol-number openssh-configuration-protocol-number ;integer
|
||||||
|
(default 2)))
|
||||||
|
|
||||||
(define %openssh-accounts
|
(define %openssh-accounts
|
||||||
(list (user-group (name "sshd") (system? #t))
|
(list (user-group (name "sshd") (system? #t))
|
||||||
|
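Review bot: the default for `permit-root-login` is `#f`, whereas the removed `openssh-service` procedure defaulted to `'without-password`; a user who replaces `(openssh-service)` with `(service openssh-service-type (openssh-configuration))` therefore silently goes from key-only root login to no root login at all. Stricter is the safer direction, but it is a behaviour change the ChangeLog entry should call out (or the default should remain `'without-password`). Style: the `;Boolean` comment for `public-key-authentication?` sits on the `(default #t))` line while every other field carries it on the field line, and `pid-file` lost its `;string` comment in the rewrite.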
@ -314,7 +322,7 @@ The other options should be self-descriptive."
|
||||||
#$(if (openssh-configuration-password-authentication? config)
|
#$(if (openssh-configuration-password-authentication? config)
|
||||||
"yes" "no"))
|
"yes" "no"))
|
||||||
(format port "PubkeyAuthentication ~a\n"
|
(format port "PubkeyAuthentication ~a\n"
|
||||||
#$(if (openssh-configuration-pubkey-authentication? config)
|
#$(if (openssh-configuration-public-key-authentication? config)
|
||||||
"yes" "no"))
|
"yes" "no"))
|
||||||
(format port "RSAAuthentication ~a\n"
|
(format port "RSAAuthentication ~a\n"
|
||||||
#$(if (openssh-configuration-rsa-authentication? config)
|
#$(if (openssh-configuration-rsa-authentication? config)
|
||||||
|
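Review bot: the rename at the `PubkeyAuthentication` line is the only use of `pubkey-authentication?` visible in this diff; make sure no other reference (tests, other modules, the export list) still names the old accessor, since a stale one fails only when the module is loaded. Separately, `RSAAuthentication` is emitted unconditionally even though the documentation hunk states it applies only to protocol 1 and `protocol-number` now defaults to 2; consider writing that line only when `(= (openssh-configuration-protocol-number config) 1)`, so the generated sshd_config does not carry a keyword that is meaningless for the protocol actually selected.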
@ -354,27 +362,6 @@ The other options should be self-descriptive."
|
||||||
(service-extension account-service-type
|
(service-extension account-service-type
|
||||||
(const %openssh-accounts))))))
|
(const %openssh-accounts))))))
|
||||||
|
|
||||||
(define* (openssh-service #:key
|
|
||||||
(pid-file "/var/run/sshd.pid")
|
|
||||||
(port-number 22)
|
|
||||||
(permit-root-login 'without-password)
|
|
||||||
(allow-empty-passwords? #f)
|
|
||||||
(password-authentication? #t)
|
|
||||||
(pubkey-authentication? #t)
|
|
||||||
(rsa-authentication? #t)
|
|
||||||
(x11-forwarding? #f)
|
|
||||||
(protocol-number 2))
|
|
||||||
(service openssh-service-type (openssh-configuration
|
|
||||||
(pid-file pid-file)
|
|
||||||
(port-number port-number)
|
|
||||||
(permit-root-login permit-root-login)
|
|
||||||
(allow-empty-passwords? allow-empty-passwords?)
|
|
||||||
(password-authentication? password-authentication?)
|
|
||||||
(pubkey-authentication? pubkey-authentication?)
|
|
||||||
(rsa-authentication? rsa-authentication?)
|
|
||||||
(x11-forwarding? x11-forwarding?)
|
|
||||||
(protocol-number protocol-number))))
|
|
||||||
|
|
||||||
|
|
||||||
;;;
|
;;;
|
||||||
;;; Dropbear.
|
;;; Dropbear.
|
||||||
|
|
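Review bot: `openssh-service` is removed outright rather than kept as a deprecated wrapper, so any operating-system declaration that still calls `(openssh-service ...)` fails with an unbound-variable error at reconfigure time. Consider keeping the `define*` for one release as a thin alias that builds an `openssh-configuration` from its keyword arguments, and state the replacement (`(service openssh-service-type (openssh-configuration ...))`) in the ChangeLog entry so users know what to migrate to.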