services: openssh-service-type: Expose 'openssh-configuration'.

* gnu/services/ssh.scm (<openssh-configuration>): Add default values.
[pubkey-authentication?]: Rename to...
[public-key-authentication?]: ... this.
(openssh-service): Remove.
* doc/guix.texi (Networking Services): Adjust accordingly.
This commit is contained in:
Ludovic Courtès 2016-10-02 23:18:08 +02:00
parent 92c03a8715
commit d8f3128119
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
2 changed files with 76 additions and 62 deletions

View File

@ -8281,40 +8281,67 @@ root.
The other options should be self-descriptive.
@end deffn
@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
[#:port-number 22] [#:permit-root-login 'without-password] @
[#:allow-empty-passwords #f] [#:password-authentication? #t] @
[#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
[#:x11-forwarding? #f] [#:protocol-number "2"]
Run the @command{sshd} program from @var{openssh} on port
@var{port-number}. @command{sshd} runs an SSH daemon and writes its PID
to @var{pid-file}. It understands SSH protocol
@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
@deffn {Scheme Variable} openssh-service-type
This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
shell daemon, @command{sshd}. Its value must be an
@code{openssh-configuration} record as in this example:
@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
and @code{#f}. It is used to allow root login through SSH.
@code{'without-password} means that root login is allowed, but not with
password-based authentication.
@example
(service openssh-service-type
(openssh-configuration
(x11-forwarding? #t)
(permit-root-login 'without-password)))
@end example
When @var{allow-empty-passwords?} is true, users with empty passwords
may log in. When false, they may not.
When @var{password-authentication?} is true, users may log in with their
password. When false, they have to use other means of authentication.
When @var{pubkey-authentication?} is true, users may log in using public
key authentication. When false, users have to use other means of
authentication. Authorized public keys are stored in
@file{~/.ssh/authorized_keys}. This is used only by protocol version 2.
When @var{rsa-authentication?} is true, users may log in using pure RSA
authentication. When false, users have to use other means of
authentication. This is used only by protocol 1.
When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
and @option{-Y} will work.
See below for details about @code{openssh-configuration}.
@end deffn
@deftp {Data Type} openssh-configuration
This is the configuration record for OpenSSH's @command{sshd}.
@table @asis
@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
Name of the file where @command{sshd} writes its PID.
@item @code{port-number} (default: @code{22})
TCP port on which @command{sshd} listens for incoming connections.
@item @code{permit-root-login} (default: @code{#f})
This field determines whether and when to allow logins as root. If
@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
If it's the symbol @code{'without-password}, then root logins are
permitted but not with password-based authentication.
@item @code{allow-empty-passwords?} (default: @code{#f})
When true, users with empty passwords may log in. When false, they may
not.
@item @code{password-authentication?} (default: @code{#t})
When true, users may log in with their password. When false, they have
other authentication methods.
@item @code{public-key-authentication?} (default: @code{#t})
When true, users may log in using public key authentication. When
false, users have to use other authentication method.
Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
This is used only by protocol version 2.
@item @code{rsa-authentication?} (default: @code{#t})
When true, users may log in using pure RSA authentication. When false,
users have to use other means of authentication. This is used only by
protocol 1.
@item @code{x11-forwarding?} (default: @code{#f})
When true, forwarding of X11 graphical client connections is
enabled---in other words, @command{ssh} options @option{-X} and
@option{-Y} will work.
@item @code{protocol-number} (default: @code{2})
The SSH protocol number to use.
@end table
@end deftp
@deffn {Scheme Procedure} dropbear-service [@var{config}]
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
daemon} with the given @var{config}, a @code{<dropbear-configuration>}

View File

@ -50,7 +50,6 @@
;;;
;;; Code:
;; TODO: Export.
(define-record-type* <lsh-configuration>
lsh-configuration make-lsh-configuration
lsh-configuration?
@ -261,15 +260,24 @@ The other options should be self-descriptive."
(define-record-type* <openssh-configuration>
openssh-configuration make-openssh-configuration
openssh-configuration?
(pid-file openssh-configuration-pid-file) ;string
(port-number openssh-configuration-port-number) ;integer
(permit-root-login openssh-configuration-permit-root-login) ;Boolean | 'without-password
(allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
(password-authentication? openssh-configuration-password-authentication?) ;Boolean
(pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
(rsa-authentication? openssh-configuration-rsa-authentication?) ;Boolean
(x11-forwarding? openssh-configuration-x11-forwarding?) ;Boolean
(protocol-number openssh-configuration-protocol-number)) ;integer
(pid-file openssh-configuration-pid-file
(default "/var/run/sshd.pid"))
(port-number openssh-configuration-port-number ;integer
(default 22))
(permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
(default #f))
(allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
(default #f))
(password-authentication? openssh-configuration-password-authentication? ;Boolean
(default #t))
(public-key-authentication? openssh-configuration-public-key-authentication?
(default #t)) ;Boolean
(rsa-authentication? openssh-configuration-rsa-authentication? ;Boolean
(default #t))
(x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
(default #f))
(protocol-number openssh-configuration-protocol-number ;integer
(default 2)))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
@ -314,7 +322,7 @@ The other options should be self-descriptive."
#$(if (openssh-configuration-password-authentication? config)
"yes" "no"))
(format port "PubkeyAuthentication ~a\n"
#$(if (openssh-configuration-pubkey-authentication? config)
#$(if (openssh-configuration-public-key-authentication? config)
"yes" "no"))
(format port "RSAAuthentication ~a\n"
#$(if (openssh-configuration-rsa-authentication? config)
@ -354,27 +362,6 @@ The other options should be self-descriptive."
(service-extension account-service-type
(const %openssh-accounts))))))
(define* (openssh-service #:key
(pid-file "/var/run/sshd.pid")
(port-number 22)
(permit-root-login 'without-password)
(allow-empty-passwords? #f)
(password-authentication? #t)
(pubkey-authentication? #t)
(rsa-authentication? #t)
(x11-forwarding? #f)
(protocol-number 2))
(service openssh-service-type (openssh-configuration
(pid-file pid-file)
(port-number port-number)
(permit-root-login permit-root-login)
(allow-empty-passwords? allow-empty-passwords?)
(password-authentication? password-authentication?)
(pubkey-authentication? pubkey-authentication?)
(rsa-authentication? rsa-authentication?)
(x11-forwarding? x11-forwarding?)
(protocol-number protocol-number))))
;;;
;;; Dropbear.