bug#26695: openssh password-authentication? should be #f by default

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#26695: openssh password-authentication? should be #f by default

From:	Chris Marusich
Subject:	bug#26695: openssh password-authentication? should be #f by default
Date:	Sun, 30 Apr 2017 12:47:22 -0700
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Marius Bakke <address@hidden> writes:

> Christopher Allan Webber <address@hidden> writes:
>
>> Maxim Cournoyer writes:
>>
>>> +1. Although it means the keys will have to be copied by another mean
>>> than the "ssh-copy-id" script. Maybe the configuration could accept
>>> the public key? :) I haven't checked if this is already possible.
>>
>> We have discussed in the past having some service that just copies some
>> static files on init.  That would be enough to set up public keys
>> appropriately.
>
> I think that can already be done with 'special-file-service-type'.
>
> https://lists.gnu.org/archive/html/guix-devel/2017-02/msg00332.html

Will OpenSSH know where to look, in that case?  I think a little more
work would be needed to tell OpenSSH where to look.  For example, you
would have to customize the value of AuthorizedKeysFile in the OpenSSH
daemon's config file (see 'man opensshd_config' for details).

In any case, it would be better if we could hide all of that in the
abstraction we have for the OpenSSH service.  For instance, it would be
nice if we could just specify the public keys in the operating system
configuration file, as part of the <openssh-configuration> record type.

> Another approach could be a small program that reads a configuration
> file and can also pull from e.g. the ec2 metadata service which should
> work with many "cloud" providers. Similar to "cloud-init" but Guile of
> course :)

This topic has come up before.  Cloud-init (specifically, the idea of
pulling SSH credentials in at first boot via the EC2 metadata service)
is a useful hack for systems that cannot be declaratively defined, but
for GuixSD it should not be needed.  See here for details:

https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00214.html
https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00757.html
https://lists.gnu.org/archive/html/help-guix/2016-11/msg00075.html

Somebody just needs to implement the changes to our OpenSSH service
abstraction so that we can declare the public keys in the operating
system configuration file.  Of course, to deploy onto EC2 without manual
intervention would also require more changes, but that's a separate
issue from the issue of how to get credentials onto the host.

-- 
Chris

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#26695: openssh password-authentication? should be #f by default, Christopher Allan Webber, 2017/04/28
- bug#26695: openssh password-authentication? should be #f by default, Maxim Cournoyer, 2017/04/28
  - bug#26695: openssh password-authentication? should be #f by default, Christopher Allan Webber, 2017/04/28
    - bug#26695: openssh password-authentication? should be #f by default, Maxim Cournoyer, 2017/04/28
    - bug#26695: openssh password-authentication? should be #f by default, Marius Bakke, 2017/04/28
    - bug#26695: openssh password-authentication? should be #f by default, Christopher Allan Webber, 2017/04/28
    - bug#26695: openssh password-authentication? should be #f by default, Chris Marusich <=
- bug#26695: openssh password-authentication? should be #f by default, Leo Famulari, 2017/04/28

Prev by Date: bug#26714: non-intel systems should use grub-efi
Next by Date: bug#26696: openssh: root 'without-password & password-authentication #f both breaks service
Previous by thread: bug#26695: openssh password-authentication? should be #f by default
Next by thread: bug#26695: openssh password-authentication? should be #f by default
Index(es):
- Date
- Thread