authorJanneke Nieuwenhuizen <janneke@gnu.org>2023-04-19 18:28:16 +0200
committerJanneke Nieuwenhuizen <janneke@gnu.org>2023-05-24 11:56:12 +0200
commitc57693846c7c6586c6cd1b4e4002fe399e3a2c42 (patch)
tree3b124e97202a9f6dad9218f1a74fdcb142bd12c9
parent0d82148858f98045d1b399be91bd935278d24e12 (diff)
downloadguix-c57693846c7c6586c6cd1b4e4002fe399e3a2c42.tar.gz
home: services: ssh: Do not empty ~/.ssh/authorized_keys by default.
The default was an empty list which would remove any ~/.ssh/authorized_keys
file and replace it with a symlink to an empty file.  On some systems, notably
Ubuntu 22.10, the ~/.ssh/authorized_keys file generated by guix home does not
allow login.

* doc/guix.texi (Secure Shell): Update, describe default #false value.
* gnu/home/services/ssh.scm (<home-openssh-configuration>)
[authorized-keys]: Change default to #f.
(openssh-configuration-files): Cater for default #f value: Do not register
"authorized_keys".
-rw-r--r--doc/guix.texi8
-rw-r--r--gnu/home/services/ssh.scm22
2 files changed, 17 insertions, 13 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index f4cca66d76..3cd9582558 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42960,9 +42960,11 @@ stateless: it can be replicated elsewhere or at another point in time.
 Preparing this list can be relatively tedious though, which is why
 @code{*unspecified*} is kept as a default.
 
-@item @code{authorized-keys} (default: @code{'()})
-This must be a list of file-like objects, each of which containing an
-SSH public key that should be authorized to connect to this machine.
+@item @code{authorized-keys} (default: @code{#false})
+The default @code{#false} value means: Leave any
+@file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
+list of file-like objects, each of which containing an SSH public key
+that should be authorized to connect to this machine.
 
 Concretely, these files are concatenated and made available as
 @file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 6aeb6ad5a7..628dc743ae 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -249,7 +249,7 @@ through before connecting to the server.")
   home-openssh-configuration make-home-openssh-configuration
   home-openssh-configuration?
   (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
-                   (default '()))
+                   (default #f))
   (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of file-like
                    (default *unspecified*))
   (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
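Review bot: The `;list of file-like` comment on the `authorized-keys` field is now stale, since the default becomes `#f` and the accessor can return either value. The `known-hosts` field directly below documents the same situation as `;unspec | list of file-like`, so the matching form here would be `(authorized-keys home-openssh-configuration-authorized-keys ;#f | list of file-like`. The enclosing record definition starts before the hunk.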
@@ -285,19 +285,21 @@ inserted after each of them."
                                      '#$files)))))))
 
 (define (openssh-configuration-files config)
-  (let ((config (plain-file "ssh.conf"
-                            (openssh-configuration->string config)))
-        (known-hosts (home-openssh-configuration-known-hosts config))
-        (authorized-keys (file-join
-                          "authorized_keys"
-                          (home-openssh-configuration-authorized-keys config)
-                          "\n")))
-    `((".ssh/authorized_keys" ,authorized-keys)
+  (let* ((ssh-config (plain-file "ssh.conf"
+                                 (openssh-configuration->string config)))
+         (known-hosts (home-openssh-configuration-known-hosts config))
+         (authorized-keys (home-openssh-configuration-authorized-keys config))
+         (authorized-keys (and
+                           authorized-keys
+                           (file-join "authorized_keys" authorized-keys "\n"))))
+    `(,@(if authorized-keys
+            `((".ssh/authorized_keys" ,authorized-keys))
+            '())
       ,@(if (unspecified? known-hosts)
             '()
             `((".ssh/known_hosts"
                ,(file-join "known_hosts" known-hosts "\n"))))
-      (".ssh/config" ,config))))
+      (".ssh/config" ,ssh-config))))
 
 (define openssh-activation
   (with-imported-modules (source-module-closure
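Review bot: The `(and authorized-keys ...)` binding in `openssh-configuration-files` separates `#f` from an explicit `'()` only because the empty list is a true value in Scheme: `'()` still goes through `file-join` and installs an empty `~/.ssh/authorized_keys`, so no key is accepted through that file, whereas `#f` leaves whatever file the user already has untouched. That distinction is the access-control contract of this change and is easy to misread as "no keys means skip", so it deserves a comment next to the binding, e.g. `;; #f means "leave ~/.ssh/authorized_keys alone"; '() is a real (empty) list and still installs an empty file.` Binding `authorized-keys` twice in the `let*` also reads oddly; folding both into one `(and=> (home-openssh-configuration-authorized-keys config) (lambda (keys) (file-join "authorized_keys" keys "\n")))` would avoid the shadowing, though that is a matter of taste.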