diff options
author | Janneke Nieuwenhuizen <janneke@gnu.org> | 2023-04-19 18:28:16 +0200 |
---|---|---|
committer | Janneke Nieuwenhuizen <janneke@gnu.org> | 2023-05-24 11:56:12 +0200 |
commit | c57693846c7c6586c6cd1b4e4002fe399e3a2c42 (patch) | |
tree | 3b124e97202a9f6dad9218f1a74fdcb142bd12c9 | |
parent | 0d82148858f98045d1b399be91bd935278d24e12 (diff) | |
download | guix-c57693846c7c6586c6cd1b4e4002fe399e3a2c42.tar.gz |
home: services: ssh: Do not empty ~/.ssh/authorized_keys by default.
The default was an empty list which would remove any ~/.ssh/authorized_keys file and replace it with a symlink to an empty file. On some systems, notably Ubuntu 22.10, the guix home generated ~/.ssh/authorized_keys file does not allow login. * doc/guix.texi (Secure Shell): Update, describe default #false value. * gnu/home/services/ssh.scm (<home-openssh-configuration>) [authorized-keys]: Change default to #f. (openssh-configuration-files): Cater for default #f value: Do not register "authorized_keys".
-rw-r--r-- | doc/guix.texi | 8 | ||||
-rw-r--r-- | gnu/home/services/ssh.scm | 22 |
2 files changed, 17 insertions, 13 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index f4cca66d76..3cd9582558 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -42960,9 +42960,11 @@ stateless: it can be replicated elsewhere or at another point in time. Preparing this list can be relatively tedious though, which is why @code{*unspecified*} is kept as a default. -@item @code{authorized-keys} (default: @code{'()}) -This must be a list of file-like objects, each of which containing an -SSH public key that should be authorized to connect to this machine. +@item @code{authorized-keys} (default: @code{#false}) +The default @code{#false} value means: Leave any +@file{~/.ssh/authorized_keys} file alone. Otherwise, this must be a +list of file-like objects, each of which containing an SSH public key +that should be authorized to connect to this machine. Concretely, these files are concatenated and made available as @file{~/.ssh/authorized_keys}. If an OpenSSH server, @command{sshd}, is diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm index 6aeb6ad5a7..628dc743ae 100644 --- a/gnu/home/services/ssh.scm +++ b/gnu/home/services/ssh.scm @@ -249,7 +249,7 @@ through before connecting to the server.") home-openssh-configuration make-home-openssh-configuration home-openssh-configuration? (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like - (default '())) + (default #f)) (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like (default *unspecified*)) (hosts home-openssh-configuration-hosts ;list of <openssh-host> @@ -285,19 +285,21 @@ inserted after each of them." '#$files))))))) (define (openssh-configuration-files config) - (let ((config (plain-file "ssh.conf" - (openssh-configuration->string config))) - (known-hosts (home-openssh-configuration-known-hosts config)) - (authorized-keys (file-join - "authorized_keys" - (home-openssh-configuration-authorized-keys config) - "\n"))) - `((".ssh/authorized_keys" ,authorized-keys) + (let* ((ssh-config (plain-file "ssh.conf" + (openssh-configuration->string config))) + (known-hosts (home-openssh-configuration-known-hosts config)) + (authorized-keys (home-openssh-configuration-authorized-keys config)) + (authorized-keys (and + authorized-keys + (file-join "authorized_keys" authorized-keys "\n")))) + `(,@(if authorized-keys + `((".ssh/authorized_keys" ,authorized-keys)) + '()) ,@(if (unspecified? known-hosts) '() `((".ssh/known_hosts" ,(file-join "known_hosts" known-hosts "\n")))) - (".ssh/config" ,config)))) + (".ssh/config" ,ssh-config)))) (define openssh-activation (with-imported-modules (source-module-closure |