-rw-r--r-- | doc/guix.texi | 12 | ||||
-rw-r--r-- | gnu/services/ssh.scm | 13 |
2 files changed, 20 insertions, 5 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 01c16ba85d..4b71fb7010 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -18857,7 +18857,7 @@ This is the configuration record for OpenSSH's @command{sshd}.
 @table @asis
 @item @code{openssh} (default @var{openssh})
-The Openssh package to use.
+The OpenSSH package to use.
 @item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
 Name of the file where @command{sshd} writes its PID.
@@ -18978,6 +18978,16 @@ Additional authorized keys can be specified @i{via}
 Note that this does @emph{not} interfere with the use of
 @file{~/.ssh/authorized_keys}.
+@item @code{generate-host-keys?} (default: @code{#t})
+Whether to generate host key pairs with @command{ssh-keygen -A} under
+@file{/etc/ssh} if there are none.
+
+Generating key pairs takes a few seconds when enough entropy is
+available and is only done once. You might want to turn it off for
+instance in a virtual machine that does not need it because host keys
+are provided in some other way, and where the extra boot time is a
+problem.
+
 @item @code{log-level} (default: @code{'info})
 This is a symbol specifying the logging level: @code{quiet}, @code{fatal},
 @code{error}, @code{info}, @code{verbose}, @code{debug}, etc. See the man
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 97f74a00f7..433a0e8f91 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -1,5 +1,5 @@
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2014, 2015, 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2014-2019, 2022 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
 ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
@@ -352,6 +352,10 @@ The other options should be self-descriptive."
 (default '()))
 ;; Boolean
+(generate-host-keys? openssh-configuration-generate-host-keys?
+(default #t))
+
+;; Boolean
 ;; XXX: This should really be handled in an orthogonal way, for instance as
 ;; proposed in <https://bugs.gnu.org/27155>. Keep it internal/undocumented
 ;; for now.
@@ -402,9 +406,10 @@ The other options should be self-descriptive."
 (unless (file-exists? lastlog)
 (touch lastlog))))
-;; Generate missing host keys.
-(system* (string-append #$(openssh-configuration-openssh config)
-"/bin/ssh-keygen") "-A"))))
+(when #$(openssh-configuration-generate-host-keys? config)
+;; Generate missing host keys.
+(system* (string-append #$(openssh-configuration-openssh config)
+"/bin/ssh-keygen") "-A")))))
 (define (authorized-key-directory keys)
 "Return a directory containing the authorized keys specified in KEYS, a list
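Review bot: The exit status of `ssh-keygen -A` is still discarded on the new side of the `@@ -402,9 +406,10 @@` hunk: `system*` returns it, but the value of the new `when` form is dropped, so a failed generation (unwritable `/etc/ssh`, a missing binary, an interrupted run) leaves the host without host keys and is presumably only noticed later when `sshd` itself fails to start. Checking `status:exit-val` and reporting the failure on `(current-error-port)` makes the activation step diagnosable from the boot log. The new `generate-host-keys?` field is only ever consulted here; when it is `#f` the code takes the documentation's word that keys are provided elsewhere and does not verify that any exist, which is worth a comment on the field in the `@@ -352,6 +352,10 @@` hunk, e.g. `;; Boolean: when #f, host keys under /etc/ssh must be supplied by other means.` The enclosing activation gexp starts before this hunk.
```scheme
(when #$(openssh-configuration-generate-host-keys? config)
  ;; Generate missing host keys; report a failure instead of discarding it,
  ;; since sshd cannot serve connections without a host key.
  (let ((status (system* (string-append #$(openssh-configuration-openssh config)
                                        "/bin/ssh-keygen")
                         "-A")))
    ;; status:exit-val is #f when the child was killed by a signal.
    (unless (eqv? 0 (status:exit-val status))
      (format (current-error-port)
              "warning: 'ssh-keygen -A' failed with status ~a~%"
              (status:exit-val status)))))
;; … unchanged: closing parentheses of the enclosing activation gexp …
```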