summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi91
-rw-r--r--gnu/services/ssh.scm51
2 files changed, 78 insertions, 64 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index b670823753..73570277f6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8281,40 +8281,67 @@ root.
 The other options should be self-descriptive.
 @end deffn
 
-@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
-       [#:port-number 22] [#:permit-root-login 'without-password] @
-       [#:allow-empty-passwords #f] [#:password-authentication? #t] @
-       [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
-       [#:x11-forwarding? #f] [#:protocol-number "2"]
-Run the @command{sshd} program from @var{openssh} on port
-@var{port-number}.  @command{sshd} runs an SSH daemon and writes its PID
-to @var{pid-file}.  It understands SSH protocol
-@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
-
-@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
-and @code{#f}.  It is used to allow root login through SSH.
-@code{'without-password} means that root login is allowed, but not with
-password-based authentication.
-
-When @var{allow-empty-passwords?} is true, users with empty passwords
-may log in.  When false, they may not.
-
-When @var{password-authentication?} is true, users may log in with their
-password.  When false, they have to use other means of authentication.
-
-When @var{pubkey-authentication?} is true, users may log in using public
-key authentication.  When false, users have to use other means of
-authentication.  Authorized public keys are stored in
-@file{~/.ssh/authorized_keys}.  This is used only by protocol version 2.
-
-When @var{rsa-authentication?} is true, users may log in using pure RSA
-authentication.  When false, users have to use other means of
-authentication.  This is used only by protocol 1.
-
-When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
-and @option{-Y} will work.
+@deffn {Scheme Variable} openssh-service-type
+This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
+shell daemon, @command{sshd}.  Its value must be an
+@code{openssh-configuration} record as in this example:
+
+@example
+(service openssh-service-type
+         (openssh-configuration
+           (x11-forwarding? #t)
+           (permit-root-login 'without-password)))
+@end example
+
+See below for details about @code{openssh-configuration}.
 @end deffn
 
+@deftp {Data Type} openssh-configuration
+This is the configuration record for OpenSSH's @command{sshd}.
+
+@table @asis
+@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
+Name of the file where @command{sshd} writes its PID.
+
+@item @code{port-number} (default: @code{22})
+TCP port on which @command{sshd} listens for incoming connections.
+
+@item @code{permit-root-login} (default: @code{#f})
+This field determines whether and when to allow logins as root.  If
+@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
+If it's the symbol @code{'without-password}, then root logins are
+permitted but not with password-based authentication.
+
+@item @code{allow-empty-passwords?} (default: @code{#f})
+When true, users with empty passwords may log in.  When false, they may
+not.
+
+@item @code{password-authentication?} (default: @code{#t})
+When true, users may log in with their password.  When false, they have
+other authentication methods.
+
+@item @code{public-key-authentication?} (default: @code{#t})
+When true, users may log in using public key authentication.  When
+false, users have to use other authentication method.
+
+Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
+This is used only by protocol version 2.
+
+@item @code{rsa-authentication?} (default: @code{#t})
+When true, users may log in using pure RSA authentication.  When false,
+users have to use other means of authentication.  This is used only by
+protocol 1.
+
+@item @code{x11-forwarding?} (default: @code{#f})
+When true, forwarding of X11 graphical client connections is
+enabled---in other words, @command{ssh} options @option{-X} and
+@option{-Y} will work.
+
+@item @code{protocol-number} (default: @code{2})
+The SSH protocol number to use.
+@end table
+@end deftp
+
 @deffn {Scheme Procedure} dropbear-service [@var{config}]
 Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
 daemon} with the given @var{config}, a @code{<dropbear-configuration>}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 084f8fa4ea..6da612da67 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -50,7 +50,6 @@
 ;;;
 ;;; Code:
 
-;; TODO: Export.
 (define-record-type* <lsh-configuration>
   lsh-configuration make-lsh-configuration
   lsh-configuration?
@@ -261,15 +260,24 @@ The other options should be self-descriptive."
 (define-record-type* <openssh-configuration>
   openssh-configuration make-openssh-configuration
   openssh-configuration?
-  (pid-file              openssh-configuration-pid-file) ;string
-  (port-number           openssh-configuration-port-number) ;integer
-  (permit-root-login     openssh-configuration-permit-root-login) ;Boolean | 'without-password
-  (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
-  (password-authentication? openssh-configuration-password-authentication?) ;Boolean
-  (pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
-  (rsa-authentication?   openssh-configuration-rsa-authentication?) ;Boolean
-  (x11-forwarding?       openssh-configuration-x11-forwarding?) ;Boolean
-  (protocol-number       openssh-configuration-protocol-number)) ;integer
+  (pid-file              openssh-configuration-pid-file
+                         (default "/var/run/sshd.pid"))
+  (port-number           openssh-configuration-port-number ;integer
+                         (default 22))
+  (permit-root-login     openssh-configuration-permit-root-login ;Boolean | 'without-password
+                         (default #f))
+  (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+                          (default #f))
+  (password-authentication? openssh-configuration-password-authentication? ;Boolean
+                            (default #t))
+  (public-key-authentication? openssh-configuration-public-key-authentication?
+                              (default #t))                         ;Boolean
+  (rsa-authentication?   openssh-configuration-rsa-authentication?  ;Boolean
+                         (default #t))
+  (x11-forwarding?       openssh-configuration-x11-forwarding? ;Boolean
+                         (default #f))
+  (protocol-number       openssh-configuration-protocol-number ;integer
+                         (default 2)))
 
 (define %openssh-accounts
   (list (user-group (name "sshd") (system? #t))
@@ -314,7 +322,7 @@ The other options should be self-descriptive."
                  #$(if (openssh-configuration-password-authentication? config)
                        "yes" "no"))
          (format port "PubkeyAuthentication ~a\n"
-                 #$(if (openssh-configuration-pubkey-authentication? config)
+                 #$(if (openssh-configuration-public-key-authentication? config)
                        "yes" "no"))
          (format port "RSAAuthentication ~a\n"
                  #$(if (openssh-configuration-rsa-authentication? config)
@@ -354,27 +362,6 @@ The other options should be self-descriptive."
                        (service-extension account-service-type
                                           (const %openssh-accounts))))))
 
-(define* (openssh-service #:key
-                          (pid-file "/var/run/sshd.pid")
-                          (port-number 22)
-                          (permit-root-login 'without-password)
-                          (allow-empty-passwords? #f)
-                          (password-authentication? #t)
-                          (pubkey-authentication? #t)
-                          (rsa-authentication? #t)
-                          (x11-forwarding? #f)
-                          (protocol-number 2))
-  (service openssh-service-type (openssh-configuration
-                                 (pid-file pid-file)
-                                 (port-number port-number)
-                                 (permit-root-login permit-root-login)
-                                 (allow-empty-passwords? allow-empty-passwords?)
-                                 (password-authentication? password-authentication?)
-                                 (pubkey-authentication? pubkey-authentication?)
-                                 (rsa-authentication? rsa-authentication?)
-                                 (x11-forwarding? x11-forwarding?)
-                                 (protocol-number protocol-number))))
-
 
 ;;;
 ;;; Dropbear.