The first patch adds PAM to the OpenSSH service, and enables it by default. This allows logging in (with a public key) if the account is locked. Otherwise, one would have to set up a password manually or, say, put '*' in /etc/shadow (with 'usermod -p'). It matters because accounts created by GuixSD are locked.
Whether to enable it by default is debatable because it is disabled upstream, but it is enabled on every distribution I had a look at. The relevant part of the documentation is:

--8<---------------cut here---------------start------------->8---
UsePAM
    Enables the Pluggable Authentication Module interface. If set to yes this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types.

    Because PAM challenge-response authentication usually serves an equivalent role to password authentication, you should disable either PasswordAuthentication or ChallengeResponseAuthentication.

    If UsePAM is enabled, you will not be able to run sshd(8) as a non-root user. The default is no.
--8<---------------cut here---------------end--------------->8---

It also explains why I set ChallengeResponseAuthentication to 'no' by default.

The second patch removes the 'RSAAuthentication' option, which causes warnings because it is deprecated.

Clément Lassieur (2):
  services: openssh: Use PAM in sshd by default.
  services: openssh: remove deprecated 'RSAAuthentication' option.

 gnu/services/ssh.scm | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

-- 
2.11.1
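
The three points in the cover letter can be checked against a generated sshd_config; this is an added example, not part of the original message or of the Guix code. The function names, finding labels and sample inputs are hypothetical, and it assumes upstream defaults for unset keywords, a '!' prefix as the lock marker in /etc/shadow, and looks at the global section only.

```python
# Added example (not from the patch series). Sample inputs are constructed.
# Assumed upstream defaults for keywords the file leaves unset.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def effective_options(config_text):
    """Global-scope options of an sshd_config; the first value set wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional blocks are out of scope here
        seen.setdefault(key, parts[1].lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}


def audit(config_text, shadow_field=None):
    """Return finding labels; shadow_field is the account's password field."""
    opts = effective_options(config_text)
    pam = opts["usepam"] == "yes"
    findings = []
    # With PAM on, both mechanisms end up doing the same password prompt.
    if pam and opts["passwordauthentication"] == "yes" \
            and opts["challengeresponseauthentication"] == "yes":
        findings.append("redundant-pam-auth")
    if "rsaauthentication" in opts:
        findings.append("deprecated-rsaauthentication")
    # Assumption: '!' marks a locked account; without PAM, sshd refuses it.
    if not pam and shadow_field is not None and shadow_field.startswith("!"):
        findings.append("locked-account-blocks-pubkey")
    return findings


BEFORE = "RSAAuthentication yes\nPasswordAuthentication yes\n"  # constructed
AFTER = "UsePAM yes\nChallengeResponseAuthentication no\n"      # constructed

if __name__ == "__main__":
    print("before:", audit(BEFORE, "!"))
    print("after: ", audit(AFTER, "!"))
```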