On 17-02-17 17:37:06, Clément Lassieur wrote:
> The first patch adds PAM to OpenSSH service, and enables it by default.

Definitely a good idea. If this is applied I think it should be communicated if it breaks people's configurations. On the other hand, guix reconfigure lint already complains if an option is no longer present. I think notifying about certain changes if they break previous configurations is nice to have (but not mandatory, just the way I would do it). The code looks reasonable; I haven't applied the changes to review it.

> This allows logging in (with a public key) if the account is locked.
> Otherwise, one would have to set up a password manually or, say, put '*' in
> /etc/shadow (with 'usermod -p'). It matters because accounts created by
> GuixSD are locked.
>
> Whether to enable it by default is debatable because it is disabled upstream,
> but it is enabled on every distribution I had a look at.
>
> The relevant part of the documentation is:
>
> --8<---------------cut here---------------start------------->8---
> UsePAM  Enables the Pluggable Authentication Module interface. If set to
>         yes this will enable PAM authentication using
>         ChallengeResponseAuthentication and PasswordAuthentication in
>         addition to PAM account and session module processing for all
>         authentication types.
>
>         Because PAM challenge-response authentication usually serves an
>         equivalent role to password authentication, you should disable
>         either PasswordAuthentication or ChallengeResponseAuthentication.
>
>         If UsePAM is enabled, you will not be able to run sshd(8) as a
>         non-root user. The default is no.
> --8<---------------cut here---------------end--------------->8---
>
> It also explains why I set ChallengeResponseAuthentication to 'no' by default.
>
> The second patch removes the 'RSAAuthentication' option, which causes warnings
> because it is deprecated.
>
> Clément Lassieur (2):
>   services: openssh: Use PAM in sshd by default.
>   services: openssh: remove deprecated 'RSAAuthentication' option.
>
>  gnu/services/ssh.scm | 24 ++++++++++++++++++------
>  1 file changed, 18 insertions(+), 6 deletions(-)
>
> --
> 2.11.1
>

--
ng0
--
https://www.inventati.org/patternsinthechaos/
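The two points the cover letter makes (a locked account cannot log in over sshd without PAM, even with a public key, while '*' in /etc/shadow is not "locked"; and the sshd_config(5) caveat that with UsePAM yes one of PasswordAuthentication or ChallengeResponseAuthentication should be off) can be checked mechanically against an sshd_config and a shadow file. The script below is an added example written for this page; it is not part of Clément's patch, of Guix, or of OpenSSH. It is a model of the rules quoted in the thread, not sshd's own code, and it assumes (not stated on the page) that the locked marker is the '!' prefix that `usermod -L` writes on GNU/Linux and that the sshd_config defaults are upstream's (UsePAM no, PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes). The shadow and sshd_config inputs are constructed inline; since the name of the new Guix configuration field is not visible in this message, the example works on sshd_config text directly.

```python
"""Model of sshd's locked-account rule and the UsePAM/password-auth caveat.

Added example for this thread; not code from the Guix patch or OpenSSH.
Assumptions (not from the page): the locked-password marker is the '!'
prefix that `usermod -L` writes on GNU/Linux, and the defaults below are
upstream sshd_config defaults.
"""

DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Parse 'Keyword value' lines. Keywords are case-insensitive and,
    as in sshd_config, the first occurrence of a keyword wins."""
    opts = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key in seen:
            continue
        seen.add(key)
        opts[key] = parts[1].strip().lower()
    return opts


def parse_shadow(text):
    """Map user -> password field (second column) of /etc/shadow lines."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(":")
        fields[cols[0]] = cols[1] if len(cols) > 1 else ""
    return fields


def account_locked_for_sshd(pw_field, use_pam):
    """Without PAM, sshd itself refuses accounts whose password field
    starts with the locked marker, whatever the authentication method.
    With UsePAM yes that decision is left to PAM's account modules,
    which is why the patch lets locked GuixSD accounts log in by key."""
    if use_pam:
        return False
    return pw_field.startswith("!")


def pubkey_login_allowed(config_text, shadow_text, user):
    """Would sshd accept a public-key login for `user` under this model?"""
    opts = parse_sshd_config(config_text)
    pw = parse_shadow(shadow_text).get(user)
    if pw is None or opts["pubkeyauthentication"] != "yes":
        return False
    return not account_locked_for_sshd(pw, opts["usepam"] == "yes")


def config_warnings(config_text):
    """The sshd_config(5) caveat quoted in the thread: with UsePAM yes,
    disable PasswordAuthentication or ChallengeResponseAuthentication."""
    opts = parse_sshd_config(config_text)
    warnings = []
    if (opts["usepam"] == "yes"
            and opts["passwordauthentication"] == "yes"
            and opts["challengeresponseauthentication"] == "yes"):
        warnings.append("UsePAM yes with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled")
    return warnings


# Constructed sample input, not real files.
SHADOW = "\n".join([
    "alice:!:17000:0:99999:7:::",   # locked, as GuixSD creates accounts
    "bob:*:17000:0:99999:7:::",     # 'usermod -p *': no password, not locked
])

CONFIG_UPSTREAM = "UsePAM no\n"                                   # upstream default
CONFIG_PATCHED = "UsePAM yes\nChallengeResponseAuthentication no\n"  # what the patch sets

if __name__ == "__main__":
    for name, cfg in (("upstream", CONFIG_UPSTREAM), ("patched", CONFIG_PATCHED)):
        for user in ("alice", "bob"):
            print(name, user, "pubkey login:", pubkey_login_allowed(cfg, SHADOW, user))
        print(name, "warnings:", config_warnings(cfg))
```

Running it shows alice (locked) refused under the upstream default and accepted under the patched settings, bob ('*') accepted under both, and a warning only when UsePAM yes is combined with both password-style methods left on.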