On Fri, 17 Feb 2017 17:18:33 +0000 ng0 <contact....@cryptolab.net> wrote:

> On 17-02-17 17:37:06, Clément Lassieur wrote:
> > The first patch adds PAM to OpenSSH service, and enables it by
> > default.
>
> Definitely a good idea. If this is applied I think it should be
> communicated if it breaks people's configurations. On the other hand,
> guix reconfigure lint already complains if an option is no longer
> present.
> I think notifying about certain changes if they break previous
> configurations is nice to have (but not mandatory, just the way I
> would do it).
> The code looks reasonable, I haven't applied the changes to review it.

I haven't applied it either, but it looks good, thank you :)

Could you also document the new fields and remove the documentation for
the old one?

> > This allows to log in (with a public key) if the account is locked.
> > Otherwise, one would have to set up a password manually or, say,
> > put '*' in /etc/shadow (with 'usermod -p'). It matters because
> > accounts created by GuixSD are locked.
> >
> > Whether to enable it by default is debatable because it is disabled
> > upstream, but it is enabled on every distribution I had a look at.
> >
> > The relevant part of the documentation is:
> >
> > --8<---------------cut here---------------start------------->8---
> > UsePAM  Enables the Pluggable Authentication Module interface. If
> >         set to yes this will enable PAM authentication using
> >         ChallengeResponseAuthentication and PasswordAuthentication
> >         in addition to PAM account and session module processing
> >         for all authentication types.
> >
> >         Because PAM challenge-response authentication usually
> >         serves an equivalent role to password authentication, you
> >         should disable either PasswordAuthentication or
> >         ChallengeResponseAuthentication.
> >
> >         If UsePAM is enabled, you will not be able to run sshd(8)
> >         as a non-root user. The default is no.
> > --8<---------------cut here---------------end--------------->8---
> >
> > It also explains why I set ChallengeResponseAuthentication to 'no'
> > by default.
> >
> > The second patch removes the 'RSAAuthentication' option, which
> > causes warnings because it is deprecated.
> >
> > Clément Lassieur (2):
> >   services: openssh: Use PAM in sshd by default.
> >   services: openssh: remove deprecated 'RSAAuthentication' option.
> >
> >  gnu/services/ssh.scm | 24 ++++++++++++++++++------
> >  1 file changed, 18 insertions(+), 6 deletions(-)
> >
> > --
> > 2.11.1
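A small check of a generated sshd_config against the reasoning in the cover letter, added here as an example and not part of the patch or of Guix: it reads the first occurrence of each keyword (as sshd does), applies the upstream defaults quoted above, and flags a configuration where UsePAM is off or where PasswordAuthentication and ChallengeResponseAuthentication are both enabled. The two sample config files are constructed.

```shell
#!/bin/sh
# Constructed sample: what the patch's defaults amount to (PAM on,
# challenge-response off, password auth left at its upstream default).
GOOD_CFG="$(mktemp)"
cat > "$GOOD_CFG" <<'EOF'
# generated sshd_config (constructed sample)
UsePAM yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

# Constructed sample: the pre-patch situation (UsePAM defaults to no)
# plus both password-style methods enabled.
BAD_CFG="$(mktemp)"
cat > "$BAD_CFG" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

# cfg_value FILE KEYWORD DEFAULT
# sshd uses the first obtained value of a keyword; keywords are
# case-insensitive.  Comments are stripped before matching.
cfg_value() {
    v=$(sed 's/#.*//' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print tolower($2); exit }')
    printf '%s' "${v:-$3}"
}

# check_sshd_pam_config FILE
# Returns 0 when the file is consistent with the cover letter's reasoning,
# 1 otherwise, printing one line per finding.
check_sshd_pam_config() {
    rc=0
    usepam=$(cfg_value "$1" UsePAM no)                        # upstream default: no
    pass=$(cfg_value "$1" PasswordAuthentication yes)         # upstream default: yes
    chal=$(cfg_value "$1" ChallengeResponseAuthentication yes) # upstream default: yes
    if [ "$usepam" != yes ]; then
        echo "UsePAM is '$usepam': key login to a locked account (as GuixSD creates them) will be refused"
        rc=1
    fi
    if [ "$pass" = yes ] && [ "$chal" = yes ]; then
        echo "PasswordAuthentication and ChallengeResponseAuthentication are both enabled; upstream advises disabling one"
        rc=1
    fi
    return $rc
}
```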