diff options
| author | Clément Lassieur <clement@lassieur.org> | 2017-03-02 22:06:27 +0100 |
|---|---|---|
| committer | Danny Milosavljevic <dannym@scratchpost.org> | 2017-03-10 19:23:43 +0100 |
| commit | 563c5d42c954eacc54151d46a04ae14b9dbb1a10 (patch) | |
| tree | 3650d8809e312bf90099b4577203b388c822cc93 | |
| parent | 856be823235d488bf5d580b0b0340ec93d042e28 (diff) | |
| download | guix-patches-563c5d42c954eacc54151d46a04ae14b9dbb1a10.tar guix-patches-563c5d42c954eacc54151d46a04ae14b9dbb1a10.tar.gz | |
services: openssh: Enable PAM.
* gnu/services/ssh.scm: (openssh-pam-services): New procedure.
(openssh-service-type): Use it to extend PAM-ROOT-SERVICE-TYPE.
(<openssh-configuration>)[challenge-response-authentication?]: New field.
(<openssh-configuration>)[use-pam?]: New field.
(openssh-config-file): Add them.
* doc/guix.texi (Networking Services): Document them.
Signed-off-by: Danny Milosavljevic <dannym@scratchpost.org>
| -rw-r--r-- | doc/guix.texi | 16 | ||||
| -rw-r--r-- | gnu/services/ssh.scm | 21 |
2 files changed, 36 insertions, 1 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 18821b9a9e..5aed6771db 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -9344,6 +9344,22 @@ enabled---in other words, @command{ssh} options @option{-X} and @item @code{protocol-number} (default: @code{2}) The SSH protocol number to use. + +@item @code{challenge-response-authentication?} (default: @code{#f}) +Specifies whether challenge response authentication is allowed (e.g. via +PAM). + +@item @code{use-pam?} (default: @code{#t}) +Enables the Pluggable Authentication Module interface. If set to +@code{#t}, this will enable PAM authentication using +@code{challenge-response-authentication?} and +@code{password-authentication?}, in addition to PAM account and session +module processing for all authentication types. + +Because PAM challenge response authentication usually serves an +equivalent role to password authentication, you should disable either +@code{challenge-response-authentication?} or +@code{password-authentication?}. @end table @end deftp diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index c1d42e70ce..716a0fbbda 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -279,7 +279,11 @@ The other options should be self-descriptive." (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean (default #f)) (protocol-number openssh-configuration-protocol-number ;integer - (default 2))) + (default 2)) + (challenge-response-authentication? openssh-challenge-response-authentication? + (default #f)) ;Boolean + (use-pam? openssh-configuration-use-pam? + (default #t))) ;Boolean (define %openssh-accounts (list (user-group (name "sshd") (system? #t)) @@ -336,6 +340,12 @@ The other options should be self-descriptive." "yes" "no")) (format port "PidFile ~a\n" #$(openssh-configuration-pid-file config)) + (format port "ChallengeResponseAuthentication ~a\n" + #$(if (openssh-challenge-response-authentication? config) + "yes" "no")) + (format port "UsePAM ~a\n" + #$(if (openssh-configuration-use-pam? config) + "yes" "no")) #t)))) (define (openssh-shepherd-service config) @@ -356,11 +366,20 @@ The other options should be self-descriptive." #:pid-file #$pid-file)) (stop #~(make-kill-destructor))))) +(define (openssh-pam-services config) + "Return a list of <pam-services> for sshd with CONFIG." + (list (unix-pam-service + "sshd" + #:allow-empty-passwords? + (openssh-configuration-allow-empty-passwords? config)))) + (define openssh-service-type (service-type (name 'openssh) (extensions (list (service-extension shepherd-root-service-type openssh-shepherd-service) + (service-extension pam-root-service-type + openssh-pam-services) (service-extension activation-service-type openssh-activation) (service-extension account-service-type |