I wanted to permit root logins but only permit public key authentication in my openssh configuration. This was my original assumption of how to do it:
    (service openssh-service-type
             (openssh-configuration
              (permit-root-login 'without-password)
              (password-authentication? #f)))

However, for whatever reason, openssh fails to start with this combination. However, it turns out this is redundant, since the configuration is already only permitting with public key authentication.

    (service openssh-service-type
             (openssh-configuration
              (permit-root-login #t)
              (password-authentication? #f)))

This route is sufficient. However, maybe we should prevent people from accidentally causing openssh to not start. Here's a suggested route... though I haven't tested it:

#+BEGIN_SRC diff diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index 9917c311c..f1f2ab3dc 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -342,7 +342,13 @@ The other options should be self-descriptive." #$(match (openssh-configuration-permit-root-login config) (#t "yes") (#f "no") - ('without-password "without-password"))) + ('without-password + ;; If we've already disabled password-authentication, this + ;; is redundant, and even stops the openssh server from + ;; starting up + (if (openssh-configuration-password-authentication? config) + "without-password" + "yes")))) (format port "PermitEmptyPasswords ~a\n" #$(if (openssh-configuration-allow-empty-passwords? config) "yes" "no")) #+END_SRC
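
Review bot: In the new 'without-password branch, falling back to "yes" when password-authentication? is #f is not an equivalent setting: sshd's without-password also disables keyboard-interactive authentication for root, while "yes" admits root through any method that remains enabled, and this branch only inspects password-authentication?. Since the message says the change is untested and the reason sshd fails to start with this combination is not identified, I would rather find out why sshd rejects the emitted value, or signal a configuration error for the combination, than silently widen PermitRootLogin. If the fallback stays, the comment should state that the emitted value becomes "yes" and should end with a period.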