On Fri, 05 Aug 2016 15:47:50 +0200
Andy Wingo <wi...@igalia.com> wrote:
> On Fri 05 Aug 2016 14:18, Julien Lepiller <jul...@lepiller.eu> writes:
>
> > here is a patch that adds a service definition for openssh.
>
> Very nice!
>
> > + (let ((pid (primitive-fork)))
> > + (case pid
> > + ((0)
> > + (execl (string-append #$openssh "/bin/ssh-keygen")
> > + "ssh-keygen" "-A")
> > + (else
> > + (zero? (cdr (waitpid pid)))))))
>
> I guess you could system* this one instead; would be easier I think.
> Dunno.
I modified my patch, so you can choose whichever feels better.
>
> Other than that looks all good to me. Would need an addition to the
> manual eventually though.
>
> Andy
>From 198ed4efacadd72b4ccda617855fb7f409bedd3b Mon Sep 17 00:00:00 2001
From: Julien Lepiller <jul...@lepiller.eu>
Date: Fri, 5 Aug 2016 15:20:15 +0200
Subject: [PATCH] services: Add openssh
* gnu/packages/ssh.scm: Openssh reads its configuration from /etc
* gnu/services/ssh.scm: Add openssh-service
---
gnu/packages/ssh.scm | 3 +-
gnu/services/ssh.scm | 139 ++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 140 insertions(+), 2 deletions(-)
diff --git a/gnu/packages/ssh.scm b/gnu/packages/ssh.scm
index bca4433..eec6673 100644
--- a/gnu/packages/ssh.scm
+++ b/gnu/packages/ssh.scm
@@ -142,7 +142,8 @@ a server that supports the SSH-2 protocol.")
("zlib" ,zlib)
("xauth" ,xauth))) ;for 'ssh -X' and 'ssh -Y'
(arguments
- `(#:test-target "tests"
+ `(#:configure-flags `("--sysconfdir=/etc/ssh")
+ #:test-target "tests"
#:phases
(modify-phases %standard-phases
(add-after 'configure 'reset-/var/empty
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 9a7ea0f..60b9cec 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -19,9 +19,11 @@
(define-module (gnu services ssh)
#:use-module (gnu packages ssh)
+ #:use-module (gnu packages admin)
#:use-module (gnu services)
#:use-module (gnu services shepherd)
#:use-module (gnu system pam)
+ #:use-module (gnu system shadow)
#:use-module (guix gexp)
#:use-module (guix records)
#:use-module (srfi srfi-26)
@@ -30,6 +32,11 @@
lsh-service
lsh-service-type
+ openssh-configuration
+ openssh-configuration?
+ openssh-service-type
+ openssh-service
+
dropbear-configuration
dropbear-configuration?
dropbear-service-type
@@ -244,7 +251,137 @@ The other options should be self-descriptive."
public-key-authentication?)
(initialize? initialize?))))
-�
+;;;
+;;; OpenSSH.
+;;;
+
+(define-record-type* <openssh-configuration>
+ openssh-configuration make-openssh-configuration
+ openssh-configuration?
+ (pidfile openssh-configuration-pidfile
+ (default "/var/run/sshd.pid"))
+ (port-number openssh-configuration-port-number
+ (default 22))
+ (root-login openssh-configuration-root-login
+ (default "without-password"))
+ (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
+ (default #f))
+ (password-authentication? openssh-configuration-password-authentication?
+ (default #t))
+ (pubkey-authentication? openssh-configuration-pubkey-authentication?
+ (default #t))
+ (rsa-authentication? openssh-configuration-rsa-authentication?
+ (default #t))
+ (x11-forwarding? openssh-configuration-x11-forwarding?
+ (default #f))
+ (protocol-number openssh-configuration-protocol-number
+ (default "2")))
+
+(define %openssh-accounts
+ (list (user-group (name "sshd") (system? #t))
+ (user-account
+ (name "sshd")
+ (group "sshd")
+ (system? #t)
+ (comment "sshd privilege separation user")
+ (home-directory "/var/run/sshd")
+ (shell #~(string-append #$shadow "/sbin/nologin")))))
+
+(define (openssh-activation config)
+ "Return the activation GEXP for CONFIG."
+ #~(begin
+ (mkdir-p "/etc/ssh")
+ (mkdir-p (basename #$(openssh-configuration-pidfile config)))
+ (system* (string-append #$openssh "/bin/ssh-keygen") "-A")
+ (call-with-output-file "/etc/ssh/sshd_config"
+ (lambda (port)
+ (display
+ "# Generated by 'openssh-service'.\n"
+ port)
+ (format port "Protocol ~a\n"
+ #$(openssh-configuration-protocol-number config))
+ (format port "Port ~a\n"
+ #$(number->string (openssh-configuration-port-number config)))
+ (format port "PermitRootLogin ~a\n"
+ #$(openssh-configuration-root-login config))
+ (format port "PermitEmptyPasswords ~a\n"
+ #$(if (openssh-configuration-allow-empty-passwords? config)
+ "yes" "no"))
+ (format port "PasswordAuthentication ~a\n"
+ #$(if (openssh-configuration-password-authentication? config)
+ "yes" "no"))
+ (format port "PubkeyAuthentication ~a\n"
+ #$(if (openssh-configuration-pubkey-authentication? config)
+ "yes" "no"))
+ (format port "RSAAuthentication ~a\n"
+ #$(if (openssh-configuration-rsa-authentication? config)
+ "yes" "no"))
+ (format port "X11Forwarding ~a\n"
+ #$(if (openssh-configuration-x11-forwarding? config)
+ "yes" "no"))
+ (format port "PidFile ~a\n"
+ #$(openssh-configuration-pidfile config))))))
+
+(define (openssh-shepherd-service config)
+ "Return a <shepherd-service> for openssh with CONFIG."
+
+ (define pid-file
+ (openssh-configuration-pidfile config))
+
+ (define openssh-command
+ #~(list (string-append #$openssh "/sbin/sshd")
+ "-D"))
+
+ (define requires
+ '(networking syslogd))
+
+ (list (shepherd-service
+ (documentation "Openssh SSH server.")
+ (requirement requires)
+ (provision '(ssh-daemon))
+ (start #~(make-forkexec-constructor #$openssh-command
+ #:pid-file #$pid-file))
+ (stop #~(make-kill-destructor)))))
+
+(define openssh-service-type
+ (service-type (name 'openssh)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ openssh-shepherd-service)
+ (service-extension activation-service-type
+ openssh-activation)
+ (service-extension account-service-type
+ (const %openssh-accounts))))))
+
+(define* (openssh-service #:optional (config (openssh-configuration)))
+ "Run the @command{sshd} program from @var{openssh} on port @var{port-number}.
+@command{sshd} runs an ssh daemon and writes its PID to @var{pidfile}. It
+understands ssh protocol @var{protocol-number}. The @var{protocol-number} can
+be one of \"1\", \"2\" or \"1,2\".
+
+@var{PermitRootLogin} takes one of @var{yes}, @var{without-password} and
+@var{no}. It is used to allow root login through ssh. @var{without-password}
+means that root login is allowed, except when loging with a password (eg: a
+public key).
+
+When @var{allow-empty-passwords?} is true, users with empty passwords may log
+in. When false, they may not.
+
+When @var{password-authentication?} is true, users may log in with their
+password. When false, they have to use other means of authentication.
+
+When @var{pubkey-authentication?} is true, users may log in using public key
+authentication. When false, users have to use other means of authentication.
+Authorized public keys are stored in ~/.ssh/authorized_keys. This is used only
+by protocol 2.
+
+When @var{rsa-authentication?} is true, users may log in using pure RSA
+authentication. When false, users have to use other means of authentication.
+This is used only by protocol 1.
+
+When @var{x11-forwarding} is true, @command{ssh} options -X and -Y will work."
+ (service openssh-service-type config))
+
;;;
;;; Dropbear.
;;;
--
2.9.2
