Re: [PATCH 0/2] Openssh service patches
From: ng0
Subject: Re: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 17:18:33 +0000
On 17-02-17 17:37:06, Clément Lassieur wrote:
> The first patch adds PAM to OpenSSH service, and enables it by default.
Definitely a good idea. If this is applied, I think it should be
communicated if it breaks people's configurations. On the other hand,
guix reconfigure lint already complains if an option is no longer
present.
I think notifying about certain changes if they break previous
configurations is nice to have (but not mandatory, just the way I would do it).
The code looks reasonable; I haven't applied the changes to review it.
> This allows logging in (with a public key) if the account is locked.
> Otherwise, one would have to set up a password manually or, say, put '*' in
> /etc/shadow (with 'usermod -p'). It matters because accounts created by
> GuixSD are locked.
>
> Whether to enable it by default is debatable because it is disabled upstream,
> but it is enabled on every distribution I had a look at.
>
> The relevant part of the documentation is:
>
> --8<---------------cut here---------------start------------->8---
> UsePAM Enables the Pluggable Authentication Module interface. If set to
> yes this will enable PAM authentication using
> ChallengeResponseAuthentication and PasswordAuthentication in
> addition to PAM account and session module processing for all
> authentication types.
>
> Because PAM challenge-response authentication usually serves an
> equivalent role to password authentication, you should disable
> either PasswordAuthentication or ChallengeResponseAuthentication.
>
> If UsePAM is enabled, you will not be able to run sshd(8) as a
> non-root user. The default is no.
> --8<---------------cut here---------------end--------------->8---
>
> It also explains why I set ChallengeResponseAuthentication to 'no' by default.
>
> The second patch removes the 'RSAAuthentication' option, which causes warnings
> because it is deprecated.
>
> Clément Lassieur (2):
> services: openssh: Use PAM in sshd by default.
> services: openssh: remove deprecated 'RSAAuthentication' option.
>
> gnu/services/ssh.scm | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> --
> 2.11.1
>
>
--
ng0 -- https://www.inventati.org/patternsinthechaos/
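As an added example that is not part of this thread or of Guix's own code: a small sshd_config linter that flags the two points discussed above, the deprecated RSAAuthentication keyword and a UsePAM yes configuration that leaves both PasswordAuthentication and ChallengeResponseAuthentication enabled. The defaults table and both sample configs are constructed assumptions, not output of the Guix service.

```python
import re

# Assumed defaults from sshd_config(5): the quoted manual gives UsePAM as "no";
# the two password-style methods default to "yes" upstream.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes"}
# Keyword removed upstream that sshd only warns about (the second patch drops it).
DEPRECATED = {"rsaauthentication"}

def parse_sshd_config(text):
    """Map lowercased keyword -> value; like sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # sshd accepts "Keyword value" or "Keyword = value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings

def lint_sshd_config(text):
    """Return findings for the two issues raised in the thread (empty if clean)."""
    cfg = parse_sshd_config(text)
    findings = [f"deprecated keyword '{k}' present; sshd will warn"
                for k in cfg if k in DEPRECATED]
    effective = {k: cfg.get(k, default) for k, default in DEFAULTS.items()}
    if (effective["usepam"] == "yes"
            and effective["passwordauthentication"] == "yes"
            and effective["challengeresponseauthentication"] == "yes"):
        findings.append("UsePAM yes with both PasswordAuthentication and "
                        "ChallengeResponseAuthentication enabled; disable one")
    return findings

# Constructed sample configs (not taken from Guix): before and after the patches.
BEFORE = """\
RSAAuthentication yes
UsePAM yes
PasswordAuthentication yes
"""
AFTER = """\
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
"""
```

Running `lint_sshd_config(BEFORE)` reports both findings, while `AFTER` (the shape the series ends up with) reports none.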