Re: [PATCH 0/2] Openssh service patches
From: Julien Lepiller
Subject: Re: [PATCH 0/2] Openssh service patches
Date: Fri, 17 Feb 2017 18:45:29 +0100
On Fri, 17 Feb 2017 17:18:33 +0000
ng0 <address@hidden> wrote:
> On 17-02-17 17:37:06, Clément Lassieur wrote:
> > The first patch adds PAM to OpenSSH service, and enables it by
> > default.
>
> Definitely a good idea. If this is applied I think it should be
> communicated if it breaks people's configurations. On the other hand,
> guix reconfigure lint already complains if an option is no longer
> present.
> I think notifying about certain changes if they break previous
> configurations is nice to have (but not mandatory, just the way I
> would do it).
> The code looks reasonable, I haven't applied the changes to review it.
I haven't applied it either, but it looks good, thank you :)
Could you also document the new fields and remove the documentation for
the old one?
>
> > This allows logging in (with a public key) if the account is locked.
> > Otherwise, one would have to set up a password manually or, say,
> > put '*' in /etc/shadow (with 'usermod -p'). It matters because
> > accounts created by GuixSD are locked.
> >
> > Whether to enable it by default is debatable because it is disabled
> > upstream, but it is enabled on every distribution I had a look at.
> >
> > The relevant part of the documentation is:
> >
> > --8<---------------cut here---------------start------------->8---
> > UsePAM Enables the Pluggable Authentication Module interface. If
> > set to yes this will enable PAM authentication using
> > ChallengeResponseAuthentication and PasswordAuthentication
> > in addition to PAM account and session module processing for all
> > authentication types.
> >
> > Because PAM challenge-response authentication usually
> > serves an equivalent role to password authentication, you should
> > disable either PasswordAuthentication or
> > ChallengeResponseAuthentication.
> >
> > If UsePAM is enabled, you will not be able to run sshd(8)
> > as a non-root user. The default is no.
> > --8<---------------cut here---------------end--------------->8---
> >
> > It also explains why I set ChallengeResponseAuthentication to 'no'
> > by default.
> >
> > The second patch removes the 'RSAAuthentication' option, which
> > causes warnings because it is deprecated.
> >
> > Clément Lassieur (2):
> > services: openssh: Use PAM in sshd by default.
> > services: openssh: remove deprecated 'RSAAuthentication' option.
> >
> > gnu/services/ssh.scm | 24 ++++++++++++++++++------
> > 1 file changed, 18 insertions(+), 6 deletions(-)
> >
> > --
> > 2.11.1
> >
> >
>
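The two rules the thread relies on (from the quoted sshd_config(5) text: with UsePAM yes, do not leave both PasswordAuthentication and ChallengeResponseAuthentication enabled; and the RSAAuthentication option being deprecated) can be checked mechanically against a generated sshd_config. The following linter is an added example, not part of the patch series or of Guix; the sample configuration is constructed, and the default values are the ones sshd_config(5) documents for these options.

```python
import re

# Option the second patch removes because sshd warns that it is deprecated.
DEPRECATED_OPTIONS = {"rsaauthentication"}

# Values sshd assumes when an option is absent (sshd_config(5) defaults).
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lowercase: value} using the first occurrence of each keyword.

    sshd honours the first value it sees for a keyword, keywords are
    case-insensitive, and '#' starts a comment.  'Match' blocks are not handled.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
        if m:
            options.setdefault(m.group(1).lower(), m.group(2).strip())
    return options


def lint_pam_settings(text):
    """Return a list of findings for the two rules discussed in the thread."""
    opts = parse_sshd_config(text)
    findings = []
    for key in sorted(DEPRECATED_OPTIONS & opts.keys()):
        findings.append(f"deprecated option {key}: sshd emits a warning")
    value = lambda k: opts.get(k, DEFAULTS[k]).lower()
    if (value("usepam") == "yes" and value("passwordauthentication") == "yes"
            and value("challengeresponseauthentication") == "yes"):
        findings.append("UsePAM yes with PasswordAuthentication and "
                        "ChallengeResponseAuthentication both enabled: disable one")
    return findings


# Constructed sample: the defaults the first patch sets, plus the removed option.
SAMPLE_CONFIG = """\
# constructed example, not a real host's configuration
UsePAM yes
ChallengeResponseAuthentication no
RSAAuthentication yes
"""

if __name__ == "__main__":
    for finding in lint_pam_settings(SAMPLE_CONFIG):
        print(finding)
```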
- [PATCH 0/2] Openssh service patches, Clément Lassieur, 2017/02/17
- [PATCH 2/2] services: openssh: remove deprecated 'RSAAuthentication' option., Clément Lassieur, 2017/02/17
- [PATCH 1/2] services: openssh: Use PAM in sshd by default., Clément Lassieur, 2017/02/17
- Re: [PATCH 0/2] Openssh service patches, ng0, 2017/02/17
- Re: [PATCH 0/2] Openssh service patches, Julien Lepiller <=
- [PATCH 1/2] services: openssh: Enable PAM., Clément Lassieur, 2017/02/18
- [PATCH 2/2] services: openssh: Remove deprecated 'RSAAuthentication' option., Clément Lassieur, 2017/02/18
- Re: [PATCH 2/2] services: openssh: Remove deprecated 'RSAAuthentication' option., Ricardo Wurmus, 2017/02/18
- Re: [PATCH 2/2] services: openssh: Remove deprecated 'RSAAuthentication' option., Clément Lassieur, 2017/02/18
- Re: [PATCH 2/2] services: openssh: Remove deprecated 'RSAAuthentication' option., ng0, 2017/02/19
- [PATCH 0/4] Openssh service patches, Clément Lassieur, 2017/02/20
- [PATCH 4/4] services: openssh: Add 'subsystems' option., Clément Lassieur, 2017/02/20
- [PATCH 2/4] services: openssh: Remove deprecated options., Clément Lassieur, 2017/02/20
- [PATCH 3/4] services: openssh: Fix 'PrintLastLog' default behaviour., Clément Lassieur, 2017/02/20
- [PATCH 1/4] services: openssh: Enable PAM., Clément Lassieur, 2017/02/20