summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/guix.texi91
-rw-r--r--gnu/services/ssh.scm51
2 files changed, 78 insertions, 64 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index b670823753..73570277f6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -8281,40 +8281,67 @@ root.
The other options should be self-descriptive.
@end deffn
-@deffn {Scheme Procedure} openssh-service [#:pid-file "/var/run/sshd.pid"] @
- [#:port-number 22] [#:permit-root-login 'without-password] @
- [#:allow-empty-passwords #f] [#:password-authentication? #t] @
- [#:pubkey-authentication? #t] [#:rsa-authentication? #t] @
- [#:x11-forwarding? #f] [#:protocol-number "2"]
-Run the @command{sshd} program from @var{openssh} on port
-@var{port-number}. @command{sshd} runs an SSH daemon and writes its PID
-to @var{pid-file}. It understands SSH protocol
-@var{protocol-number}. The @var{protocol-number} can be either 1 or 2.
-
-@var{permit-root-login} takes one of @code{#t}, @code{'without-password}
-and @code{#f}. It is used to allow root login through SSH.
-@code{'without-password} means that root login is allowed, but not with
-password-based authentication.
-
-When @var{allow-empty-passwords?} is true, users with empty passwords
-may log in. When false, they may not.
-
-When @var{password-authentication?} is true, users may log in with their
-password. When false, they have to use other means of authentication.
-
-When @var{pubkey-authentication?} is true, users may log in using public
-key authentication. When false, users have to use other means of
-authentication. Authorized public keys are stored in
-@file{~/.ssh/authorized_keys}. This is used only by protocol version 2.
-
-When @var{rsa-authentication?} is true, users may log in using pure RSA
-authentication. When false, users have to use other means of
-authentication. This is used only by protocol 1.
-
-When @var{x11-forwarding?} is true, @command{ssh} options @option{-X}
-and @option{-Y} will work.
+@deffn {Scheme Variable} openssh-service-type
+This is the type for the @uref{http://www.openssh.org, OpenSSH} secure
+shell daemon, @command{sshd}. Its value must be an
+@code{openssh-configuration} record as in this example:
+
+@example
+(service openssh-service-type
+ (openssh-configuration
+ (x11-forwarding? #t)
+ (permit-root-login 'without-password)))
+@end example
+
+See below for details about @code{openssh-configuration}.
@end deffn
+@deftp {Data Type} openssh-configuration
+This is the configuration record for OpenSSH's @command{sshd}.
+
+@table @asis
+@item @code{pid-file} (default: @code{"/var/run/sshd.pid"})
+Name of the file where @command{sshd} writes its PID.
+
+@item @code{port-number} (default: @code{22})
+TCP port on which @command{sshd} listens for incoming connections.
+
+@item @code{permit-root-login} (default: @code{#f})
+This field determines whether and when to allow logins as root. If
+@code{#f}, root logins are disallowed; if @code{#t}, they are allowed.
+If it's the symbol @code{'without-password}, then root logins are
+permitted but not with password-based authentication.
+
+@item @code{allow-empty-passwords?} (default: @code{#f})
+When true, users with empty passwords may log in. When false, they may
+not.
+
+@item @code{password-authentication?} (default: @code{#t})
+When true, users may log in with their password. When false, they have
+other authentication methods.
+
+@item @code{public-key-authentication?} (default: @code{#t})
+When true, users may log in using public key authentication. When
+false, users have to use other authentication method.
+
+Authorized public keys are stored in @file{~/.ssh/authorized_keys}.
+This is used only by protocol version 2.
+
+@item @code{rsa-authentication?} (default: @code{#t})
+When true, users may log in using pure RSA authentication. When false,
+users have to use other means of authentication. This is used only by
+protocol 1.
+
+@item @code{x11-forwarding?} (default: @code{#f})
+When true, forwarding of X11 graphical client connections is
+enabled---in other words, @command{ssh} options @option{-X} and
+@option{-Y} will work.
+
+@item @code{protocol-number} (default: @code{2})
+The SSH protocol number to use.
+@end table
+@end deftp
+
@deffn {Scheme Procedure} dropbear-service [@var{config}]
Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
daemon} with the given @var{config}, a @code{<dropbear-configuration>}
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 084f8fa4ea..6da612da67 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -50,7 +50,6 @@
;;;
;;; Code:
-;; TODO: Export.
(define-record-type* <lsh-configuration>
lsh-configuration make-lsh-configuration
lsh-configuration?
@@ -261,15 +260,24 @@ The other options should be self-descriptive."
(define-record-type* <openssh-configuration>
openssh-configuration make-openssh-configuration
openssh-configuration?
- (pid-file openssh-configuration-pid-file) ;string
- (port-number openssh-configuration-port-number) ;integer
- (permit-root-login openssh-configuration-permit-root-login) ;Boolean | 'without-password
- (allow-empty-passwords? openssh-configuration-allow-empty-passwords?) ;Boolean
- (password-authentication? openssh-configuration-password-authentication?) ;Boolean
- (pubkey-authentication? openssh-configuration-pubkey-authentication?) ;Boolean
- (rsa-authentication? openssh-configuration-rsa-authentication?) ;Boolean
- (x11-forwarding? openssh-configuration-x11-forwarding?) ;Boolean
- (protocol-number openssh-configuration-protocol-number)) ;integer
+ (pid-file openssh-configuration-pid-file
+ (default "/var/run/sshd.pid"))
+ (port-number openssh-configuration-port-number ;integer
+ (default 22))
+ (permit-root-login openssh-configuration-permit-root-login ;Boolean | 'without-password
+ (default #f))
+ (allow-empty-passwords? openssh-configuration-allow-empty-passwords? ;Boolean
+ (default #f))
+ (password-authentication? openssh-configuration-password-authentication? ;Boolean
+ (default #t))
+ (public-key-authentication? openssh-configuration-public-key-authentication?
+ (default #t)) ;Boolean
+ (rsa-authentication? openssh-configuration-rsa-authentication? ;Boolean
+ (default #t))
+ (x11-forwarding? openssh-configuration-x11-forwarding? ;Boolean
+ (default #f))
+ (protocol-number openssh-configuration-protocol-number ;integer
+ (default 2)))
(define %openssh-accounts
(list (user-group (name "sshd") (system? #t))
@@ -314,7 +322,7 @@ The other options should be self-descriptive."
#$(if (openssh-configuration-password-authentication? config)
"yes" "no"))
(format port "PubkeyAuthentication ~a\n"
- #$(if (openssh-configuration-pubkey-authentication? config)
+ #$(if (openssh-configuration-public-key-authentication? config)
"yes" "no"))
(format port "RSAAuthentication ~a\n"
#$(if (openssh-configuration-rsa-authentication? config)
@@ -354,27 +362,6 @@ The other options should be self-descriptive."
(service-extension account-service-type
(const %openssh-accounts))))))
-(define* (openssh-service #:key
- (pid-file "/var/run/sshd.pid")
- (port-number 22)
- (permit-root-login 'without-password)
- (allow-empty-passwords? #f)
- (password-authentication? #t)
- (pubkey-authentication? #t)
- (rsa-authentication? #t)
- (x11-forwarding? #f)
- (protocol-number 2))
- (service openssh-service-type (openssh-configuration
- (pid-file pid-file)
- (port-number port-number)
- (permit-root-login permit-root-login)
- (allow-empty-passwords? allow-empty-passwords?)
- (password-authentication? password-authentication?)
- (pubkey-authentication? pubkey-authentication?)
- (rsa-authentication? rsa-authentication?)
- (x11-forwarding? x11-forwarding?)
- (protocol-number protocol-number))))
-
;;;
;;; Dropbear.