[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
10/13: services: hurd-vm: Disable password-based authentication for root
From: |
guix-commits |
Subject: |
10/13: services: hurd-vm: Disable password-based authentication for root. |
Date: |
Sun, 1 Oct 2023 17:02:33 -0400 (EDT) |
civodul pushed a commit to branch master
in repository guix.
commit c3a19cc2ac7ddc821d7fc56455f68546b087be47
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Sep 21 18:01:17 2023 +0200
services: hurd-vm: Disable password-based authentication for root.
With offloading to a childhurd is enabled, allowing password-less root
login in the childhurd to anyone amounts to providing write access to
the host’s store to anyone. Thus, disable password-based root logins in
the childhurd.
* gnu/services/virtualization.scm (%hurd-vm-operating-system): Change
‘permit-root-login’ to 'prohibit-password.
* gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’
field for ‘hurd-vm-configuration’.
* doc/guix.texi (Virtualization Services): Remove mention of
password-less root login.
---
doc/guix.texi | 5 -----
gnu/services/virtualization.scm | 2 +-
gnu/tests/virtualization.scm | 15 ++++++++++++++-
3 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 1869b59ef6..04d2ad0a69 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -35722,11 +35722,6 @@ guix shell tigervnc-client -- vncviewer localhost:5900
The default configuration (see @code{hurd-vm-configuration} below)
spawns a secure shell (SSH) server in your GNU/Hurd system, which QEMU
(the virtual machine emulator) redirects to port 10222 on the host.
-Thus, you can connect over SSH to the childhurd with:
-
-@example
-ssh root@@localhost -p 10022
-@end example
The childhurd is volatile and stateless: it starts with a fresh root
file system every time you restart it. By default though, all the files
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 258b503461..930c2ce702 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1080,7 +1080,7 @@ that will be listening to receive secret keys on port
1004, TCP."
(openssh-configuration
(openssh openssh-sans-x)
(use-pam? #f)
- (permit-root-login #t)
+ (permit-root-login 'prohibit-password)
(allow-empty-passwords? #t)
(password-authentication? #t)))
diff --git a/gnu/tests/virtualization.scm b/gnu/tests/virtualization.scm
index 9e7928703e..599e58edf0 100644
--- a/gnu/tests/virtualization.scm
+++ b/gnu/tests/virtualization.scm
@@ -31,6 +31,7 @@
#:use-module (gnu services)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
#:use-module (gnu services virtualization)
#:use-module (gnu packages ssh)
#:use-module (gnu packages virtualization)
@@ -228,7 +229,19 @@
(define %childhurd-os
(simple-operating-system
(service dhcp-client-service-type)
- (service hurd-vm-service-type)))
+ (service hurd-vm-service-type
+ (hurd-vm-configuration
+ ;; Allow root login with an empty password to simplify the test
+ ;; below.
+ (os (operating-system
+ (inherit %hurd-vm-operating-system)
+ (services
+ (modify-services (operating-system-user-services
+ %hurd-vm-operating-system)
+ (openssh-service-type
+ config => (openssh-configuration
+ (inherit config)
+ (permit-root-login #t)))))))))))
(define (run-childhurd-test)
(define os
- branch master updated (dfaeaae9c7 -> b9fae146d6), guix-commits, 2023/10/01
- 09/13: tests: hurd-vm: Remove custom disk image configuration., guix-commits, 2023/10/01
- 05/13: services: guix: Use the right locale package on GNU/Hurd., guix-commits, 2023/10/01
- 01/13: system: vm: Remove unused variable., guix-commits, 2023/10/01
- 07/13: services: childhurd: Authorize the childhurd’s key on the host., guix-commits, 2023/10/01
- 10/13: services: hurd-vm: Disable password-based authentication for root.,
guix-commits <=
- 11/13: doc: Give an example showing how to add an account in the childhurd., guix-commits, 2023/10/01
- 02/13: secret-service: Increase default handshake timeout., guix-commits, 2023/10/01
- 08/13: services: hurd-vm: ‘image’ field has to be an <image> record., guix-commits, 2023/10/01
- 04/13: gnu: glibc-utf8-locales: Reintroduce input labels., guix-commits, 2023/10/01
- 06/13: services: guix: Support declarative offloading setup., guix-commits, 2023/10/01
- 03/13: services: hurd-vm: Use the default SSH port number., guix-commits, 2023/10/01
- 12/13: services: hurd-vm: Implement zero-configuration offloading., guix-commits, 2023/10/01
- 13/13: news: Add entry for declarative offloading., guix-commits, 2023/10/01