guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

10/13: services: hurd-vm: Disable password-based authentication for root


From: guix-commits
Subject: 10/13: services: hurd-vm: Disable password-based authentication for root.
Date: Sun, 1 Oct 2023 17:02:33 -0400 (EDT)

civodul pushed a commit to branch master
in repository guix.

commit c3a19cc2ac7ddc821d7fc56455f68546b087be47
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Thu Sep 21 18:01:17 2023 +0200

    services: hurd-vm: Disable password-based authentication for root.
    
    With offloading to a childhurd is enabled, allowing password-less root
    login in the childhurd to anyone amounts to providing write access to
    the host’s store to anyone.  Thus, disable password-based root logins in
    the childhurd.
    
    * gnu/services/virtualization.scm (%hurd-vm-operating-system): Change
    ‘permit-root-login’ to 'prohibit-password.
    * gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’
    field for ‘hurd-vm-configuration’.
    * doc/guix.texi (Virtualization Services): Remove mention of
    password-less root login.
---
 doc/guix.texi                   |  5 -----
 gnu/services/virtualization.scm |  2 +-
 gnu/tests/virtualization.scm    | 15 ++++++++++++++-
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 1869b59ef6..04d2ad0a69 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -35722,11 +35722,6 @@ guix shell tigervnc-client -- vncviewer localhost:5900
 The default configuration (see @code{hurd-vm-configuration} below)
 spawns a secure shell (SSH) server in your GNU/Hurd system, which QEMU
 (the virtual machine emulator) redirects to port 10222 on the host.
-Thus, you can connect over SSH to the childhurd with:
-
-@example
-ssh root@@localhost -p 10022
-@end example
 
 The childhurd is volatile and stateless: it starts with a fresh root
 file system every time you restart it.  By default though, all the files
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 258b503461..930c2ce702 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1080,7 +1080,7 @@ that will be listening to receive secret keys on port 
1004, TCP."
                         (openssh-configuration
                          (openssh openssh-sans-x)
                          (use-pam? #f)
-                         (permit-root-login #t)
+                         (permit-root-login 'prohibit-password)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
 
diff --git a/gnu/tests/virtualization.scm b/gnu/tests/virtualization.scm
index 9e7928703e..599e58edf0 100644
--- a/gnu/tests/virtualization.scm
+++ b/gnu/tests/virtualization.scm
@@ -31,6 +31,7 @@
   #:use-module (gnu services)
   #:use-module (gnu services dbus)
   #:use-module (gnu services networking)
+  #:use-module (gnu services ssh)
   #:use-module (gnu services virtualization)
   #:use-module (gnu packages ssh)
   #:use-module (gnu packages virtualization)
@@ -228,7 +229,19 @@
 (define %childhurd-os
   (simple-operating-system
    (service dhcp-client-service-type)
-   (service hurd-vm-service-type)))
+   (service hurd-vm-service-type
+            (hurd-vm-configuration
+             ;; Allow root login with an empty password to simplify the test
+             ;; below.
+             (os (operating-system
+                   (inherit %hurd-vm-operating-system)
+                   (services
+                    (modify-services (operating-system-user-services
+                                      %hurd-vm-operating-system)
+                      (openssh-service-type
+                       config => (openssh-configuration
+                                  (inherit config)
+                                  (permit-root-login #t)))))))))))
 
 (define (run-childhurd-test)
   (define os



reply via email to

[Prev in Thread] Current Thread [Next in Thread]