HCoop / jackhill / guix / guix.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
gnu: java-simple-xml: Fix java8 test failures.
[jackhill/guix/guix.git] / gnu / services / ssh.scm
CommitLineData
f33e2d78 1;;; GNU Guix --- Functional package management for GNU
3d3c5650 2;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org>
71b0601a 3;;; Copyright © 2016 David Craven <david@craven.ch>
86d8f6d3 4;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
e57bd0be 5;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
f33e2d78
LC		 6;;;
7;;; This file is part of GNU Guix.
8;;;
9;;; GNU Guix is free software; you can redistribute it and/or modify it
10;;; under the terms of the GNU General Public License as published by
11;;; the Free Software Foundation; either version 3 of the License, or (at
12;;; your option) any later version.
13;;;
14;;; GNU Guix is distributed in the hope that it will be useful, but
15;;; WITHOUT ANY WARRANTY; without even the implied warranty of
16;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17;;; GNU General Public License for more details.
18;;;
19;;; You should have received a copy of the GNU General Public License
20;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21
22(define-module (gnu services ssh)
71b0601a 23 #:use-module (gnu packages ssh)
86d8f6d3 24 #:use-module (gnu packages admin)
f33e2d78 25 #:use-module (gnu services)
0190c1c0 26 #:use-module (gnu services shepherd)
6e828634 27 #:use-module (gnu system pam)
86d8f6d3 28 #:use-module (gnu system shadow)
71b0601a
DC		 29 #:use-module (guix gexp)
30 #:use-module (guix records)
4892eb7c 31 #:use-module (guix modules)
1398a438 32 #:use-module (srfi srfi-1)
fde40c98 33 #:use-module (srfi srfi-26)
86d8f6d3 34 #:use-module (ice-9 match)
24e96431
 35 #:export (lsh-configuration
36 lsh-configuration?
37 lsh-service
38 lsh-service-type
71b0601a 39
86d8f6d3
JL		 40 openssh-configuration
41 openssh-configuration?
42 openssh-service-type
86d8f6d3 43
71b0601a
DC		 44 dropbear-configuration
45 dropbear-configuration?
46 dropbear-service-type
47 dropbear-service))
f33e2d78
LC		 48
49;;; Commentary:
50;;;
51;;; This module implements secure shell (SSH) services.
52;;;
53;;; Code:
54
0adfe95a
LC		 55(define-record-type* <lsh-configuration>
56 lsh-configuration make-lsh-configuration
57 lsh-configuration?
58 (lsh lsh-configuration-lsh
59 (default lsh))
60 (daemonic? lsh-configuration-daemonic?)
61 (host-key lsh-configuration-host-key)
62 (interfaces lsh-configuration-interfaces)
63 (port-number lsh-configuration-port-number)
64 (allow-empty-passwords? lsh-configuration-allow-empty-passwords?)
65 (root-login? lsh-configuration-root-login?)
66 (syslog-output? lsh-configuration-syslog-output?)
67 (pid-file? lsh-configuration-pid-file?)
68 (pid-file lsh-configuration-pid-file)
69 (x11-forwarding? lsh-configuration-x11-forwarding?)
70 (tcp/ip-forwarding? lsh-configuration-tcp/ip-forwarding?)
71 (password-authentication? lsh-configuration-password-authentication?)
72 (public-key-authentication? lsh-configuration-public-key-authentication?)
73 (initialize? lsh-configuration-initialize?))
74
f33e2d78
LC		 75(define %yarrow-seed
76 "/var/spool/lsh/yarrow-seed-file")
77
0adfe95a
LC		 78(define (lsh-initialization lsh host-key)
79 "Return the gexp to initialize the LSH service for HOST-KEY."
f33e2d78
LC		 80 #~(begin
81 (unless (file-exists? #$%yarrow-seed)
82 (system* (string-append #$lsh "/bin/lsh-make-seed")
83 "--sloppy" "-o" #$%yarrow-seed))
84
85 (unless (file-exists? #$host-key)
86 (mkdir-p (dirname #$host-key))
87 (format #t "creating SSH host key '~a'...~%" #$host-key)
88
89 ;; FIXME: We're just doing a simple pipeline, but 'system' cannot be
90 ;; used yet because /bin/sh might be dangling; factorize this somehow.
91 (let* ((in+out (pipe))
92 (keygen (primitive-fork)))
93 (case keygen
94 ((0)
95 (close-port (car in+out))
96 (close-fdes 1)
97 (dup2 (fileno (cdr in+out)) 1)
98 (execl (string-append #$lsh "/bin/lsh-keygen")
99 "lsh-keygen" "--server"))
100 (else
101 (let ((write-key (primitive-fork)))
102 (case write-key
103 ((0)
104 (close-port (cdr in+out))
105 (close-fdes 0)
106 (dup2 (fileno (car in+out)) 0)
107 (execl (string-append #$lsh "/bin/lsh-writekey")
108 "lsh-writekey" "--server" "-o" #$host-key))
109 (else
110 (close-port (car in+out))
111 (close-port (cdr in+out))
112 (waitpid keygen)
113 (waitpid write-key))))))))))
114
0adfe95a
LC		 115(define (lsh-activation config)
116 "Return the activation gexp for CONFIG."
117 #~(begin
118 (use-modules (guix build utils))
119 (mkdir-p "/var/spool/lsh")
120 #$(if (lsh-configuration-initialize? config)
121 (lsh-initialization (lsh-configuration-lsh config)
122 (lsh-configuration-host-key config))
123 #t)))
124
d4053c71
AK		 125(define (lsh-shepherd-service config)
126 "Return a <shepherd-service> for lsh with CONFIG."
0adfe95a
LC		 127 (define lsh (lsh-configuration-lsh config))
128 (define pid-file (lsh-configuration-pid-file config))
129 (define pid-file? (lsh-configuration-pid-file? config))
130 (define daemonic? (lsh-configuration-daemonic? config))
131 (define interfaces (lsh-configuration-interfaces config))
132
133 (define lsh-command
134 (append
9e41130b 135 (cons (file-append lsh "/sbin/lshd")
0adfe95a
LC		 136 (if daemonic?
137 (let ((syslog (if (lsh-configuration-syslog-output? config)
138 '()
139 (list "--no-syslog"))))
140 (cons "--daemonic"
141 (if pid-file?
142 (cons #~(string-append "--pid-file=" #$pid-file)
143 syslog)
144 (cons "--no-pid-file" syslog))))
145 (if pid-file?
146 (list #~(string-append "--pid-file=" #$pid-file))
147 '())))
148 (cons* #~(string-append "--host-key="
149 #$(lsh-configuration-host-key config))
150 #~(string-append "--password-helper=" #$lsh "/sbin/lsh-pam-checkpw")
151 #~(string-append "--subsystems=sftp=" #$lsh "/sbin/sftp-server")
152 "-p" (number->string (lsh-configuration-port-number config))
153 (if (lsh-configuration-password-authentication? config)
154 "--password" "--no-password")
155 (if (lsh-configuration-public-key-authentication? config)
156 "--publickey" "--no-publickey")
157 (if (lsh-configuration-root-login? config)
158 "--root-login" "--no-root-login")
159 (if (lsh-configuration-x11-forwarding? config)
160 "--x11-forward" "--no-x11-forward")
161 (if (lsh-configuration-tcp/ip-forwarding? config)
162 "--tcpip-forward" "--no-tcpip-forward")
163 (if (null? interfaces)
164 '()
fde40c98
LC		 165 (map (cut string-append "--interface=" <>)
166 interfaces)))))
0adfe95a
LC		 167
168 (define requires
169 (if (and daemonic? (lsh-configuration-syslog-output? config))
170 '(networking syslogd)
171 '(networking)))
172
d4053c71 173 (list (shepherd-service
0adfe95a
LC		 174 (documentation "GNU lsh SSH server")
175 (provision '(ssh-daemon))
176 (requirement requires)
177 (start #~(make-forkexec-constructor (list #$@lsh-command)))
178 (stop #~(make-kill-destructor)))))
179
180(define (lsh-pam-services config)
181 "Return a list of <pam-services> for lshd with CONFIG."
182 (list (unix-pam-service
183 "lshd"
184 #:allow-empty-passwords?
185 (lsh-configuration-allow-empty-passwords? config))))
186
187(define lsh-service-type
188 (service-type (name 'lsh)
21b71b01
LC		 189 (description
190 "Run the GNU@tie{}lsh secure shell (SSH) daemon,
191@command{lshd}.")
0adfe95a 192 (extensions
d4053c71
AK		 193 (list (service-extension shepherd-root-service-type
194 lsh-shepherd-service)
0adfe95a
LC		 195 (service-extension pam-root-service-type
196 lsh-pam-services)
197 (service-extension activation-service-type
198 lsh-activation)))))
199
f33e2d78
LC		 200(define* (lsh-service #:key
201 (lsh lsh)
5833bf33 202 (daemonic? #t)
f33e2d78
LC		 203 (host-key "/etc/lsh/host-key")
204 (interfaces '())
205 (port-number 22)
206 (allow-empty-passwords? #f)
207 (root-login? #f)
208 (syslog-output? #t)
5833bf33
DP		 209 (pid-file? #f)
210 (pid-file "/var/run/lshd.pid")
f33e2d78
LC		 211 (x11-forwarding? #t)
212 (tcp/ip-forwarding? #t)
213 (password-authentication? #t)
214 (public-key-authentication? #t)
21cc905a 215 (initialize? #t))
f33e2d78
LC		 216 "Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}.
217@var{host-key} must designate a file containing the host key, and readable
218only by root.
219
5833bf33
DP		 220When @var{daemonic?} is true, @command{lshd} will detach from the
221controlling terminal and log its output to syslogd, unless one sets
222@var{syslog-output?} to false. Obviously, it also makes lsh-service
223depend on existence of syslogd service. When @var{pid-file?} is true,
224@command{lshd} writes its PID to the file called @var{pid-file}.
225
f33e2d78
LC		 226When @var{initialize?} is true, automatically create the seed and host key
227upon service activation if they do not exist yet. This may take long and
228require interaction.
229
20dd519c
LC		 230When @var{initialize?} is false, it is up to the user to initialize the
231randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create
232a key pair with the private key stored in file @var{host-key} (@pxref{lshd
233basics,,, lsh, LSH Manual}).
234
f33e2d78
LC		 235When @var{interfaces} is empty, lshd listens for connections on all the
236network interfaces; otherwise, @var{interfaces} must be a list of host names
237or addresses.
238
20dd519c
LC		 239@var{allow-empty-passwords?} specifies whether to accept log-ins with empty
240passwords, and @var{root-login?} specifies whether to accept log-ins as
f33e2d78
LC		 241root.
242
243The other options should be self-descriptive."
0adfe95a
LC		 244 (service lsh-service-type
245 (lsh-configuration (lsh lsh) (daemonic? daemonic?)
246 (host-key host-key) (interfaces interfaces)
247 (port-number port-number)
248 (allow-empty-passwords? allow-empty-passwords?)
249 (root-login? root-login?)
250 (syslog-output? syslog-output?)
251 (pid-file? pid-file?) (pid-file pid-file)
252 (x11-forwarding? x11-forwarding?)
253 (tcp/ip-forwarding? tcp/ip-forwarding?)
254 (password-authentication?
255 password-authentication?)
256 (public-key-authentication?
257 public-key-authentication?)
258 (initialize? initialize?))))
f33e2d78 259
71b0601a 260\f
86d8f6d3
JL		 261;;;
262;;; OpenSSH.
263;;;
264
265(define-record-type* <openssh-configuration>
266 openssh-configuration make-openssh-configuration
267 openssh-configuration?
4ca3e9b7
CL		 268 ;; <package>
269 (openssh openssh-configuration-openssh
23f22ba8 270 (default openssh))
4ca3e9b7 271 ;; string
d8f31281
LC		 272 (pid-file openssh-configuration-pid-file
273 (default "/var/run/sshd.pid"))
4ca3e9b7
CL		 274 ;; integer
275 (port-number openssh-configuration-port-number
d8f31281 276 (default 22))
4ca3e9b7
CL		 277 ;; Boolean | 'without-password
278 (permit-root-login openssh-configuration-permit-root-login
d8f31281 279 (default #f))
4ca3e9b7
CL		 280 ;; Boolean
281 (allow-empty-passwords? openssh-configuration-allow-empty-passwords?
d8f31281 282 (default #f))
4ca3e9b7
CL		 283 ;; Boolean
284 (password-authentication? openssh-configuration-password-authentication?
d8f31281 285 (default #t))
4ca3e9b7 286 ;; Boolean
d8f31281 287 (public-key-authentication? openssh-configuration-public-key-authentication?
4ca3e9b7
CL		 288 (default #t))
289 ;; Boolean
290 (x11-forwarding? openssh-configuration-x11-forwarding?
d8f31281 291 (default #f))
4ca3e9b7 292 ;; Boolean
563c5d42 293 (challenge-response-authentication? openssh-challenge-response-authentication?
4ca3e9b7
CL		 294 (default #f))
295 ;; Boolean
563c5d42 296 (use-pam? openssh-configuration-use-pam?
4ca3e9b7
CL		 297 (default #t))
298 ;; Boolean
f895dce4 299 (print-last-log? openssh-configuration-print-last-log?
12723370
CL		 300 (default #t))
301 ;; list of two-element lists
302 (subsystems openssh-configuration-subsystems
4892eb7c
LC		 303 (default '(("sftp" "internal-sftp"))))
304
305 ;; list of user-name/file-like tuples
306 (authorized-keys openssh-authorized-keys
aab322d9
LC		 307 (default '()))
308
309 ;; Boolean
310 ;; XXX: This should really be handled in an orthogonal way, for instance as
311 ;; proposed in <https://bugs.gnu.org/27155>. Keep it internal/undocumented
312 ;; for now.
313 (%auto-start? openssh-auto-start?
314 (default #t)))
86d8f6d3
JL		 315
316(define %openssh-accounts
317 (list (user-group (name "sshd") (system? #t))
318 (user-account
319 (name "sshd")
320 (group "sshd")
321 (system? #t)
322 (comment "sshd privilege separation user")
323 (home-directory "/var/run/sshd")
324 (shell #~(string-append #$shadow "/sbin/nologin")))))
325
326(define (openssh-activation config)
327 "Return the activation GEXP for CONFIG."
4892eb7c
LC		 328 (with-imported-modules '((guix build utils))
329 #~(begin
330 (use-modules (guix build utils))
331
332 (define (touch file-name)
333 (call-with-output-file file-name (const #t)))
334
335 ;; Make sure /etc/ssh can be read by the 'sshd' user.
336 (mkdir-p "/etc/ssh")
337 (chmod "/etc/ssh" #o755)
338 (mkdir-p (dirname #$(openssh-configuration-pid-file config)))
339
340 ;; 'sshd' complains if the authorized-key directory and its parents
341 ;; are group-writable, which rules out /gnu/store. Thus we copy the
342 ;; authorized-key directory to /etc.
343 (catch 'system-error
344 (lambda ()
345 (delete-file-recursively "/etc/authorized_keys.d"))
346 (lambda args
347 (unless (= ENOENT (system-error-errno args))
348 (apply throw args))))
349 (copy-recursively #$(authorized-key-directory
350 (openssh-authorized-keys config))
351 "/etc/ssh/authorized_keys.d")
352
353 (chmod "/etc/ssh/authorized_keys.d" #o555)
354
355 (let ((lastlog "/var/log/lastlog"))
356 (when #$(openssh-configuration-print-last-log? config)
357 (unless (file-exists? lastlog)
358 (touch lastlog))))
359
360 ;; Generate missing host keys.
361 (system* (string-append #$(openssh-configuration-openssh config)
362 "/bin/ssh-keygen") "-A"))))
363
364(define (authorized-key-directory keys)
365 "Return a directory containing the authorized keys specified in KEYS, a list
366of user-name/file-like tuples."
367 (define build
368 (with-imported-modules (source-module-closure '((guix build utils)))
369 #~(begin
370 (use-modules (ice-9 match) (srfi srfi-26)
371 (guix build utils))
372
373 (mkdir #$output)
374 (for-each (match-lambda
375 ((user keys ...)
376 (let ((file (string-append #$output "/" user)))
377 (call-with-output-file file
378 (lambda (port)
379 (for-each (lambda (key)
380 (call-with-input-file key
381 (cut dump-port <> port)))
382 keys))))))
383 '#$keys))))
384
385 (computed-file "openssh-authorized-keys" build))
86d8f6d3
JL		 386
387(define (openssh-config-file config)
388 "Return the sshd configuration file corresponding to CONFIG."
389 (computed-file
390 "sshd_config"
12723370
CL		 391 #~(begin
392 (use-modules (ice-9 match))
393 (call-with-output-file #$output
394 (lambda (port)
395 (display "# Generated by 'openssh-service'.\n" port)
396 (format port "Port ~a\n"
397 #$(number->string
398 (openssh-configuration-port-number config)))
399 (format port "PermitRootLogin ~a\n"
400 #$(match (openssh-configuration-permit-root-login config)
401 (#t "yes")
402 (#f "no")
403 ('without-password "without-password")))
404 (format port "PermitEmptyPasswords ~a\n"
405 #$(if (openssh-configuration-allow-empty-passwords? config)
406 "yes" "no"))
407 (format port "PasswordAuthentication ~a\n"
408 #$(if (openssh-configuration-password-authentication? config)
409 "yes" "no"))
410 (format port "PubkeyAuthentication ~a\n"
411 #$(if (openssh-configuration-public-key-authentication?
412 config)
413 "yes" "no"))
414 (format port "X11Forwarding ~a\n"
415 #$(if (openssh-configuration-x11-forwarding? config)
416 "yes" "no"))
417 (format port "PidFile ~a\n"
418 #$(openssh-configuration-pid-file config))
419 (format port "ChallengeResponseAuthentication ~a\n"
420 #$(if (openssh-challenge-response-authentication? config)
421 "yes" "no"))
422 (format port "UsePAM ~a\n"
423 #$(if (openssh-configuration-use-pam? config)
424 "yes" "no"))
425 (format port "PrintLastLog ~a\n"
426 #$(if (openssh-configuration-print-last-log? config)
427 "yes" "no"))
4892eb7c
LC		 428
429 ;; Add '/etc/authorized_keys.d/%u', which we populate.
430 (format port "AuthorizedKeysFile \
431 .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n")
432
12723370
CL		 433 (for-each
434 (match-lambda
435 ((name command) (format port "Subsystem\t~a\t~a\n" name command)))
436 '#$(openssh-configuration-subsystems config))
437 #t)))))
86d8f6d3
JL		 438
439(define (openssh-shepherd-service config)
440 "Return a <shepherd-service> for openssh with CONFIG."
441
442 (define pid-file
443 (openssh-configuration-pid-file config))
444
445 (define openssh-command
23f22ba8 446 #~(list (string-append #$(openssh-configuration-openssh config) "/sbin/sshd")
86d8f6d3
JL		 447 "-D" "-f" #$(openssh-config-file config)))
448
449 (list (shepherd-service
450 (documentation "OpenSSH server.")
07bf68ed 451 (requirement '(syslogd))
86d8f6d3
JL		 452 (provision '(ssh-daemon))
453 (start #~(make-forkexec-constructor #$openssh-command
454 #:pid-file #$pid-file))
aab322d9
LC		 455 (stop #~(make-kill-destructor))
456 (auto-start? (openssh-auto-start? config)))))
86d8f6d3 457
563c5d42
CL		 458(define (openssh-pam-services config)
459 "Return a list of <pam-services> for sshd with CONFIG."
460 (list (unix-pam-service
461 "sshd"
462 #:allow-empty-passwords?
463 (openssh-configuration-allow-empty-passwords? config))))
464
1398a438
LC		 465(define (extend-openssh-authorized-keys config keys)
466 "Extend CONFIG with the extra authorized keys listed in KEYS."
467 (openssh-configuration
468 (inherit config)
469 (authorized-keys
470 (append (openssh-authorized-keys config) keys))))
471
86d8f6d3
JL		 472(define openssh-service-type
473 (service-type (name 'openssh)
21b71b01
LC		 474 (description
475 "Run the OpenSSH secure shell (SSH) server, @command{sshd}.")
86d8f6d3
JL		 476 (extensions
477 (list (service-extension shepherd-root-service-type
478 openssh-shepherd-service)
563c5d42
CL		 479 (service-extension pam-root-service-type
480 openssh-pam-services)
86d8f6d3
JL		 481 (service-extension activation-service-type
482 openssh-activation)
483 (service-extension account-service-type
3d3c5650 484 (const %openssh-accounts))))
1398a438
LC		 485 (compose concatenate)
486 (extend extend-openssh-authorized-keys)
3d3c5650 487 (default-value (openssh-configuration))))
86d8f6d3 488
86d8f6d3 489\f
71b0601a
DC		 490;;;
491;;; Dropbear.
492;;;
493
494(define-record-type* <dropbear-configuration>
495 dropbear-configuration make-dropbear-configuration
496 dropbear-configuration?
497 (dropbear dropbear-configuration-dropbear
498 (default dropbear))
499 (port-number dropbear-configuration-port-number
500 (default 22))
501 (syslog-output? dropbear-configuration-syslog-output?
502 (default #t))
503 (pid-file dropbear-configuration-pid-file
504 (default "/var/run/dropbear.pid"))
505 (root-login? dropbear-configuration-root-login?
506 (default #f))
507 (allow-empty-passwords? dropbear-configuration-allow-empty-passwords?
508 (default #f))
509 (password-authentication? dropbear-configuration-password-authentication?
510 (default #t)))
511
512(define (dropbear-activation config)
513 "Return the activation gexp for CONFIG."
514 #~(begin
e57bd0be 515 (use-modules (guix build utils))
71b0601a
DC		 516 (mkdir-p "/etc/dropbear")))
517
518(define (dropbear-shepherd-service config)
519 "Return a <shepherd-service> for dropbear with CONFIG."
520 (define dropbear
521 (dropbear-configuration-dropbear config))
522
523 (define pid-file
524 (dropbear-configuration-pid-file config))
525
526 (define dropbear-command
527 #~(list (string-append #$dropbear "/sbin/dropbear")
528
529 ;; '-R' allows host keys to be automatically generated upon first
530 ;; connection, at a time when /dev/urandom is more likely securely
531 ;; seeded.
532 "-F" "-R"
533
534 "-p" #$(number->string (dropbear-configuration-port-number config))
535 "-P" #$pid-file
536 #$@(if (dropbear-configuration-syslog-output? config) '() '("-E"))
537 #$@(if (dropbear-configuration-root-login? config) '() '("-w"))
538 #$@(if (dropbear-configuration-password-authentication? config)
539 '()
540 '("-s" "-g"))
541 #$@(if (dropbear-configuration-allow-empty-passwords? config)
542 '("-B")
543 '())))
544
545 (define requires
546 (if (dropbear-configuration-syslog-output? config)
547 '(networking syslogd) '(networking)))
548
549 (list (shepherd-service
550 (documentation "Dropbear SSH server.")
551 (requirement requires)
552 (provision '(ssh-daemon))
553 (start #~(make-forkexec-constructor #$dropbear-command
554 #:pid-file #$pid-file))
555 (stop #~(make-kill-destructor)))))
556
557(define dropbear-service-type
558 (service-type (name 'dropbear)
21b71b01
LC		 559 (description
560 "Run the Dropbear secure shell (SSH) server.")
71b0601a
DC		 561 (extensions
562 (list (service-extension shepherd-root-service-type
563 dropbear-shepherd-service)
564 (service-extension activation-service-type
565 dropbear-activation)))))
566
567(define* (dropbear-service #:optional (config (dropbear-configuration)))
568 "Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH
569daemon} with the given @var{config}, a @code{<dropbear-configuration>}
570object."
571 (service dropbear-service-type config))
572
f33e2d78 573;;; ssh.scm ends here
jackhill's copy of GNU Guix: https://guix.gnu.org/