Commit | Line | Data |
---|---|---|
f33e2d78 | 1 | ;;; GNU Guix --- Functional package management for GNU |
3d3c5650 | 2 | ;;; Copyright © 2014, 2015, 2016, 2017 Ludovic Courtès <ludo@gnu.org> |
71b0601a | 3 | ;;; Copyright © 2016 David Craven <david@craven.ch> |
86d8f6d3 | 4 | ;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu> |
e57bd0be | 5 | ;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org> |
f33e2d78 LC |
6 | ;;; |
7 | ;;; This file is part of GNU Guix. | |
8 | ;;; | |
9 | ;;; GNU Guix is free software; you can redistribute it and/or modify it | |
10 | ;;; under the terms of the GNU General Public License as published by | |
11 | ;;; the Free Software Foundation; either version 3 of the License, or (at | |
12 | ;;; your option) any later version. | |
13 | ;;; | |
14 | ;;; GNU Guix is distributed in the hope that it will be useful, but | |
15 | ;;; WITHOUT ANY WARRANTY; without even the implied warranty of | |
16 | ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
17 | ;;; GNU General Public License for more details. | |
18 | ;;; | |
19 | ;;; You should have received a copy of the GNU General Public License | |
20 | ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>. | |
21 | ||
22 | (define-module (gnu services ssh) | |
71b0601a | 23 | #:use-module (gnu packages ssh) |
86d8f6d3 | 24 | #:use-module (gnu packages admin) |
f33e2d78 | 25 | #:use-module (gnu services) |
0190c1c0 | 26 | #:use-module (gnu services shepherd) |
6e828634 | 27 | #:use-module (gnu system pam) |
86d8f6d3 | 28 | #:use-module (gnu system shadow) |
71b0601a DC |
29 | #:use-module (guix gexp) |
30 | #:use-module (guix records) | |
4892eb7c | 31 | #:use-module (guix modules) |
1398a438 | 32 | #:use-module (srfi srfi-1) |
fde40c98 | 33 | #:use-module (srfi srfi-26) |
86d8f6d3 | 34 | #:use-module (ice-9 match) |
24e96431 TČ |
35 | #:export (lsh-configuration |
36 | lsh-configuration? | |
37 | lsh-service | |
38 | lsh-service-type | |
71b0601a | 39 | |
86d8f6d3 JL |
40 | openssh-configuration |
41 | openssh-configuration? | |
42 | openssh-service-type | |
86d8f6d3 | 43 | |
71b0601a DC |
44 | dropbear-configuration |
45 | dropbear-configuration? | |
46 | dropbear-service-type | |
47 | dropbear-service)) | |
f33e2d78 LC |
48 | |
49 | ;;; Commentary: | |
50 | ;;; | |
51 | ;;; This module implements secure shell (SSH) services. | |
52 | ;;; | |
53 | ;;; Code: | |
54 | ||
0adfe95a LC |
55 | (define-record-type* <lsh-configuration> |
56 | lsh-configuration make-lsh-configuration | |
57 | lsh-configuration? | |
58 | (lsh lsh-configuration-lsh | |
59 | (default lsh)) | |
60 | (daemonic? lsh-configuration-daemonic?) | |
61 | (host-key lsh-configuration-host-key) | |
62 | (interfaces lsh-configuration-interfaces) | |
63 | (port-number lsh-configuration-port-number) | |
64 | (allow-empty-passwords? lsh-configuration-allow-empty-passwords?) | |
65 | (root-login? lsh-configuration-root-login?) | |
66 | (syslog-output? lsh-configuration-syslog-output?) | |
67 | (pid-file? lsh-configuration-pid-file?) | |
68 | (pid-file lsh-configuration-pid-file) | |
69 | (x11-forwarding? lsh-configuration-x11-forwarding?) | |
70 | (tcp/ip-forwarding? lsh-configuration-tcp/ip-forwarding?) | |
71 | (password-authentication? lsh-configuration-password-authentication?) | |
72 | (public-key-authentication? lsh-configuration-public-key-authentication?) | |
73 | (initialize? lsh-configuration-initialize?)) | |
74 | ||
f33e2d78 LC |
75 | (define %yarrow-seed |
76 | "/var/spool/lsh/yarrow-seed-file") | |
77 | ||
0adfe95a LC |
78 | (define (lsh-initialization lsh host-key) |
79 | "Return the gexp to initialize the LSH service for HOST-KEY." | |
f33e2d78 LC |
80 | #~(begin |
81 | (unless (file-exists? #$%yarrow-seed) | |
82 | (system* (string-append #$lsh "/bin/lsh-make-seed") | |
83 | "--sloppy" "-o" #$%yarrow-seed)) | |
84 | ||
85 | (unless (file-exists? #$host-key) | |
86 | (mkdir-p (dirname #$host-key)) | |
87 | (format #t "creating SSH host key '~a'...~%" #$host-key) | |
88 | ||
89 | ;; FIXME: We're just doing a simple pipeline, but 'system' cannot be | |
90 | ;; used yet because /bin/sh might be dangling; factorize this somehow. | |
91 | (let* ((in+out (pipe)) | |
92 | (keygen (primitive-fork))) | |
93 | (case keygen | |
94 | ((0) | |
95 | (close-port (car in+out)) | |
96 | (close-fdes 1) | |
97 | (dup2 (fileno (cdr in+out)) 1) | |
98 | (execl (string-append #$lsh "/bin/lsh-keygen") | |
99 | "lsh-keygen" "--server")) | |
100 | (else | |
101 | (let ((write-key (primitive-fork))) | |
102 | (case write-key | |
103 | ((0) | |
104 | (close-port (cdr in+out)) | |
105 | (close-fdes 0) | |
106 | (dup2 (fileno (car in+out)) 0) | |
107 | (execl (string-append #$lsh "/bin/lsh-writekey") | |
108 | "lsh-writekey" "--server" "-o" #$host-key)) | |
109 | (else | |
110 | (close-port (car in+out)) | |
111 | (close-port (cdr in+out)) | |
112 | (waitpid keygen) | |
113 | (waitpid write-key)))))))))) | |
114 | ||
0adfe95a LC |
115 | (define (lsh-activation config) |
116 | "Return the activation gexp for CONFIG." | |
117 | #~(begin | |
118 | (use-modules (guix build utils)) | |
119 | (mkdir-p "/var/spool/lsh") | |
120 | #$(if (lsh-configuration-initialize? config) | |
121 | (lsh-initialization (lsh-configuration-lsh config) | |
122 | (lsh-configuration-host-key config)) | |
123 | #t))) | |
124 | ||
d4053c71 AK |
125 | (define (lsh-shepherd-service config) |
126 | "Return a <shepherd-service> for lsh with CONFIG." | |
0adfe95a LC |
127 | (define lsh (lsh-configuration-lsh config)) |
128 | (define pid-file (lsh-configuration-pid-file config)) | |
129 | (define pid-file? (lsh-configuration-pid-file? config)) | |
130 | (define daemonic? (lsh-configuration-daemonic? config)) | |
131 | (define interfaces (lsh-configuration-interfaces config)) | |
132 | ||
133 | (define lsh-command | |
134 | (append | |
9e41130b | 135 | (cons (file-append lsh "/sbin/lshd") |
0adfe95a LC |
136 | (if daemonic? |
137 | (let ((syslog (if (lsh-configuration-syslog-output? config) | |
138 | '() | |
139 | (list "--no-syslog")))) | |
140 | (cons "--daemonic" | |
141 | (if pid-file? | |
142 | (cons #~(string-append "--pid-file=" #$pid-file) | |
143 | syslog) | |
144 | (cons "--no-pid-file" syslog)))) | |
145 | (if pid-file? | |
146 | (list #~(string-append "--pid-file=" #$pid-file)) | |
147 | '()))) | |
148 | (cons* #~(string-append "--host-key=" | |
149 | #$(lsh-configuration-host-key config)) | |
150 | #~(string-append "--password-helper=" #$lsh "/sbin/lsh-pam-checkpw") | |
151 | #~(string-append "--subsystems=sftp=" #$lsh "/sbin/sftp-server") | |
152 | "-p" (number->string (lsh-configuration-port-number config)) | |
153 | (if (lsh-configuration-password-authentication? config) | |
154 | "--password" "--no-password") | |
155 | (if (lsh-configuration-public-key-authentication? config) | |
156 | "--publickey" "--no-publickey") | |
157 | (if (lsh-configuration-root-login? config) | |
158 | "--root-login" "--no-root-login") | |
159 | (if (lsh-configuration-x11-forwarding? config) | |
160 | "--x11-forward" "--no-x11-forward") | |
161 | (if (lsh-configuration-tcp/ip-forwarding? config) | |
162 | "--tcpip-forward" "--no-tcpip-forward") | |
163 | (if (null? interfaces) | |
164 | '() | |
fde40c98 LC |
165 | (map (cut string-append "--interface=" <>) |
166 | interfaces))))) | |
0adfe95a LC |
167 | |
168 | (define requires | |
169 | (if (and daemonic? (lsh-configuration-syslog-output? config)) | |
170 | '(networking syslogd) | |
171 | '(networking))) | |
172 | ||
d4053c71 | 173 | (list (shepherd-service |
0adfe95a LC |
174 | (documentation "GNU lsh SSH server") |
175 | (provision '(ssh-daemon)) | |
176 | (requirement requires) | |
177 | (start #~(make-forkexec-constructor (list #$@lsh-command))) | |
178 | (stop #~(make-kill-destructor))))) | |
179 | ||
180 | (define (lsh-pam-services config) | |
181 | "Return a list of <pam-services> for lshd with CONFIG." | |
182 | (list (unix-pam-service | |
183 | "lshd" | |
184 | #:allow-empty-passwords? | |
185 | (lsh-configuration-allow-empty-passwords? config)))) | |
186 | ||
187 | (define lsh-service-type | |
188 | (service-type (name 'lsh) | |
21b71b01 LC |
189 | (description |
190 | "Run the GNU@tie{}lsh secure shell (SSH) daemon, | |
191 | @command{lshd}.") | |
0adfe95a | 192 | (extensions |
d4053c71 AK |
193 | (list (service-extension shepherd-root-service-type |
194 | lsh-shepherd-service) | |
0adfe95a LC |
195 | (service-extension pam-root-service-type |
196 | lsh-pam-services) | |
197 | (service-extension activation-service-type | |
198 | lsh-activation))))) | |
199 | ||
f33e2d78 LC |
200 | (define* (lsh-service #:key |
201 | (lsh lsh) | |
5833bf33 | 202 | (daemonic? #t) |
f33e2d78 LC |
203 | (host-key "/etc/lsh/host-key") |
204 | (interfaces '()) | |
205 | (port-number 22) | |
206 | (allow-empty-passwords? #f) | |
207 | (root-login? #f) | |
208 | (syslog-output? #t) | |
5833bf33 DP |
209 | (pid-file? #f) |
210 | (pid-file "/var/run/lshd.pid") | |
f33e2d78 LC |
211 | (x11-forwarding? #t) |
212 | (tcp/ip-forwarding? #t) | |
213 | (password-authentication? #t) | |
214 | (public-key-authentication? #t) | |
21cc905a | 215 | (initialize? #t)) |
f33e2d78 LC |
216 | "Run the @command{lshd} program from @var{lsh} to listen on port @var{port-number}. |
217 | @var{host-key} must designate a file containing the host key, and readable | |
218 | only by root. | |
219 | ||
5833bf33 DP |
220 | When @var{daemonic?} is true, @command{lshd} will detach from the |
221 | controlling terminal and log its output to syslogd, unless one sets | |
222 | @var{syslog-output?} to false. Obviously, it also makes lsh-service | |
223 | depend on existence of syslogd service. When @var{pid-file?} is true, | |
224 | @command{lshd} writes its PID to the file called @var{pid-file}. | |
225 | ||
f33e2d78 LC |
226 | When @var{initialize?} is true, automatically create the seed and host key |
227 | upon service activation if they do not exist yet. This may take long and | |
228 | require interaction. | |
229 | ||
20dd519c LC |
230 | When @var{initialize?} is false, it is up to the user to initialize the |
231 | randomness generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create | |
232 | a key pair with the private key stored in file @var{host-key} (@pxref{lshd | |
233 | basics,,, lsh, LSH Manual}). | |
234 | ||
f33e2d78 LC |
235 | When @var{interfaces} is empty, lshd listens for connections on all the |
236 | network interfaces; otherwise, @var{interfaces} must be a list of host names | |
237 | or addresses. | |
238 | ||
20dd519c LC |
239 | @var{allow-empty-passwords?} specifies whether to accept log-ins with empty |
240 | passwords, and @var{root-login?} specifies whether to accept log-ins as | |
f33e2d78 LC |
241 | root. |
242 | ||
243 | The other options should be self-descriptive." | |
0adfe95a LC |
244 | (service lsh-service-type |
245 | (lsh-configuration (lsh lsh) (daemonic? daemonic?) | |
246 | (host-key host-key) (interfaces interfaces) | |
247 | (port-number port-number) | |
248 | (allow-empty-passwords? allow-empty-passwords?) | |
249 | (root-login? root-login?) | |
250 | (syslog-output? syslog-output?) | |
251 | (pid-file? pid-file?) (pid-file pid-file) | |
252 | (x11-forwarding? x11-forwarding?) | |
253 | (tcp/ip-forwarding? tcp/ip-forwarding?) | |
254 | (password-authentication? | |
255 | password-authentication?) | |
256 | (public-key-authentication? | |
257 | public-key-authentication?) | |
258 | (initialize? initialize?)))) | |
f33e2d78 | 259 | |
71b0601a | 260 | \f |
86d8f6d3 JL |
261 | ;;; |
262 | ;;; OpenSSH. | |
263 | ;;; | |
264 | ||
265 | (define-record-type* <openssh-configuration> | |
266 | openssh-configuration make-openssh-configuration | |
267 | openssh-configuration? | |
4ca3e9b7 CL |
268 | ;; <package> |
269 | (openssh openssh-configuration-openssh | |
23f22ba8 | 270 | (default openssh)) |
4ca3e9b7 | 271 | ;; string |
d8f31281 LC |
272 | (pid-file openssh-configuration-pid-file |
273 | (default "/var/run/sshd.pid")) | |
4ca3e9b7 CL |
274 | ;; integer |
275 | (port-number openssh-configuration-port-number | |
d8f31281 | 276 | (default 22)) |
4ca3e9b7 CL |
277 | ;; Boolean | 'without-password |
278 | (permit-root-login openssh-configuration-permit-root-login | |
d8f31281 | 279 | (default #f)) |
4ca3e9b7 CL |
280 | ;; Boolean |
281 | (allow-empty-passwords? openssh-configuration-allow-empty-passwords? | |
d8f31281 | 282 | (default #f)) |
4ca3e9b7 CL |
283 | ;; Boolean |
284 | (password-authentication? openssh-configuration-password-authentication? | |
d8f31281 | 285 | (default #t)) |
4ca3e9b7 | 286 | ;; Boolean |
d8f31281 | 287 | (public-key-authentication? openssh-configuration-public-key-authentication? |
4ca3e9b7 CL |
288 | (default #t)) |
289 | ;; Boolean | |
290 | (x11-forwarding? openssh-configuration-x11-forwarding? | |
d8f31281 | 291 | (default #f)) |
4ca3e9b7 | 292 | ;; Boolean |
563c5d42 | 293 | (challenge-response-authentication? openssh-challenge-response-authentication? |
4ca3e9b7 CL |
294 | (default #f)) |
295 | ;; Boolean | |
563c5d42 | 296 | (use-pam? openssh-configuration-use-pam? |
4ca3e9b7 CL |
297 | (default #t)) |
298 | ;; Boolean | |
f895dce4 | 299 | (print-last-log? openssh-configuration-print-last-log? |
12723370 CL |
300 | (default #t)) |
301 | ;; list of two-element lists | |
302 | (subsystems openssh-configuration-subsystems | |
4892eb7c LC |
303 | (default '(("sftp" "internal-sftp")))) |
304 | ||
305 | ;; list of user-name/file-like tuples | |
306 | (authorized-keys openssh-authorized-keys | |
aab322d9 LC |
307 | (default '())) |
308 | ||
309 | ;; Boolean | |
310 | ;; XXX: This should really be handled in an orthogonal way, for instance as | |
311 | ;; proposed in <https://bugs.gnu.org/27155>. Keep it internal/undocumented | |
312 | ;; for now. | |
313 | (%auto-start? openssh-auto-start? | |
314 | (default #t))) | |
86d8f6d3 JL |
315 | |
316 | (define %openssh-accounts | |
317 | (list (user-group (name "sshd") (system? #t)) | |
318 | (user-account | |
319 | (name "sshd") | |
320 | (group "sshd") | |
321 | (system? #t) | |
322 | (comment "sshd privilege separation user") | |
323 | (home-directory "/var/run/sshd") | |
324 | (shell #~(string-append #$shadow "/sbin/nologin"))))) | |
325 | ||
326 | (define (openssh-activation config) | |
327 | "Return the activation GEXP for CONFIG." | |
4892eb7c LC |
328 | (with-imported-modules '((guix build utils)) |
329 | #~(begin | |
330 | (use-modules (guix build utils)) | |
331 | ||
332 | (define (touch file-name) | |
333 | (call-with-output-file file-name (const #t))) | |
334 | ||
335 | ;; Make sure /etc/ssh can be read by the 'sshd' user. | |
336 | (mkdir-p "/etc/ssh") | |
337 | (chmod "/etc/ssh" #o755) | |
338 | (mkdir-p (dirname #$(openssh-configuration-pid-file config))) | |
339 | ||
340 | ;; 'sshd' complains if the authorized-key directory and its parents | |
341 | ;; are group-writable, which rules out /gnu/store. Thus we copy the | |
342 | ;; authorized-key directory to /etc. | |
343 | (catch 'system-error | |
344 | (lambda () | |
345 | (delete-file-recursively "/etc/authorized_keys.d")) | |
346 | (lambda args | |
347 | (unless (= ENOENT (system-error-errno args)) | |
348 | (apply throw args)))) | |
349 | (copy-recursively #$(authorized-key-directory | |
350 | (openssh-authorized-keys config)) | |
351 | "/etc/ssh/authorized_keys.d") | |
352 | ||
353 | (chmod "/etc/ssh/authorized_keys.d" #o555) | |
354 | ||
355 | (let ((lastlog "/var/log/lastlog")) | |
356 | (when #$(openssh-configuration-print-last-log? config) | |
357 | (unless (file-exists? lastlog) | |
358 | (touch lastlog)))) | |
359 | ||
360 | ;; Generate missing host keys. | |
361 | (system* (string-append #$(openssh-configuration-openssh config) | |
362 | "/bin/ssh-keygen") "-A")))) | |
363 | ||
364 | (define (authorized-key-directory keys) | |
365 | "Return a directory containing the authorized keys specified in KEYS, a list | |
366 | of user-name/file-like tuples." | |
367 | (define build | |
368 | (with-imported-modules (source-module-closure '((guix build utils))) | |
369 | #~(begin | |
370 | (use-modules (ice-9 match) (srfi srfi-26) | |
371 | (guix build utils)) | |
372 | ||
373 | (mkdir #$output) | |
374 | (for-each (match-lambda | |
375 | ((user keys ...) | |
376 | (let ((file (string-append #$output "/" user))) | |
377 | (call-with-output-file file | |
378 | (lambda (port) | |
379 | (for-each (lambda (key) | |
380 | (call-with-input-file key | |
381 | (cut dump-port <> port))) | |
382 | keys)))))) | |
383 | '#$keys)))) | |
384 | ||
385 | (computed-file "openssh-authorized-keys" build)) | |
86d8f6d3 JL |
386 | |
387 | (define (openssh-config-file config) | |
388 | "Return the sshd configuration file corresponding to CONFIG." | |
389 | (computed-file | |
390 | "sshd_config" | |
12723370 CL |
391 | #~(begin |
392 | (use-modules (ice-9 match)) | |
393 | (call-with-output-file #$output | |
394 | (lambda (port) | |
395 | (display "# Generated by 'openssh-service'.\n" port) | |
396 | (format port "Port ~a\n" | |
397 | #$(number->string | |
398 | (openssh-configuration-port-number config))) | |
399 | (format port "PermitRootLogin ~a\n" | |
400 | #$(match (openssh-configuration-permit-root-login config) | |
401 | (#t "yes") | |
402 | (#f "no") | |
403 | ('without-password "without-password"))) | |
404 | (format port "PermitEmptyPasswords ~a\n" | |
405 | #$(if (openssh-configuration-allow-empty-passwords? config) | |
406 | "yes" "no")) | |
407 | (format port "PasswordAuthentication ~a\n" | |
408 | #$(if (openssh-configuration-password-authentication? config) | |
409 | "yes" "no")) | |
410 | (format port "PubkeyAuthentication ~a\n" | |
411 | #$(if (openssh-configuration-public-key-authentication? | |
412 | config) | |
413 | "yes" "no")) | |
414 | (format port "X11Forwarding ~a\n" | |
415 | #$(if (openssh-configuration-x11-forwarding? config) | |
416 | "yes" "no")) | |
417 | (format port "PidFile ~a\n" | |
418 | #$(openssh-configuration-pid-file config)) | |
419 | (format port "ChallengeResponseAuthentication ~a\n" | |
420 | #$(if (openssh-challenge-response-authentication? config) | |
421 | "yes" "no")) | |
422 | (format port "UsePAM ~a\n" | |
423 | #$(if (openssh-configuration-use-pam? config) | |
424 | "yes" "no")) | |
425 | (format port "PrintLastLog ~a\n" | |
426 | #$(if (openssh-configuration-print-last-log? config) | |
427 | "yes" "no")) | |
4892eb7c LC |
428 | |
429 | ;; Add '/etc/authorized_keys.d/%u', which we populate. | |
430 | (format port "AuthorizedKeysFile \ | |
431 | .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u\n") | |
432 | ||
12723370 CL |
433 | (for-each |
434 | (match-lambda | |
435 | ((name command) (format port "Subsystem\t~a\t~a\n" name command))) | |
436 | '#$(openssh-configuration-subsystems config)) | |
437 | #t))))) | |
86d8f6d3 JL |
438 | |
439 | (define (openssh-shepherd-service config) | |
440 | "Return a <shepherd-service> for openssh with CONFIG." | |
441 | ||
442 | (define pid-file | |
443 | (openssh-configuration-pid-file config)) | |
444 | ||
445 | (define openssh-command | |
23f22ba8 | 446 | #~(list (string-append #$(openssh-configuration-openssh config) "/sbin/sshd") |
86d8f6d3 JL |
447 | "-D" "-f" #$(openssh-config-file config))) |
448 | ||
449 | (list (shepherd-service | |
450 | (documentation "OpenSSH server.") | |
07bf68ed | 451 | (requirement '(syslogd)) |
86d8f6d3 JL |
452 | (provision '(ssh-daemon)) |
453 | (start #~(make-forkexec-constructor #$openssh-command | |
454 | #:pid-file #$pid-file)) | |
aab322d9 LC |
455 | (stop #~(make-kill-destructor)) |
456 | (auto-start? (openssh-auto-start? config))))) | |
86d8f6d3 | 457 | |
563c5d42 CL |
458 | (define (openssh-pam-services config) |
459 | "Return a list of <pam-services> for sshd with CONFIG." | |
460 | (list (unix-pam-service | |
461 | "sshd" | |
462 | #:allow-empty-passwords? | |
463 | (openssh-configuration-allow-empty-passwords? config)))) | |
464 | ||
1398a438 LC |
465 | (define (extend-openssh-authorized-keys config keys) |
466 | "Extend CONFIG with the extra authorized keys listed in KEYS." | |
467 | (openssh-configuration | |
468 | (inherit config) | |
469 | (authorized-keys | |
470 | (append (openssh-authorized-keys config) keys)))) | |
471 | ||
86d8f6d3 JL |
472 | (define openssh-service-type |
473 | (service-type (name 'openssh) | |
21b71b01 LC |
474 | (description |
475 | "Run the OpenSSH secure shell (SSH) server, @command{sshd}.") | |
86d8f6d3 JL |
476 | (extensions |
477 | (list (service-extension shepherd-root-service-type | |
478 | openssh-shepherd-service) | |
563c5d42 CL |
479 | (service-extension pam-root-service-type |
480 | openssh-pam-services) | |
86d8f6d3 JL |
481 | (service-extension activation-service-type |
482 | openssh-activation) | |
483 | (service-extension account-service-type | |
3d3c5650 | 484 | (const %openssh-accounts)))) |
1398a438 LC |
485 | (compose concatenate) |
486 | (extend extend-openssh-authorized-keys) | |
3d3c5650 | 487 | (default-value (openssh-configuration)))) |
86d8f6d3 | 488 | |
86d8f6d3 | 489 | \f |
71b0601a DC |
490 | ;;; |
491 | ;;; Dropbear. | |
492 | ;;; | |
493 | ||
494 | (define-record-type* <dropbear-configuration> | |
495 | dropbear-configuration make-dropbear-configuration | |
496 | dropbear-configuration? | |
497 | (dropbear dropbear-configuration-dropbear | |
498 | (default dropbear)) | |
499 | (port-number dropbear-configuration-port-number | |
500 | (default 22)) | |
501 | (syslog-output? dropbear-configuration-syslog-output? | |
502 | (default #t)) | |
503 | (pid-file dropbear-configuration-pid-file | |
504 | (default "/var/run/dropbear.pid")) | |
505 | (root-login? dropbear-configuration-root-login? | |
506 | (default #f)) | |
507 | (allow-empty-passwords? dropbear-configuration-allow-empty-passwords? | |
508 | (default #f)) | |
509 | (password-authentication? dropbear-configuration-password-authentication? | |
510 | (default #t))) | |
511 | ||
512 | (define (dropbear-activation config) | |
513 | "Return the activation gexp for CONFIG." | |
514 | #~(begin | |
e57bd0be | 515 | (use-modules (guix build utils)) |
71b0601a DC |
516 | (mkdir-p "/etc/dropbear"))) |
517 | ||
518 | (define (dropbear-shepherd-service config) | |
519 | "Return a <shepherd-service> for dropbear with CONFIG." | |
520 | (define dropbear | |
521 | (dropbear-configuration-dropbear config)) | |
522 | ||
523 | (define pid-file | |
524 | (dropbear-configuration-pid-file config)) | |
525 | ||
526 | (define dropbear-command | |
527 | #~(list (string-append #$dropbear "/sbin/dropbear") | |
528 | ||
529 | ;; '-R' allows host keys to be automatically generated upon first | |
530 | ;; connection, at a time when /dev/urandom is more likely securely | |
531 | ;; seeded. | |
532 | "-F" "-R" | |
533 | ||
534 | "-p" #$(number->string (dropbear-configuration-port-number config)) | |
535 | "-P" #$pid-file | |
536 | #$@(if (dropbear-configuration-syslog-output? config) '() '("-E")) | |
537 | #$@(if (dropbear-configuration-root-login? config) '() '("-w")) | |
538 | #$@(if (dropbear-configuration-password-authentication? config) | |
539 | '() | |
540 | '("-s" "-g")) | |
541 | #$@(if (dropbear-configuration-allow-empty-passwords? config) | |
542 | '("-B") | |
543 | '()))) | |
544 | ||
545 | (define requires | |
546 | (if (dropbear-configuration-syslog-output? config) | |
547 | '(networking syslogd) '(networking))) | |
548 | ||
549 | (list (shepherd-service | |
550 | (documentation "Dropbear SSH server.") | |
551 | (requirement requires) | |
552 | (provision '(ssh-daemon)) | |
553 | (start #~(make-forkexec-constructor #$dropbear-command | |
554 | #:pid-file #$pid-file)) | |
555 | (stop #~(make-kill-destructor))))) | |
556 | ||
557 | (define dropbear-service-type | |
558 | (service-type (name 'dropbear) | |
21b71b01 LC |
559 | (description |
560 | "Run the Dropbear secure shell (SSH) server.") | |
71b0601a DC |
561 | (extensions |
562 | (list (service-extension shepherd-root-service-type | |
563 | dropbear-shepherd-service) | |
564 | (service-extension activation-service-type | |
565 | dropbear-activation))))) | |
566 | ||
567 | (define* (dropbear-service #:optional (config (dropbear-configuration))) | |
568 | "Run the @uref{https://matt.ucc.asn.au/dropbear/dropbear.html,Dropbear SSH | |
569 | daemon} with the given @var{config}, a @code{<dropbear-configuration>} | |
570 | object." | |
571 | (service dropbear-service-type config)) | |
572 | ||
f33e2d78 | 573 | ;;; ssh.scm ends here |