Message ID | 20231211233532.63690-1-shinyzero0@tilde.club |
---|---|
State | New |
Series | [bug#67789] doc: Secure Shell: Add note about sshd and wrong permissions |
Hello,

"zero@fedora" <shinyzero0@tilde.club> skribis:

> * doc/guix.texi (Home services: Secure Shell): Add note about sshd blocking connections because of wrong permissions [...] > +@quotation Note > +Note that @command{sshd} will block any @command{ssh} connections to you if > +your files in @file{~/.ssh} have wrong permissions or ownership, as the ones > +created by this service do. To fix that, you need to set @code{StrictModes=no} > +in your @command{sshd} configuration > +@end quotation

I think we’d rather fix the permissions of those files than document the
bug.

On my laptop permissions seem to be good:

--8<---------------cut here---------------start------------->8---
$ ls -ld ~/.ssh/authorized_keys
lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
$ ls -ld ~/.ssh
drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
$ ssh localhost uname
Linux
--8<---------------cut here---------------end--------------->8---

Maybe there are cases when this is not the case, maybe when ~/.ssh does
not exist prior to running ‘guix home reconfigure’?

Thanks,
Ludo’.

On Thu Dec 14, 2023 at 4:43 PM MSK, Ludovic Courtès wrote:
> On my laptop permissions seem to be good:
>
> --8<---------------cut here---------------start------------->8---
> $ ls -ld ~/.ssh/authorized_keys
> lrwxrwxrwx 1 ludo users 59 Dec 10 23:36 /home/ludo/.ssh/authorized_keys -> /gnu/store/k79g5iaaa7gij52nrbhjz6fqq7banzdz-authorized_keys
> $ ls -ld ~/.ssh
> drwx------ 3 ludo users 4096 Dec 10 23:36 /home/ludo/.ssh/
> $ ssh localhost uname
> Linux
> --8<---------------cut here---------------end--------------->8---
>
> Maybe there are cases when this is not the case, maybe when ~/.ssh does
> not exist prior to running ‘guix home reconfigure’?
>
> Thanks,
> Ludo’.

I'm using guix on a foreign (Fedora) distro, obviously I had the ~/.ssh
directory with right permissions before replacing it with the
guix-generated one. Maybe it's vice versa: the permissions are wrong when
the ~/.ssh is being replaced?

Honestly, I thought it's unfixable, like, can we change the permissions
of a symlink?

Oh, and I checked my permissions, and they are the same. Maybe the
problem is somewhere within my sshd?

Thanks,
Paul.
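
With `StrictModes` on, `sshd` resolves the path of `authorized_keys` first and then checks the resolved file and each parent directory for a foreign owner or a group/other write bit, stopping at the home directory or `/`, so the mode of the symlink itself is not what gets tested. The diagnostic below approximates that walk; it is an added example, not code from this thread, Guix or OpenSSH, and the function name and message strings are illustrative assumptions.

```python
import os
import stat
import sys


def strictmodes_problems(path, home, uid):
    """Approximate the path walk sshd does when StrictModes is on.

    sshd stops at the first failure; this helper lists every finding.
    """
    def bad(st):
        # Owner must be the user or root, with no group/other write bit.
        return st.st_uid not in (0, uid) or (st.st_mode & 0o022) != 0

    real = os.path.realpath(path)  # symlinks are resolved before any check
    home = os.path.realpath(home)
    try:
        st = os.stat(real)
    except OSError as exc:
        return [f"{real}: {exc.strerror}"]

    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{real}: not a regular file")
    elif bad(st):
        problems.append(f"{real}: bad ownership or modes for file")

    cur = real
    while True:
        cur = os.path.dirname(cur)
        if bad(os.stat(cur)):
            problems.append(f"{cur}: bad ownership or modes for directory")
        if cur in (home, "/"):  # stop at the home directory or at the root
            break
    return problems


if __name__ == "__main__":
    # Assumed default location; pass another key file as the first argument.
    home_dir = os.path.expanduser("~")
    key_file = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        home_dir, ".ssh", "authorized_keys")
    findings = strictmodes_problems(key_file, home_dir, os.getuid())
    print("\n".join(findings) if findings
          else f"{key_file}: passes the approximated checks")
```

Because the walk starts from the resolved target, a key file that is a symlink pointing outside the home directory is judged by the directories above the target, all the way up to `/`.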
diff --git a/doc/guix.texi b/doc/guix.texi index 7dde9b727b..832fed3b97 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -44306,6 +44306,13 @@ predictable fashion, almost independently of state on the local machine. To do that, you instantiate @code{home-openssh-service-type} in your Home configuration, as explained below. +@quotation Note +Note that @command{sshd} will block any @command{ssh} connections to you if +your files in @file{~/.ssh} have wrong permissions or ownership, as the ones +created by this service do. To fix that, you need to set @code{StrictModes=no} +in your @command{sshd} configuration +@end quotation + @defvar home-openssh-service-type This is the type of the service to set up the OpenSSH client. It takes care of several things:
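
Review bot: The last sentence of the added @quotation block recommends @code{StrictModes=no}, which turns off sshd's ownership and mode checks on users' files instead of correcting the files this service creates; I would drop that advice, or present it only as a temporary workaround with the trade-off stated, and describe how to get the permissions right. The clause "as the ones created by this service do" states the breakage as unconditional, so it should name the setup in which the permissions come out wrong. Smaller points: "Note that" repeats the @quotation Note heading, the final sentence has no closing period, and the text should say that the setting goes in the server's sshd configuration file.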