authorLudovic Courtès <ludo@gnu.org>2023-09-21 18:01:17 +0200
committerLudovic Courtès <ludo@gnu.org>2023-10-01 22:58:20 +0200
commitc3a19cc2ac7ddc821d7fc56455f68546b087be47 (patch)
treea8819cf08890f814689364afe3a6140e01de3fbd /gnu
parent100d71f8a144fd58fc20b7ffa942b550118db526 (diff)
services: hurd-vm: Disable password-based authentication for root.
With offloading to a childhurd enabled, allowing password-less root login in the childhurd to anyone amounts to providing write access to the host’s store to anyone. Thus, disable password-based root logins in the childhurd. * gnu/services/virtualization.scm (%hurd-vm-operating-system): Change ‘permit-root-login’ to 'prohibit-password. * gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’ field for ‘hurd-vm-configuration’. * doc/guix.texi (Virtualization Services): Remove mention of password-less root login.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/services/virtualization.scm2
-rw-r--r--gnu/tests/virtualization.scm15
2 files changed, 15 insertions, 2 deletions
diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 258b503461..930c2ce702 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1080,7 +1080,7 @@ that will be listening to receive secret keys on port 1004, TCP."
(openssh-configuration
(openssh openssh-sans-x)
(use-pam? #f)
- (permit-root-login #t)
+ (permit-root-login 'prohibit-password)
(allow-empty-passwords? #t)
(password-authentication? #t)))
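Review bot: `(allow-empty-passwords? #t)` and `(password-authentication? #t)` stay in place right after the changed line, so password logins, including empty ones, are still accepted for every account other than root. Whether %hurd-vm-operating-system defines such an account is not visible in this hunk. If one exists and can gain root inside the childhurd, the store exposure described in the commit message would presumably remain, so consider `(allow-empty-passwords? #f)` or confirm that no such account is defined. A comment above the changed line would also record the reason, e.g. `;; Key-only root login: with offloading, root in the childhurd can write to the host's store.` The enclosing openssh-configuration form starts outside the hunk.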
diff --git a/gnu/tests/virtualization.scm b/gnu/tests/virtualization.scm
index 9e7928703e..599e58edf0 100644
--- a/gnu/tests/virtualization.scm
+++ b/gnu/tests/virtualization.scm
@@ -31,6 +31,7 @@
#:use-module (gnu services)
#:use-module (gnu services dbus)
#:use-module (gnu services networking)
+ #:use-module (gnu services ssh)
#:use-module (gnu services virtualization)
#:use-module (gnu packages ssh)
#:use-module (gnu packages virtualization)
@@ -228,7 +229,19 @@
(define %childhurd-os
(simple-operating-system
(service dhcp-client-service-type)
- (service hurd-vm-service-type)))
+ (service hurd-vm-service-type
+ (hurd-vm-configuration
+ ;; Allow root login with an empty password to simplify the test
+ ;; below.
+ (os (operating-system
+ (inherit %hurd-vm-operating-system)
+ (services
+ (modify-services (operating-system-user-services
+ %hurd-vm-operating-system)
+ (openssh-service-type
+ config => (openssh-configuration
+ (inherit config)
+ (permit-root-login #t)))))))))))
(define (run-childhurd-test)
(define os
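Review bot: The override `(permit-root-login #t)` makes the test log in through the configuration this commit removes from the default, so nothing here checks that the shipped `'prohibit-password` setting actually refuses a password login for root. A later regression in %hurd-vm-operating-system would therefore go unnoticed. Consider adding a case that boots the unmodified default and asserts that an empty-password root login is rejected, or switching the test to key-based login. The comment should also mark the override as test-only, e.g. `;; Test only: the default is 'prohibit-password; do not reuse this in a childhurd used for offloading.` The body of run-childhurd-test continues outside the hunk.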