From c3a19cc2ac7ddc821d7fc56455f68546b087be47 Mon Sep 17 00:00:00 2001
From: Ludovic Courtès <ludo@gnu.org>
Date: Thu, 21 Sep 2023 18:01:17 +0200
Subject: services: hurd-vm: Disable password-based authentication for root.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With offloading to a childhurd is enabled, allowing password-less root
login in the childhurd to anyone amounts to providing write access to
the host’s store to anyone.  Thus, disable password-based root logins in
the childhurd.

* gnu/services/virtualization.scm (%hurd-vm-operating-system): Change
‘permit-root-login’ to 'prohibit-password.
* gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’
field for ‘hurd-vm-configuration’.
* doc/guix.texi (Virtualization Services): Remove mention of
password-less root login.
---
 gnu/services/virtualization.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'gnu/services')

diff --git a/gnu/services/virtualization.scm b/gnu/services/virtualization.scm
index 258b503461..930c2ce702 100644
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -1080,7 +1080,7 @@ (define %hurd-vm-operating-system
                         (openssh-configuration
                          (openssh openssh-sans-x)
                          (use-pam? #f)
-                         (permit-root-login #t)
+                         (permit-root-login 'prohibit-password)
                          (allow-empty-passwords? #t)
                          (password-authentication? #t)))
 
-- 
cgit v1.2.3