services: hurd-vm: Disable password-based authentication for root.

With offloading to a childhurd is enabled, allowing password-less root login in the childhurd to anyone amounts to providing write access to the host’s store to anyone. Thus, disable password-based root logins in the childhurd. * gnu/services/virtualization.scm (%hurd-vm-operating-system): Change ‘permit-root-login’ to 'prohibit-password. * gnu/tests/virtualization.scm (%childhurd-os): Provide a custom ‘os’ field for ‘hurd-vm-configuration’. * doc/guix.texi (Virtualization Services): Remove mention of password-less root login.
2025-10-02 02:15:12 +00:00 · 2023-09-21 18:01:17 +02:00 · 2023-09-21 18:01:17 +02:00 · c3a19cc2ac
commit c3a19cc2ac
parent 100d71f8a1
3 changed files with 15 additions and 7 deletions
--- a/gnu/tests/virtualization.scm
+++ b/gnu/tests/virtualization.scm
@ -31,6 +31,7 @@
  #:use-module (gnu services)
  #:use-module (gnu services dbus)
  #:use-module (gnu services networking)
+  #:use-module (gnu services ssh)
  #:use-module (gnu services virtualization)
  #:use-module (gnu packages ssh)
  #:use-module (gnu packages virtualization)
@ -228,7 +229,19 @@
 (define %childhurd-os
  (simple-operating-system
   (service dhcp-client-service-type)
-   (service hurd-vm-service-type)))
+   (service hurd-vm-service-type
+            (hurd-vm-configuration
+             ;; Allow root login with an empty password to simplify the test
+             ;; below.
+             (os (operating-system
+                   (inherit %hurd-vm-operating-system)
+                   (services
+                    (modify-services (operating-system-user-services
+                                      %hurd-vm-operating-system)
+                      (openssh-service-type
+                       config => (openssh-configuration
+                                  (inherit config)
+                                  (permit-root-login #t)))))))))))

 (define (run-childhurd-test)
  (define os