From 8dc57904e385b9219f548601afc6dc9b26dadd68 Mon Sep 17 00:00:00 2001
From: Clombrong
Date: Thu, 2 Oct 2025 01:51:08 +0200
Subject: [PATCH] services: Add endlessh-service-type.

* docs/guix.texi: Document EndleSSH service and configuration.
* gnu/services/ssh.scm: New service.
* gnu/services/ssh.scm: Define shepherd service.

Merges: https://codeberg.org/guix/guix/pulls/5910
Co-Authored-By: Giacomo Leidi
Change-Id: Ief4520b536276b88f2e5027ef0897bf84b2835df
Signed-off-by: Giacomo Leidi
---
 doc/guix.texi        | 52 +++++++++++++++++++++++++++++++
 gnu/services/ssh.scm | 73 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 125 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 436ae58878..0d57b516ba 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -24321,6 +24321,58 @@ Whether to enable password-based authentication.
 @end table
 @end deftp
 
+@cindex EndleSSH
+@defvar endlessh-service-type
+This is the type for the
+@uref{https://github.com/skeeto/endlessh,EndleSSH} program that runs an
+SSH tar pit. By very slowly sending an SSH banner, this program keeps
+unwanted visitors locked away from the actual SSH daemon.
+
+For example, to specify a service running Endlessh on port @code{2222}, add
+this call to the operating system's @code{services} field:
+
+@lisp
+(service endlessh-service-type
+         (endlessh-configuration
+          (port-number 2222)))
+@end lisp
+@end defvar
+
+@deftp {Data Type} endlessh-configuration
+This data type represents the configuration of an EndleSSH service.
+
+@table @asis
+@item @code{endlessh} (default: @var{endlessh})
+The EndleSSH package to use.
+
+@item @code{port-number} (default: @code{22})
+The TCP port where the daemon waits for incoming connections.
+
+@item @code{log-level} (default: @code{1})
+The log level. @code{0} is quiet, @code{2} is very noisy.
+
+@item @code{syslog-output?} (default: @code{#t})
+Whether to enable syslog output.
+
+@item @code{pid-file} (default: @code{"/var/run/endlessh.pid"})
+File name of the daemon's PID file.
+
+@item @code{message-delay} (default: @code{10000})
+The endless banner is sent one line at a time. This is the delay in
+milliseconds between individual lines.
+
+@item @code{max-banner-length} (default: @code{32})
+The length of each line is randomized. This controls the maximum length
+of each line. Shorter lines may keep clients on for longer if they give
+up after a certain number of bytes.
+
+@item @code{max-clients} (default: @code{4096})
+Maximum number of connections to accept at a time. Connections beyond
+this are not immediately rejected, but will wait in the queue.
+
+@end table
+@end deftp
+
 @cindex AutoSSH
 @defvar autossh-service-type
 This is the type for the @uref{https://www.harding.motd.ca/autossh,
diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm
index 77359501e4..d5c1c77800 100644
--- a/gnu/services/ssh.scm
+++ b/gnu/services/ssh.scm
@@ -70,6 +70,17 @@
             dropbear-service-type
             dropbear-service ; deprecated
 
+            endlessh-configuration
+            endlessh-configuration?
+            endlessh-configuration-endlessh
+            endlessh-configuration-port-number
+            endlessh-configuration-log-level
+            endlessh-configuration-syslog-output?
+            endlessh-configuration-message-delay
+            endlessh-configuration-max-banner-length
+            endlessh-configuration-max-clients
+            endlessh-service-type
+
             autossh-configuration
             autossh-configuration?
             autossh-service-type
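Review bot: The export list adds an accessor for every field of the new record except `pid-file`, yet the manual hunk in this same patch documents a `pid-file` field (default `"/var/run/endlessh.pid"`) and the `define-record-type*` added further down in ssh.scm declares no such field. Either the field should be added to the record and `endlessh-configuration-pid-file` exported here, or the `@item @code{pid-file}` entry should be dropped from the manual; as submitted, a user who sets `pid-file` in `endlessh-configuration` would presumably be rejected by the record constructor rather than get a PID file. The generated endlessh configuration text below also never mentions a PID file, so nothing in the patch implements the documented behavior.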
@@ -523,6 +534,68 @@ daemon} with the given @var{config}, a @code{} object."
   (service dropbear-service-type config))
 
 
+
+;;;
+;;; Endlessh.
+;;;
+
+(define-record-type*
+  endlessh-configuration make-endlessh-configuration
+  endlessh-configuration?
+  (endlessh endlessh-configuration-endlessh
+            (default endlessh))
+  (port-number endlessh-configuration-port-number
+               (default 22))
+  (log-level endlessh-configuration-log-level
+             (default 1))
+  (syslog-output? endlessh-configuration-syslog-output?
+                  (default #t))
+  (message-delay endlessh-configuration-message-delay
+                 (default 10000))
+  (max-banner-length endlessh-configuration-max-banner-length
+                     (default 32))
+  (max-clients endlessh-configuration-max-clients
+               (default 4096)))
+
+(define (endlessh-shepherd-service config)
+  "Return a for endlessh with CONFIG."
+  (define endlessh
+    (endlessh-configuration-endlessh config))
+
+  (define endlessh-config
+    (format #f "Port ~a~%Delay ~a~%MaxLineLength ~a~%MaxClients ~a~%LogLevel ~a"
+            (endlessh-configuration-port-number config)
+            (endlessh-configuration-message-delay config)
+            (endlessh-configuration-max-banner-length config)
+            (endlessh-configuration-max-clients config)
+            (endlessh-configuration-log-level config)))
+
+  (define endlessh-command
+    #~(list (string-append #$endlessh "/bin/endlessh")
+            "-f" #$(plain-file "endlessh_config" endlessh-config)
+            #$@(if (endlessh-configuration-syslog-output? config) '("-s") '())))
+
+  (define requires
+    (if (endlessh-configuration-syslog-output? config)
+        '(user-processes networking syslogd)
+        '(user-processes networking)))
+
+  (list (shepherd-service
+         (documentation "EndleSSH server.")
+         (requirement requires)
+         (provision '(endlessh))
+         (start #~(make-forkexec-constructor #$endlessh-command))
+         (stop #~(make-kill-destructor)))))
+
+(define endlessh-service-type
+  (service-type (name 'endlessh)
+                (description
+                 "Run the EndleSSH secure shell (SSH) tarpit.")
+                (extensions
+                 (list (service-extension shepherd-root-service-type
+                                          endlessh-shepherd-service)))
+                (default-value (endlessh-configuration))))
+
 ;;;
 ;;; AutoSSH.