From 159dcc337ad896573d8c1fa49024d956fb0929f2 Mon Sep 17 00:00:00 2001 
From: Tomas Volf <~@wolfsden.cz> Date: Sun, 5 Oct 2025 19:13:56 +0200 Subject: [PATCH] ssh: Do not default to port 22 (let guile-ssh do it). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes . After update to guile-ssh 0.18.0, options passed to the `make-session' procedure now take precedence over the configuration file. In few places we however had code like `(or port 22)' leading to (in absence of alternative port being specified) always using port 22, ignoring the configuration file. Due to that for example following command fails: guix copy hello --to=name Name is reachable, but ssh server listens on port 2222. That is correctly configured in ~/.ssh/config, and the invocation used to succeed until the upgrade. However now it tries to connect to port 22 (since port was not specified). While setting the port on the command line *is* possible, it is not exactly ergonomic. Since guile-ssh (well, libssh) defaults to 22 if not told otherwise, we can just always pass the port, and #f will use the port from ~/.ssh/config or, iff none is set, 22. I went through the repository and adjusted all places where it seemed appropriate. In particular, these places were left alone: gnu/machine/digital-ocean.scm: The droplet is created with root user and the expected key, so forcing them to those values seems correct. gnu/machine/ssh.scm: For deployments reproducibility is favored over convenience, and user can pass #f to explicitly request using value the ~/.ssh/config. * guix/scripts/copy.scm (send-to-remote-host): Always pass the port to open-ssh-session. (retrieve-from-remote-host): Same. * guix/scripts/offload.scm (open-ssh-session): Pass #f as #:config. Skips reading the configuration file and is nicer. * guix/ssh.scm (open-ssh-session): Drop explicit parsing of the configuration since it is parsed by default. Report actual port used in the error message. 
* guix/store/ssh.scm (connect-to-daemon): Always pass the port part of the uri, even when #f. Change-Id: I5fdf20f36509a9a0ef138ce72c7198f688eea494 Reported-by: Dariqq Signed-off-by: Ludovic Courtès --- guix/scripts/copy.scm | 5 ++--- guix/scripts/offload.scm | 2 +- guix/ssh.scm | 8 +++----- guix/store/ssh.scm | 2 +- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/guix/scripts/copy.scm b/guix/scripts/copy.scm index 67975ac1a9b..116583590f1 100644 --- a/guix/scripts/copy.scm +++ b/guix/scripts/copy.scm @@ -75,8 +75,7 @@ package names, build the underlying packages before sending them." (options->derivations+files local opts))) (warn-if-empty items) (and (build-derivations local drv) - (let* ((session (open-ssh-session host #:user user - #:port (or port 22))) + (let* ((session (open-ssh-session host #:user user #:port port)) (remote (connect-to-remote-daemon session)) (sent (send-files local items remote #:recursive? #t))) @@ -89,7 +88,7 @@ package names, build the underlying packages before sending them." (let*-values (((user host port) (ssh-spec->user+host+port source)) ((session) - (open-ssh-session host #:user user #:port (or port 22))) + (open-ssh-session host #:user user #:port port)) ((remote) (connect-to-remote-daemon session))) ;; TODO: Here we could to compute and build the derivations on REMOTE diff --git a/guix/scripts/offload.scm b/guix/scripts/offload.scm index 56e1ab61aaa..462c3dfc0c0 100644 --- a/guix/scripts/offload.scm +++ b/guix/scripts/offload.scm @@ -234,7 +234,7 @@ number of seconds after which the connection times out." #:knownhosts "/dev/null" ;; Likewise for ~/.ssh/config. - #:config "/dev/null" + #:config #f ;; We need lightweight compression when ;; exchanging full archives. diff --git a/guix/ssh.scm b/guix/ssh.scm index 20a35b2712f..5b949baaa26 100644 --- a/guix/ssh.scm +++ b/guix/ssh.scm 
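Review bot: In guix/scripts/copy.scm, both `open-ssh-session` calls (in `send-to-remote-host` and `retrieve-from-remote-host`) now pass `#:port port` where `port` may be `#f`, and nothing at the call sites says that the effective port then comes from ~/.ssh/config. Because that file now decides which endpoint store items are sent to or fetched from, I would add a short comment at each call, e.g. `;; PORT may be #f: the port then comes from ~/.ssh/config, or defaults to 22.` The same remark applies to the `#:port (uri-port uri)` change in guix/store/ssh.scm. Both function bodies in copy.scm continue outside the hunks.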
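Review bot: In guix/scripts/offload.scm, the retained comment `;; Likewise for ~/.ssh/config.` no longer explains the value below it. `#:config "/dev/null"` made it obvious that no user configuration is read, whereas `#:config #f` does so only if the installed guile-ssh treats `#f` as "do not parse". The commit message ties this change to guile-ssh 0.18.0; if an older guile-ssh can still be used here, it is worth confirming that `#f` does not fall back to reading the default file, since offload connections should not inherit settings from a user's config. I would reword the comment to `;; Likewise, do not parse any SSH config file (#f disables parsing).` The enclosing call starts and ends outside the hunk.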
@@ -143,10 +143,6 @@ Throw an error on failure." ;; TCP_NODELAY. #:nodelay #t #:stricthostkeycheck strict-host-key-check?))) - - ;; Honor ~/.ssh/config. - (session-parse-config! session) - (match (connect! session) ('ok (if host-key @@ -187,7 +183,9 @@ to SSH server at '~a'") (x ;; Connection failed or timeout expired. (raise (formatted-message (G_ "SSH connection to '~a' port ~a failed: ~a~%") - host (or port 22) (get-error session))))))) + host + (session-get session 'port) + (get-error session))))))) (define* (remote-inferior session #:optional become-command) "Return a remote inferior for the given SESSION. If BECOME-COMMAND is diff --git a/guix/store/ssh.scm b/guix/store/ssh.scm index 09c0832505b..7e6371acbca 100644 --- a/guix/store/ssh.scm +++ b/guix/store/ssh.scm @@ -33,7 +33,7 @@ "Connect to the SSH daemon at URI, a URI object with the 'ssh' scheme." (remote-daemon-channel (open-ssh-session (uri-host uri) - #:port (or (uri-port uri) 22) + #:port (uri-port uri) #:user (uri-userinfo uri)))) ;;; ssh.scm ends here
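Review bot: In the first hunk of guix/ssh.scm, dropping `(session-parse-config! session)` leaves ~/.ssh/config handling entirely to the default of what is presumably the `make-session` call, whose visible tail passes no `#:config` argument. The host, port and key settings a session ends up with then depend on the guile-ssh version in use; with a version that does not parse the file by default, the user's settings would be silently ignored. Passing `#:config #t` explicitly would make the intent visible, assuming a boolean is accepted there, as the `#:config #f` in offload.scm suggests. A one-line comment such as `;; Honor ~/.ssh/config (parsed by make-session).` would also help. The start of the call is outside the hunk.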
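Review bot: In the second hunk of guix/ssh.scm, the failure message now reports the port from the session but still prints the caller's `host` argument, so with a `Host` alias in ~/.ssh/config it can pair the alias with the port of the real endpoint. If `session-get` returns the resolved name for `'host` (to be confirmed against guile-ssh), using `(session-get session 'host)` next to `(session-get session 'port)` would show the address actually contacted. That is the information needed when diagnosing a connection that went to an unexpected target.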