From e1a3b41a4ba0d438559af5a8bbecd6383b226396 Mon Sep 17 00:00:00 2001 From: Andreas Enge Date: Tue, 18 Nov 2025 17:23:45 +0100 Subject: [PATCH] gnu: Remove lsh-service-type. * gnu/services/ssh.scm (, %yarrow-seed, lsh-initialization, lsh-activation, lsh-shepherd-service, lsh-pam-services, lsh-service-type): Delete variables. * doc/guix.texi: Remove lsh-service-type documentation. Change-Id: I18377a111c10ec6f6d362fadabc64cb66a2b122d --- doc/guix.texi | 83 +-------------------- gnu/services/ssh.scm | 173 +------------------------------------------ 2 files changed, 2 insertions(+), 254 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 7bba256b838..4823197470a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -1284,16 +1284,6 @@ If the machine is running the OpenSSH daemon, @command{sshd}, the host key can be found in a file such as @file{/etc/ssh/ssh_host_ed25519_key.pub}. -If the machine is running the SSH daemon of GNU@tie{}lsh, -@command{lshd}, the host key is in @file{/etc/lsh/host-key.pub} or a -similar file. It can be converted to the OpenSSH format using -@command{lsh-export-key} (@pxref{Converting keys,,, lsh, LSH Manual}): - -@example -$ lsh-export-key --openssh < /etc/lsh/host-key.pub -ssh-rsa AAAAB3NzaC1yc2EAAAAEOp8FoQAAAQEAs1eB46LV@dots{} -@end example - @end table A number of optional fields may be specified: 
@@ -23972,75 +23962,6 @@ Here is a more complex example configuration for illustrative purposes: Furthermore, @code{(gnu services ssh)} provides the following services. -@cindex SSH -@cindex SSH server - -@defvar lsh-service-type -Type of the service that runs the GNU@tie{}lsh secure shell (SSH) -daemon, @command{lshd}. The value for this service is a -@code{} object. -@end defvar - -@deftp {Data Type} lsh-configuration -Data type representing the configuration of @command{lshd}. - -@table @asis -@item @code{lsh} (default: @code{lsh}) (type: file-like) -The package object of the GNU@tie{}lsh secure shell (SSH) daemon. - -@item @code{daemonic?} (default: @code{#t}) (type: boolean) -Whether to detach from the controlling terminal. - -@item @code{host-key} (default: @code{"/etc/lsh/host-key"}) (type: string) -File containing the @dfn{host key}. This file must be readable by -root only. - -@item @code{interfaces} (default: @code{'()}) (type: list) -List of host names or addresses that @command{lshd} will listen on. -If empty, @command{lshd} listens for connections on all the network -interfaces. - -@item @code{port-number} (default: @code{22}) (type: integer) -Port to listen on. - -@item @code{allow-empty-passwords?} (default: @code{#f}) (type: boolean) -Whether to accept log-ins with empty passwords. - -@item @code{root-login?} (default: @code{#f}) (type: boolean) -Whether to accept log-ins as root. - -@item @code{syslog-output?} (default: @code{#t}) (type: boolean) -Whether to log @command{lshd} standard output to syslogd. -This will make the service depend on the existence of a syslogd service. - -@item @code{pid-file?} (default: @code{#f}) (type: boolean) -When @code{#t}, @command{lshd} writes its PID to the file specified in -@var{pid-file}. - -@item @code{pid-file} (default: @code{"/var/run/lshd.pid"}) (type: string) -File that @command{lshd} will write its PID to. 
- -@item @code{x11-forwarding?} (default: @code{#t}) (type: boolean) -Whether to enable X11 forwarding. - -@item @code{tcp/ip-forwarding?} (default: @code{#t}) (type: boolean) -Whether to enable TCP/IP forwarding. - -@item @code{password-authentication?} (default: @code{#t}) (type: boolean) -Whether to accept log-ins using password authentication. - -@item @code{public-key-authentication?} (default: @code{#t}) (type: boolean) -Whether to accept log-ins using public key authentication. - -@item @code{initialize?} (default: @code{#t}) (type: boolean) -When @code{#f}, it is up to the user to initialize the randomness -generator (@pxref{lsh-make-seed,,, lsh, LSH Manual}), and to create -a key pair with the private key stored in file @var{host-key} -(@pxref{lshd basics,,, lsh, LSH Manual}). - -@end table -@end deftp - @cindex SSH @cindex SSH server @defvar openssh-service-type @@ -48723,9 +48644,7 @@ particular operating system definition. @cindex service types Technically, developers can define @dfn{service types} to express these relations. There can be any number of services of a given type on the -system---for instance, a system running two instances of the GNU secure -shell server (lsh) has two instances of @code{lsh-service-type}, with -different parameters. +system, for instance when running two instances with different parameters. The following section describes the programming interface for service types and services. diff --git a/gnu/services/ssh.scm b/gnu/services/ssh.scm index aac6c1e3539..77359501e4c 100644 --- a/gnu/services/ssh.scm +++ b/gnu/services/ssh.scm @@ -40,11 +40,7 @@ #:use-module (srfi srfi-26) #:use-module (ice-9 match) #:use-module (ice-9 vlist) - #:export (lsh-configuration - lsh-configuration? - lsh-service-type - - openssh-configuration + #:export (openssh-configuration openssh-configuration? openssh-configuration-openssh openssh-configuration-pid-file 
@@ -87,173 +83,6 @@ ;;; ;;; This module implements secure shell (SSH) services. ;;; -;;; Code: - -(define-record-type* - lsh-configuration make-lsh-configuration - lsh-configuration? - (lsh lsh-configuration-lsh - (default lsh)) - (daemonic? lsh-configuration-daemonic? - (default #t)) - (host-key lsh-configuration-host-key - (default "/etc/lsh/host-key")) - (interfaces lsh-configuration-interfaces - (default '())) - (port-number lsh-configuration-port-number - (default 22)) - (allow-empty-passwords? lsh-configuration-allow-empty-passwords? - (default #f)) - (root-login? lsh-configuration-root-login? - (default #f)) - (syslog-output? lsh-configuration-syslog-output? - (default #t)) - (pid-file? lsh-configuration-pid-file? - (default #f)) - (pid-file lsh-configuration-pid-file - (default "/var/run/lshd.pid")) - (x11-forwarding? lsh-configuration-x11-forwarding? - (default #t)) - (tcp/ip-forwarding? lsh-configuration-tcp/ip-forwarding? - (default #t)) - (password-authentication? lsh-configuration-password-authentication? - (default #t)) - (public-key-authentication? lsh-configuration-public-key-authentication? - (default #t)) - (initialize? lsh-configuration-initialize? - (default #t))) - -(define %yarrow-seed - "/var/spool/lsh/yarrow-seed-file") - -(define (lsh-initialization lsh host-key) - "Return the gexp to initialize the LSH service for HOST-KEY." - #~(begin - (unless (file-exists? #$%yarrow-seed) - (system* (string-append #$lsh "/bin/lsh-make-seed") - "--sloppy" "-o" #$%yarrow-seed)) - - (unless (file-exists? #$host-key) - (mkdir-p (dirname #$host-key)) - (format #t "creating SSH host key '~a'...~%" #$host-key) - - ;; FIXME: We're just doing a simple pipeline, but 'system' cannot be - ;; used yet because /bin/sh might be dangling; factorize this somehow. 
- (let* ((in+out (pipe)) - (keygen (primitive-fork))) - (case keygen - ((0) - (close-port (car in+out)) - (close-fdes 1) - (dup2 (fileno (cdr in+out)) 1) - (execl (string-append #$lsh "/bin/lsh-keygen") - "lsh-keygen" "--server")) - (else - (let ((write-key (primitive-fork))) - (case write-key - ((0) - (close-port (cdr in+out)) - (close-fdes 0) - (dup2 (fileno (car in+out)) 0) - (execl (string-append #$lsh "/bin/lsh-writekey") - "lsh-writekey" "--server" "-o" #$host-key)) - (else - (close-port (car in+out)) - (close-port (cdr in+out)) - (waitpid keygen) - (waitpid write-key)))))))))) - -(define (lsh-activation config) - "Return the activation gexp for CONFIG." - #~(begin - (use-modules (guix build utils)) - (mkdir-p "/var/spool/lsh") - #$(if (lsh-configuration-initialize? config) - (lsh-initialization (lsh-configuration-lsh config) - (lsh-configuration-host-key config)) - #t))) - -(define (lsh-shepherd-service config) - "Return a for lsh with CONFIG." - (define lsh (lsh-configuration-lsh config)) - (define pid-file (lsh-configuration-pid-file config)) - (define pid-file? (lsh-configuration-pid-file? config)) - (define daemonic? (lsh-configuration-daemonic? config)) - (define interfaces (lsh-configuration-interfaces config)) - - (define lsh-command - (append - (cons (file-append lsh "/sbin/lshd") - (if daemonic? - (let ((syslog (if (lsh-configuration-syslog-output? config) - '() - (list "--no-syslog")))) - (cons "--daemonic" - (if pid-file? - (cons #~(string-append "--pid-file=" #$pid-file) - syslog) - (cons "--no-pid-file" syslog)))) - (if pid-file? - (list #~(string-append "--pid-file=" #$pid-file)) - '()))) - (cons* #~(string-append "--host-key=" - #$(lsh-configuration-host-key config)) - #~(string-append "--password-helper=" #$lsh "/sbin/lsh-pam-checkpw") - #~(string-append "--subsystems=sftp=" #$lsh "/sbin/sftp-server") - "-p" (number->string (lsh-configuration-port-number config)) - (if (lsh-configuration-password-authentication? 
config) - "--password" "--no-password") - (if (lsh-configuration-public-key-authentication? config) - "--publickey" "--no-publickey") - (if (lsh-configuration-root-login? config) - "--root-login" "--no-root-login") - (if (lsh-configuration-x11-forwarding? config) - "--x11-forward" "--no-x11-forward") - (if (lsh-configuration-tcp/ip-forwarding? config) - "--tcpip-forward" "--no-tcpip-forward") - (if (null? interfaces) - '() - (map (cut string-append "--interface=" <>) - interfaces))))) - - (define requires - `(user-processes - networking - pam - ,@(if (and daemonic? (lsh-configuration-syslog-output? config)) - '(syslogd) - '()))) - - (list (shepherd-service - (documentation "GNU lsh SSH server") - (provision '(ssh-daemon ssh sshd)) - (requirement requires) - (start #~(make-forkexec-constructor (list #$@lsh-command))) - (stop #~(make-kill-destructor))))) - -(define (lsh-pam-services config) - "Return a list of for lshd with CONFIG." - (list (unix-pam-service - "lshd" - #:login-uid? #t - #:allow-empty-passwords? - (lsh-configuration-allow-empty-passwords? config)))) - -(define lsh-service-type - (service-type - (name 'lsh) - (extensions - (list (service-extension shepherd-root-service-type - lsh-shepherd-service) - (service-extension pam-root-service-type - lsh-pam-services) - (service-extension activation-service-type - lsh-activation))) - (description "Run the GNU@tie{}lsh secure shell (SSH) daemon, -@command{lshd}.") - (default-value (lsh-configuration)))) - -;;; ;;; OpenSSH. ;;;
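Review bot: The deleted range in gnu/services/ssh.scm begins at `;;; Code:` rather than at the lsh record definition, so on the new side the module commentary runs straight into the `;;; OpenSSH.` banner with no `;;; Code:` marker. Guile's `file-commentary` in `(ice-9 documentation)` stops at that marker by default, so without it the extracted commentary would run past the intended end. I would keep `;;; Code:` and the blank line after it, and remove only the lsh definitions up to the `;;;` that opens the OpenSSH banner. The commentary block starts above this hunk, so confirm there that a `;;; Commentary:` line is still present.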