| author | Wael M. Nasreddine <wael@keeptruckin.com> | 2020-04-05 19:48:56 -0700 |
|---|---|---|
| committer | Wael M. Nasreddine <wael.nasreddine@gmail.com> | 2023-09-15 08:24:20 -0700 |
| commit | e58bcb921bfd6e90b3e2d11a03ba32918a1cfad4 (patch) | |
| tree | cd806c71e730299940fd13e8e12dcb55307d0340 | |
| parent | 4496ab26628c5f43d2a5c577a06683c753e32fe2 (diff) | |
programs.ssh: write ssh known_hosts only if there are any set
| -rw-r--r-- | modules/programs/ssh/default.nix | 13 | ||||
| -rw-r--r-- | release.nix | 1 | ||||
| -rw-r--r-- | tests/programs-ssh-empty-known-hosts.nix | 11 |
3 files changed, 19 insertions, 6 deletions
diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix
index 87978e6..5fc7415 100644
--- a/modules/programs/ssh/default.nix
+++ b/modules/programs/ssh/default.nix
@@ -151,12 +151,13 @@ in
services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
environment.etc = authKeysFiles //
- { "ssh/ssh_known_hosts".text = (flip (concatMapStringsSep "\n") knownHosts
- (h: assert h.hostNames != [];
- concatStringsSep "," h.hostNames + " "
- + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
- )) + "\n";
-
+ { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) {
+ text = (flip (concatMapStringsSep "\n") knownHosts
+ (h: assert h.hostNames != [];
+ concatStringsSep "," h.hostNames + " "
+ + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
+ )) + "\n";
+ };
"ssh/sshd_config.d/101-authorized-keys.conf" = {
text = "AuthorizedKeysFile ${toString config.services.openssh.authorizedKeysFiles}\n";
# Allows us to automatically migrate from using a file to a symlink
diff --git a/release.nix b/release.nix
index d2edd8a..ffdfc38 100644
--- a/release.nix
+++ b/release.nix
@@ -114,6 +114,7 @@ let
tests.programs-ssh = makeTest ./tests/programs-ssh.nix;
tests.programs-tmux = makeTest ./tests/programs-tmux.nix;
tests.programs-zsh = makeTest ./tests/programs-zsh.nix;
+ tests.programs-ssh-empty-known-hosts = makeTest ./tests/programs-ssh-empty-known-hosts.nix;
tests.security-pki = makeTest ./tests/security-pki.nix;
tests.services-activate-system = makeTest ./tests/services-activate-system.nix;
tests.services-activate-system-changed-label-prefix = makeTest ./tests/services-activate-system-changed-label-prefix.nix;
diff --git a/tests/programs-ssh-empty-known-hosts.nix b/tests/programs-ssh-empty-known-hosts.nix
new file mode 100644
index 0000000..c6bbf35
--- /dev/null
+++ b/tests/programs-ssh-empty-known-hosts.nix
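Review bot: The `mkIf (builtins.length knownHosts > 0)` guard means a system with no pinned hosts stops managing `/etc/ssh/ssh_known_hosts` entirely, and nothing in this hunk shows what happens to a file an earlier generation placed there — if the etc activation does not unlink entries that disappeared between generations, the previously pinned keys silently stay in effect, so that is worth confirming against the activation logic and documenting on the entry, e.g. `# Omit the file when no hosts are pinned; ssh tolerates a missing GlobalKnownHostsFile`. `knownHosts` is bound above the hunk, so its shape is not visible here; `knownHosts != []` would express the same condition idiomatically without the length comparison. The re-added `assert h.hostNames != []` still surfaces as a bare assertion failure, and `lib.assertMsg` with the offending entry would tell the admin which host is misconfigured. The enclosing `environment.etc` attribute set continues past the end of the hunk.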
@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+ test = ''
+ echo >&2 "checking existance of /etc/ssh/ssh_known_hosts"
+ if test -e ${config.out}/etc/ssh/ssh_known_hosts; then
+ echo >&2 "/etc/ssh/ssh_known_hosts exists but it shouldn't!"
+ exit 1
+ fi
+ '';
+} |
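Review bot: The new test only pins the negative side of the `mkIf`, checking that `${config.out}/etc/ssh/ssh_known_hosts` is absent from the build output, and nothing here shows that a non-empty `knownHosts` still produces the file — presumably tests/programs-ssh.nix covers that, but a positive assertion alongside this one would guard both branches. The diagnostic also misspells "existence": `echo >&2 "checking existence of /etc/ssh/ssh_known_hosts"`. Note that `test -e` follows symlinks, so a dangling link would also count as absent here; a comment such as `# a missing or dangling entry both mean the file is not managed` would make that intentional.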
