From def1e23be848848400d1d097d4f044e3c401f9dd Mon Sep 17 00:00:00 2001 From: Weijia Wang <9713184+wegank@users.noreply.github.com> Date: Sun, 14 Apr 2024 23:02:32 +0200 Subject: treewide: remove lib.mdDoc --- modules/programs/ssh/default.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'modules/programs/ssh/default.nix') diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index 5fc7415..d1a6770 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -14,7 +14,7 @@ let hostNames = mkOption { type = types.listOf types.str; default = []; - description = lib.mdDoc '' + description = '' A list of host names and/or IP numbers used for accessing the host's ssh service. ''; @@ -23,7 +23,7 @@ let default = null; type = types.nullOr types.str; example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; - description = lib.mdDoc '' + description = '' The public key data for the host. You can fetch a public key from a running SSH server with the {command}`ssh-keyscan` command. The public key should not include any host names, only @@ -33,7 +33,7 @@ let publicKeyFile = mkOption { default = null; type = types.nullOr types.path; - description = lib.mdDoc '' + description = '' The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server @@ -54,7 +54,7 @@ let keys = mkOption { type = types.listOf types.str; default = []; - description = lib.mdDoc '' + description = '' A list of verbatim OpenSSH public keys that should be added to the user's authorized keys. The keys are added to a file that the SSH daemon reads in addition to the the user's authorized_keys file. 
@@ -68,7 +68,7 @@ let keyFiles = mkOption { type = types.listOf types.path; default = []; - description = lib.mdDoc '' + description = '' A list of files each containing one OpenSSH public key that should be added to the user's authorized keys. The contents of the files are read at build time and added to a file that the SSH daemon reads in @@ -106,7 +106,7 @@ in services.openssh.authorizedKeysFiles = mkOption { type = types.listOf types.str; default = []; - description = lib.mdDoc '' + description = '' Specify the rules for which files to read on the host. This is an advanced option. If you're looking to configure user @@ -122,7 +122,7 @@ in programs.ssh.knownHosts = mkOption { default = {}; type = types.attrsOf (types.submodule host); - description = lib.mdDoc '' + description = '' The set of system-wide known SSH hosts. ''; example = literalExpression '' -- cgit v1.2.3 From b833d4a32d965e6393a63b2c91b46eca2a5030d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 16 Jul 2023 16:59:43 +0100 Subject: ssh: use symlinks for `authorizedKeys` options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As explained in the changelog and activation check, the previous implementation had a nasty security bug that made removing a user’s authorized keys effectively a no‐op. --- modules/programs/ssh/default.nix | 37 ++++++++++++++----------------------- 1 file changed, 14 insertions(+), 23 deletions(-) (limited to 'modules/programs/ssh/default.nix') diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index d1a6770..6f72369 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -3,7 +3,7 @@ with lib; let - cfg = config.programs.ssh; + cfg = config.programs.ssh; knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); 
@@ -81,8 +81,7 @@ let }; authKeysFiles = let - mkAuthKeyFile = u: nameValuePair "ssh/authorized_keys.d/${u.name}" { - copy = true; + mkAuthKeyFile = u: nameValuePair "ssh/nix_authorized_keys.d/${u.name}" { text = '' ${concatStringsSep "\n" u.openssh.authorizedKeys.keys} ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} @@ -97,28 +96,16 @@ let in { + imports = [ + (mkRemovedOptionModule [ "services" "openssh" "authorizedKeysFiles" ] "No `nix-darwin` equivalent to this NixOS option.") + ]; + options = { users.users = mkOption { type = with types; attrsOf (submodule userOptions); }; - services.openssh.authorizedKeysFiles = mkOption { - type = types.listOf types.str; - default = []; - description = '' - Specify the rules for which files to read on the host. - - This is an advanced option. If you're looking to configure user - keys, you can generally use [](#opt-users.users._name_.openssh.authorizedKeys.keys) - or [](#opt-users.users._name_.openssh.authorizedKeys.keyFiles). - - These are paths relative to the host root file system or home - directories and they are subject to certain token expansion rules. - See AuthorizedKeysFile in man sshd_config for details. - ''; - }; - programs.ssh.knownHosts = mkOption { default = {}; type = types.attrsOf (types.submodule host); @@ -148,8 +135,6 @@ in message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; }); - services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; - environment.etc = authKeysFiles // { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { text = (flip (concatMapStringsSep "\n") knownHosts 
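Review bot: Dropping `copy = true` and renaming the entry to `ssh/nix_authorized_keys.d/${u.name}` leaves whatever the old implementation copied into `/etc/ssh/authorized_keys.d/` on disk unless the etc activation removes it; the commit message refers to an activation check outside this file, so this may already be covered, but it is worth confirming, because those stale per-user files are the key material this fix is meant to retire and nothing in this patch deletes them. A cleanup modelled on the `.before-nix-darwin` removal in `system.activationScripts.etc.text` further down would make the migration self-contained. The `authKeysFiles` binding continues outside the hunk.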
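Review bot: Removing `services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];` means nix-darwin no longer sets `AuthorizedKeysFile` at all, so sshd uses whatever the host's `sshd_config` or its built-in default (`.ssh/authorized_keys .ssh/authorized_keys2`) specifies, which is a small behaviour change from the previous single `%h/.ssh/authorized_keys` path. That deserves a line in the changelog and a comment beside the new `AuthorizedKeysCommand` entry, e.g. `# AuthorizedKeysFile is left at the sshd default; nix-managed keys come from AuthorizedKeysCommand below.`. The enclosing `config` attribute set starts and ends outside the hunk.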
@@ -159,14 +144,20 @@ in )) + "\n"; }; "ssh/sshd_config.d/101-authorized-keys.conf" = { - text = "AuthorizedKeysFile ${toString config.services.openssh.authorizedKeysFiles}\n"; + text = '' + # sshd doesn't like reading from symbolic links, so we cat + # the file ourselves. + AuthorizedKeysCommand /bin/cat /etc/ssh/nix_authorized_keys.d/%u + # Just a simple cat, fine to use _sshd. + AuthorizedKeysCommandUser _sshd + ''; # Allows us to automatically migrate from using a file to a symlink knownSha256Hashes = [ oldAuthorizedKeysHash ]; }; }; - # Clean up .before-nix-darwin file left over from using knownSha256Hashes system.activationScripts.etc.text = '' + # Clean up .before-nix-darwin file left over from using knownSha256Hashes auth_keys_orig=/etc/ssh/sshd_config.d/101-authorized-keys.conf.before-nix-darwin if [ -e "$auth_keys_orig" ] && [ "$(shasum -a 256 $auth_keys_orig | cut -d ' ' -f 1)" = "${oldAuthorizedKeysHash}" ]; then -- cgit v1.2.3 From cf45edbf271a638637d4f1a824c429d7649ecbd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Wed, 31 Jul 2024 19:34:17 +0200 Subject: programs.ssh: add certificate authorities --- modules/programs/ssh/default.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'modules/programs/ssh/default.nix') diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index 6f72369..51c7796 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -11,6 +11,14 @@ let { name, ... }: { options = { + certAuthority = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + This public key is an SSH certificate authority, rather than an + individual host's key. + ''; + }; hostNames = mkOption { type = types.listOf types.str; default = []; 
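Review bot: `AuthorizedKeysCommand /bin/cat /etc/ssh/nix_authorized_keys.d/%u` runs for every account sshd authenticates, and for a user with no nix-managed file `cat` exits non-zero, which sshd reports in its log on each login before falling back to `AuthorizedKeysFile`; presumably `authKeysFiles` only emits entries for users that have keys (its definition is outside this hunk), so a root-owned wrapper that checks `test -f` before reading would keep the logs clean. The inline comment should also record the trust assumption: sshd cannot apply its StrictModes file checks to command output, so the keys accepted are exactly the contents of the store path that `/etc/ssh/nix_authorized_keys.d/%u` points at, which relies on `/etc/ssh` and the store being root-owned and not writable by others, e.g. `# Output is trusted as-is: /etc/ssh and the target store path must stay root-owned and read-only.`. The `environment.etc` attribute set and the activation script both continue outside the hunk.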
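Review bot: The new `certAuthority` option uses `lib.mkOption` and `lib.types.bool` while its siblings `hostNames`, `publicKey` and `publicKeyFile` use the bare `mkOption` / `types.*` forms available through the file's `with lib;`; `certAuthority = mkOption { type = types.bool;` would match. The description should also say what the host list means for a CA entry: with `@cert-authority`, `hostNames` are the host patterns for which certificates signed by this key are accepted, so a broad pattern such as `"*"` trusts the CA for every host, e.g. `For a certificate authority, hostNames are the host patterns (wildcards allowed) whose certificates this key is trusted to sign.`. The `host` submodule starts and ends outside the hunk.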
@@ -139,7 +147,7 @@ in { "ssh/ssh_known_hosts" = mkIf (builtins.length knownHosts > 0) { text = (flip (concatMapStringsSep "\n") knownHosts (h: assert h.hostNames != []; - concatStringsSep "," h.hostNames + " " + lib.optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " " + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) )) + "\n"; }; -- cgit v1.2.3 From 2c86af2e996ac6abbf9e1711f36c28d33b328df6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Mon, 12 Aug 2024 10:26:41 +0200 Subject: programs.ssh: add extraConfig option Same interface as in NixOS. This is useful to apply configuration for remote builders. --- modules/programs/ssh/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'modules/programs/ssh/default.nix') diff --git a/modules/programs/ssh/default.nix b/modules/programs/ssh/default.nix index 51c7796..1e87732 100644 --- a/modules/programs/ssh/default.nix +++ b/modules/programs/ssh/default.nix @@ -114,6 +114,15 @@ in type = with types; attrsOf (submodule userOptions); }; + programs.ssh.extraConfig = lib.mkOption { + type = lib.types.lines; + default = ""; + description = '' + Extra configuration text loaded in {file}`ssh_config`. + See {manpage}`ssh_config(5)` for help. + ''; + }; + programs.ssh.knownHosts = mkOption { default = {}; type = types.attrsOf (types.submodule host); @@ -151,6 +160,7 @@ in + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile) )) + "\n"; }; + "ssh/ssh_config.d/100-nix-darwin.conf".text = config.programs.ssh.extraConfig; "ssh/sshd_config.d/101-authorized-keys.conf" = { text = '' # sshd doesn't like reading from symbolic links, so we cat -- cgit v1.2.3
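Review bot: The description `Extra configuration text loaded in {file}`ssh_config`.` does not say where the text ends up or how it interacts with other configuration: the second hunk writes it to `/etc/ssh/ssh_config.d/100-nix-darwin.conf`, and because ssh keeps the first value it obtains for each keyword, settings here act as system-wide defaults that a user's `~/.ssh/config` can still override, and they only apply if the host's `ssh_config` includes that directory (presumably it does, given the matching `sshd_config.d` layout below). Adding that to the description, e.g. `Written to /etc/ssh/ssh_config.d/100-nix-darwin.conf; per-user ~/.ssh/config takes precedence.`, would save a debugging round. As with `certAuthority`, `lib.mkOption` / `lib.types.lines` could be the bare `mkOption` / `types.lines` the rest of the options block uses. The `options` attribute set continues outside the hunk.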
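Review bot: `"ssh/ssh_config.d/100-nix-darwin.conf".text = config.programs.ssh.extraConfig;` reaches through `config` although the file already binds `cfg = config.programs.ssh;` at the top, and with the default of `""` it writes an empty drop-in on every system; `"ssh/ssh_config.d/100-nix-darwin.conf" = mkIf (cfg.extraConfig != "") { text = cfg.extraConfig; };` addresses both and mirrors the `mkIf` guard already used for `ssh/ssh_known_hosts`. The `environment.etc` attribute set starts and ends outside the hunk.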