2009-05-28 01:59:14 +02:00
|
|
|
|
# Global configuration for the SSH client.
|
|
|
|
|
|
2014-04-14 16:26:48 +02:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
2009-05-28 01:59:14 +02:00
|
|
|
|
|
2014-04-14 16:26:48 +02:00
|
|
|
|
with lib;
|
2012-03-25 17:42:05 +02:00
|
|
|
|
|
2015-02-25 14:29:24 +01:00
|
|
|
|
let
|
|
|
|
|
|
|
|
|
|
cfg = config.programs.ssh;
|
|
|
|
|
cfgd = config.services.openssh;
|
|
|
|
|
|
2015-03-11 16:59:02 +01:00
|
|
|
|
askPassword = cfg.askPassword;
|
2015-02-25 14:29:24 +01:00
|
|
|
|
|
|
|
|
|
askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
|
|
|
|
|
''
|
2018-03-01 20:38:53 +01:00
|
|
|
|
#! ${pkgs.runtimeShell} -e
|
2015-02-25 14:29:24 +01:00
|
|
|
|
export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
|
|
|
|
|
exec ${askPassword}
|
|
|
|
|
'';
|
2012-03-25 17:42:05 +02:00
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
|
|
|
|
|
|
2017-05-16 05:49:43 +02:00
|
|
|
|
knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
|
2015-08-27 15:31:21 +02:00
|
|
|
|
(h: assert h.hostNames != [];
|
2015-08-27 15:24:14 +02:00
|
|
|
|
concatStringsSep "," h.hostNames + " "
|
|
|
|
|
+ (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
|
2017-05-16 05:49:43 +02:00
|
|
|
|
)) + "\n";
|
2015-08-27 15:24:14 +02:00
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
|
in
|
2009-05-28 01:59:14 +02:00
|
|
|
|
{
|
2012-03-25 17:42:05 +02:00
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
|
|
programs.ssh = {
|
|
|
|
|
|
2015-03-11 16:59:02 +01:00
|
|
|
|
askPassword = mkOption {
|
2015-06-15 18:18:46 +02:00
|
|
|
|
type = types.str;
|
2016-01-13 11:48:11 +01:00
|
|
|
|
default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
|
2015-03-11 16:59:02 +01:00
|
|
|
|
description = ''Program used by SSH to ask for passwords.'';
|
|
|
|
|
};
|
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
|
forwardX11 = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.bool;
|
2012-10-10 08:21:45 +02:00
|
|
|
|
default = false;
|
2012-03-25 17:42:05 +02:00
|
|
|
|
description = ''
|
|
|
|
|
Whether to request X11 forwarding on outgoing connections by default.
|
|
|
|
|
This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
|
|
|
|
|
Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
|
2012-11-18 20:05:18 +01:00
|
|
|
|
Note: there are some security risks to forwarding an X11 connection.
|
|
|
|
|
NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
|
2012-10-10 08:21:45 +02:00
|
|
|
|
To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
|
2012-11-18 20:05:18 +01:00
|
|
|
|
The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
|
2009-05-28 01:59:14 +02:00
|
|
|
|
'';
|
2012-03-25 17:42:05 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
setXAuthLocation = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.bool;
|
2012-03-25 17:42:05 +02:00
|
|
|
|
description = ''
|
2013-10-25 15:47:30 +02:00
|
|
|
|
Whether to set the path to <command>xauth</command> for X11-forwarded connections.
|
2013-10-30 17:37:45 +01:00
|
|
|
|
This causes a dependency on X11 packages.
|
2012-03-25 17:42:05 +02:00
|
|
|
|
'';
|
|
|
|
|
};
|
2013-08-25 21:54:21 +02:00
|
|
|
|
|
|
|
|
|
extraConfig = mkOption {
|
2013-10-30 17:37:45 +01:00
|
|
|
|
type = types.lines;
|
2013-08-25 21:54:21 +02:00
|
|
|
|
default = "";
|
|
|
|
|
description = ''
|
|
|
|
|
Extra configuration text appended to <filename>ssh_config</filename>.
|
2013-10-30 17:37:45 +01:00
|
|
|
|
See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
|
|
|
for help.
|
2013-08-25 21:54:21 +02:00
|
|
|
|
'';
|
|
|
|
|
};
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
|
|
|
|
startAgent = mkOption {
|
|
|
|
|
type = types.bool;
|
2017-06-15 19:27:01 +02:00
|
|
|
|
default = false;
|
2014-04-18 00:45:26 +02:00
|
|
|
|
description = ''
|
|
|
|
|
Whether to start the OpenSSH agent when you log in. The OpenSSH agent
|
|
|
|
|
remembers private keys for you so that you don't have to type in
|
|
|
|
|
passphrases every time you make an SSH connection. Use
|
|
|
|
|
<command>ssh-add</command> to add a key to the agent.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2014-11-13 21:46:02 +01:00
|
|
|
|
agentTimeout = mkOption {
|
2015-06-15 18:18:46 +02:00
|
|
|
|
type = types.nullOr types.str;
|
2014-12-18 15:30:14 +01:00
|
|
|
|
default = null;
|
|
|
|
|
example = "1h";
|
2014-11-13 21:46:02 +01:00
|
|
|
|
description = ''
|
2014-11-15 12:13:19 +01:00
|
|
|
|
How long to keep the private keys in memory. Use null to keep them forever.
|
2014-11-13 21:46:02 +01:00
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2014-09-12 06:43:58 +02:00
|
|
|
|
package = mkOption {
|
2016-01-17 19:34:55 +01:00
|
|
|
|
type = types.package;
|
2014-09-12 06:43:58 +02:00
|
|
|
|
default = pkgs.openssh;
|
2016-01-17 19:34:55 +01:00
|
|
|
|
defaultText = "pkgs.openssh";
|
2014-09-12 06:43:58 +02:00
|
|
|
|
description = ''
|
|
|
|
|
The package used for the openssh client and daemon.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
knownHosts = mkOption {
|
|
|
|
|
default = {};
|
2015-08-27 15:31:21 +02:00
|
|
|
|
type = types.loaOf (types.submodule ({ name, ... }: {
|
2015-08-27 15:29:05 +02:00
|
|
|
|
options = {
|
|
|
|
|
hostNames = mkOption {
|
|
|
|
|
type = types.listOf types.str;
|
|
|
|
|
default = [];
|
|
|
|
|
description = ''
|
|
|
|
|
A list of host names and/or IP numbers used for accessing
|
|
|
|
|
the host's ssh service.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
publicKey = mkOption {
|
|
|
|
|
default = null;
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
|
|
|
|
|
description = ''
|
|
|
|
|
The public key data for the host. You can fetch a public key
|
|
|
|
|
from a running SSH server with the <command>ssh-keyscan</command>
|
|
|
|
|
command. The public key should not include any host names, only
|
|
|
|
|
the key type and the key itself.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
publicKeyFile = mkOption {
|
|
|
|
|
default = null;
|
|
|
|
|
type = types.nullOr types.path;
|
|
|
|
|
description = ''
|
|
|
|
|
The path to the public key file for the host. The public
|
|
|
|
|
key file is read at build time and saved in the Nix store.
|
|
|
|
|
You can fetch a public key file from a running SSH server
|
|
|
|
|
with the <command>ssh-keyscan</command> command. The content
|
|
|
|
|
of the file should follow the same format as described for
|
|
|
|
|
the <literal>publicKey</literal> option.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
2015-08-27 15:31:21 +02:00
|
|
|
|
config = {
|
|
|
|
|
hostNames = mkDefault [ name ];
|
|
|
|
|
};
|
|
|
|
|
}));
|
2015-08-27 15:24:14 +02:00
|
|
|
|
description = ''
|
|
|
|
|
The set of system-wide known SSH hosts.
|
|
|
|
|
'';
|
2016-01-17 19:34:55 +01:00
|
|
|
|
example = literalExample ''
|
|
|
|
|
[
|
|
|
|
|
{
|
|
|
|
|
hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
|
2017-10-31 19:53:24 +01:00
|
|
|
|
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
|
2016-01-17 19:34:55 +01:00
|
|
|
|
}
|
|
|
|
|
{
|
|
|
|
|
hostNames = [ "myhost2" ];
|
2017-10-31 19:53:24 +01:00
|
|
|
|
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
|
2016-01-17 19:34:55 +01:00
|
|
|
|
}
|
|
|
|
|
]
|
|
|
|
|
'';
|
2015-08-27 15:24:14 +02:00
|
|
|
|
};
|
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
|
};
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = {
|
2013-10-25 15:47:30 +02:00
|
|
|
|
|
2016-09-05 15:38:42 +02:00
|
|
|
|
programs.ssh.setXAuthLocation =
|
2016-11-21 16:17:35 +01:00
|
|
|
|
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
|
2016-09-05 15:38:42 +02:00
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
assertions =
|
|
|
|
|
[ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
|
|
|
|
|
message = "cannot enable X11 forwarding without setting XAuth location";
|
|
|
|
|
}
|
|
|
|
|
] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
|
|
|
|
|
assertion = (data.publicKey == null && data.publicKeyFile != null) ||
|
|
|
|
|
(data.publicKey != null && data.publicKeyFile == null);
|
|
|
|
|
message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
|
|
|
|
|
});
|
2013-10-25 15:47:30 +02:00
|
|
|
|
|
2015-08-18 13:09:38 +02:00
|
|
|
|
# SSH configuration. Slight duplication of the sshd_config
|
|
|
|
|
# generation in the sshd service.
|
|
|
|
|
environment.etc."ssh/ssh_config".text =
|
|
|
|
|
''
|
|
|
|
|
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
|
|
|
|
|
|
|
|
|
${optionalString cfg.setXAuthLocation ''
|
|
|
|
|
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
|
|
|
|
|
''}
|
|
|
|
|
|
|
|
|
|
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
|
|
|
|
|
|
2016-02-01 16:27:46 +01:00
|
|
|
|
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
|
|
|
|
|
PubkeyAcceptedKeyTypes +ssh-dss
|
2016-04-01 15:52:59 +02:00
|
|
|
|
HostKeyAlgorithms +ssh-dss
|
2016-02-01 16:27:46 +01:00
|
|
|
|
|
2015-08-18 13:09:38 +02:00
|
|
|
|
${cfg.extraConfig}
|
|
|
|
|
'';
|
2014-04-18 00:45:26 +02:00
|
|
|
|
|
2015-08-27 15:24:14 +02:00
|
|
|
|
environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
|
|
|
|
|
|
2014-04-18 00:45:26 +02:00
|
|
|
|
# FIXME: this should really be socket-activated for über-awesomeness.
|
2017-05-25 19:33:13 +02:00
|
|
|
|
systemd.user.services.ssh-agent = mkIf cfg.startAgent
|
|
|
|
|
{ description = "SSH Agent";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
wantedBy = [ "default.target" ];
|
|
|
|
|
serviceConfig =
|
2014-04-18 17:37:47 +02:00
|
|
|
|
{ ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
|
2014-11-15 12:13:19 +01:00
|
|
|
|
ExecStart =
|
|
|
|
|
"${cfg.package}/bin/ssh-agent " +
|
|
|
|
|
optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
|
|
|
|
|
"-a %t/ssh-agent";
|
2014-04-18 17:37:47 +02:00
|
|
|
|
StandardOutput = "null";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
Type = "forking";
|
|
|
|
|
Restart = "on-failure";
|
2014-04-18 17:37:47 +02:00
|
|
|
|
SuccessExitStatus = "0 2";
|
2014-04-18 00:45:26 +02:00
|
|
|
|
};
|
2015-02-25 14:29:24 +01:00
|
|
|
|
# Allow ssh-agent to ask for confirmation. This requires the
|
|
|
|
|
# unit to know about the user's $DISPLAY (via ‘systemctl
|
|
|
|
|
# import-environment’).
|
|
|
|
|
environment.SSH_ASKPASS = optionalString config.services.xserver.enable askPasswordWrapper;
|
|
|
|
|
environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
|
2014-04-18 00:45:26 +02:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
environment.extraInit = optionalString cfg.startAgent
|
|
|
|
|
''
|
|
|
|
|
if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
|
|
|
|
|
export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
|
2016-01-24 11:18:30 +01:00
|
|
|
|
environment.variables.SSH_ASKPASS = optionalString config.services.xserver.enable askPassword;
|
2015-02-25 14:29:24 +01:00
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
|
};
|
2009-05-28 01:59:14 +02:00
|
|
|
|
}
|