From 7eff362ca4c87dd120a7e0bb23ced8525193a518 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 3 Sep 2023 17:12:55 +0200
Subject: [PATCH 1/2] nixos/ssh: inline askPassword

---
 nixos/modules/programs/ssh.nix | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 7c85d1e7c3d5..28b015db9f14 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -8,14 +8,12 @@ let
 cfg = config.programs.ssh;
- askPassword = cfg.askPassword;
-
 askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper" ''
 #! ${pkgs.runtimeShell} -e
 export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
 export WAYLAND_DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^WAYLAND_DISPLAY=\(.*\)/\1/; t; d')"
- exec ${askPassword} "$@"
+ exec ${cfg.askPassword} "$@"
 '';
 knownHosts = attrValues cfg.knownHosts;
@@ -351,7 +349,7 @@ in
 fi
 '';
- environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword askPassword;
+ environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword cfg.askPassword;
 };
 }

From 88946fe4d808ff4ba15149c74701b05d43d1886f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandro=20J=C3=A4ckel?=
Date: Sun, 3 Sep 2023 17:13:11 +0200
Subject: [PATCH 2/2] nixos/ssh: add variant to not set ForwardX11

ssh_config allows a setting to only be set once and if more complex conditions are used than having ForwardX11 already defined can be a problem.
---
 nixos/modules/programs/ssh.nix | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 28b015db9f14..5cd6f753305f 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -50,10 +50,11 @@ in
 };
 forwardX11 = mkOption {
- type = types.bool;
+ type = with lib.types; nullOr bool;
 default = false;
 description = lib.mdDoc ''
 Whether to request X11 forwarding on outgoing connections by default.
+ If set to null, the option is not set at all.
 This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
 Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
 Note: there are some security risks to forwarding an X11 connection.
@@ -279,10 +280,10 @@ in
 config = {
 programs.ssh.setXAuthLocation =
- mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);
+ mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 == true || config.services.openssh.settings.X11Forwarding);
 assertions =
- [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+ [ { assertion = cfg.forwardX11 == true -> cfg.setXAuthLocation;
 message = "cannot enable X11 forwarding without setting XAuth location";
 }
 ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
@@ -303,11 +304,8 @@ in
 AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
 GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles}
- ${optionalString cfg.setXAuthLocation ''
- XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
- ''}
-
- ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
+ ${optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
+ ${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"}
 ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
 ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
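Review bot: The added description line `If set to null, the option is not set at all.` leaves the reader to guess what ssh then does with ForwardX11: no line is emitted, so the value comes from whatever other source sets it, falling back to ssh's own default (no), which is exactly the use case the commit message describes. Consider `If set to null, no ForwardX11 line is written to ssh_config; ssh's built-in default then applies unless another source, such as extraConfig or a per-user config, sets it.` As a matter of style, `with lib.types; nullOr bool` replaces the plain `types.bool` it removes, and the third hunk writes `lib.optionalString` directly beside bare `optionalString`; the surrounding code appears to rely on an enclosing `with lib;`, so `types.nullOr types.bool` and `optionalString` would read consistently. The `forwardX11` option declaration continues past the end of the hunk.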
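Review bot: With `cfg.forwardX11 == true` now the only trigger in both the `mkDefault` expression and the assertion, a configuration that sets the option to null and enables ForwardX11 through another source gets neither an automatic `setXAuthLocation` nor the assertion that guards it, so the generated ssh_config carries no XAuthLocation line unless one of the other conditions happens to hold; the patch does not document that gap. A comment above the `mkDefault` line such as `# null means ForwardX11 is managed outside this option; whoever enables it elsewhere must also set setXAuthLocation` would make the contract explicit. The `assertions` list continues past the end of the hunk.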