diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index fcdae13b1fb5..24eae9d9c073 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -522,19 +522,72 @@
A few openssh options have been moved from extraConfig to the
new freeform option settings and renamed as
- follow:
- services.openssh.kbdInteractiveAuthentication
- to
- services.openssh.settings.KbdInteractiveAuthentication,
- services.openssh.passwordAuthentication to
- services.openssh.settings.PasswordAuthentication,
- services.openssh.useDns to
- services.openssh.settings.UseDns,
- services.openssh.permitRootLogin to
- services.openssh.settings.PermitRootLogin,
- services.openssh.logLevel to
- services.openssh.settings.LogLevel.
+ follows:
+
+
+
+ services.openssh.forwardX11 to
+ services.openssh.settings.X11Forwarding
+
+
+
+
+ services.openssh.kbdInteractiveAuthentication
+ ->
+ services.openssh.settings.KbdInteractiveAuthentication
+
+
+
+
+ services.openssh.passwordAuthentication
+ to
+ services.openssh.settings.PasswordAuthentication
+
+
+
+
+ services.openssh.useDns to
+ services.openssh.settings.UseDns
+
+
+
+
+ services.openssh.permitRootLogin to
+ services.openssh.settings.PermitRootLogin
+
+
+
+
+ services.openssh.logLevel to
+ services.openssh.settings.LogLevel
+
+
+
+
+ services.openssh.kexAlgorithms to
+ services.openssh.settings.KexAlgorithms
+
+
+
+
+ services.openssh.macs to
+ services.openssh.settings.Macs
+
+
+
+
+ services.openssh.cyphers to
+ services.openssh.settings.Cyphers
+
+
+
+
+ services.openssh.gatewayPorts to
+ services.openssh.settings.GatewayPorts
+
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index 83b2b8ce95a0..20e1423ca627 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -128,7 +128,17 @@ In addition to numerous new and upgraded packages, this release has the followin
- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
-- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`.
+- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
+ - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
+ - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
+ - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
+ - `services.openssh.useDns` to `services.openssh.settings.UseDns`
+ - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`
+ - `services.openssh.logLevel` to `services.openssh.settings.LogLevel`
+ - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms`
+ - `services.openssh.macs` to `services.openssh.settings.Macs`
+ - `services.openssh.cyphers` to `services.openssh.settings.Cyphers`
+ - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`
- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 36b724e04bde..3b8da78e2af5 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -282,7 +282,7 @@ in
config = {
programs.ssh.setXAuthLocation =
- mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
+ mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);
assertions =
[ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix
index 0c80e79d4b79..344c43a429b3 100644
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@@ -383,7 +383,7 @@ in
"d /var/spool/slurmd 755 root root -"
];
- services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true);
+ services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true);
systemd.services.slurmctld = mkIf (cfg.server.enable) {
path = with pkgs; [ wrappedSlurm munge coreutils ]
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index f2b8d12ccc94..b1a108be0cfa 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -13,11 +13,12 @@ let
else pkgs.buildPackages.openssh;
# reports boolean as yes / no
- mkValueStringSshd = v:
+ mkValueStringSshd = with lib; v:
if isInt v then toString v
else if isString v then v
else if true == v then "yes"
else if false == v then "no"
+ else if isList v then concatStringsSep "," v
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
# dont use the "=" operator
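Review bot: The new `isList` branch on the `concatStringsSep` line turns an empty list into an empty value, so a setting such as `settings.Ciphers = [ ]` renders as a `Ciphers` line with no argument; sshd's config parser is expected to reject that at daemon start rather than at Nix evaluation time, which is a worse place to find a typo in a hardening list. Failing early keeps the error next to its cause, e.g. `else if isList v then (if v == [ ] then throw "empty list is not a valid sshd_config value" else concatStringsSep "," v)`. Separately, `with lib;` on a `let` binding brings every `lib` name into the body's scope; `lib.isList` and `lib.concatStringsSep` would be more explicit and match the existing `lib.generators.toPretty` reference on the throw line. The surrounding `let` block starts and ends outside this hunk.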
@@ -104,6 +105,11 @@ in
(mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ])
(mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ])
(mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ])
+ (mkRenamedOptionModule [ "services" "openssh" "macs" ] [ "services" "openssh" "settings" "Macs" ])
+ (mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ])
+ (mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [ "services" "openssh" "settings" "KexAlgorithms" ])
+ (mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [ "services" "openssh" "settings" "GatewayPorts" ])
+ (mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [ "services" "openssh" "settings" "X11Forwarding" ])
];
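Review bot: The rename on the `cyphers` line maps `services.openssh.cyphers` to `settings.Cyphers`, but the option removed later in this file is `ciphers` and the option added under `settings` is `Ciphers`, so users of `services.openssh.ciphers` get an undefined-option error instead of a migration, and anything set through `cyphers` lands in the freeform settings as a `Cyphers` key that sshd does not recognise. The line should read `(mkRenamedOptionModule [ "services" "openssh" "ciphers" ] [ "services" "openssh" "settings" "Ciphers" ])`. The release-notes entry in the markdown hunk and its generated XML counterpart carry the same `cyphers`/`Cyphers` spelling and should be corrected with it. The `imports` list this hunk sits in begins outside the hunk.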
###### interface
@@ -131,14 +137,6 @@ in
'';
};
- forwardX11 = mkOption {
- type = types.bool;
- default = false;
- description = lib.mdDoc ''
- Whether to allow X11 connections to be forwarded.
- '';
- };
-
allowSFTP = mkOption {
type = types.bool;
default = true;
@@ -167,16 +165,6 @@ in
'';
};
- gatewayPorts = mkOption {
- type = types.str;
- default = "no";
- description = lib.mdDoc ''
- Specifies whether remote hosts are allowed to connect to
- ports forwarded for the client. See
- {manpage}`sshd_config(5)`.
- '';
- };
-
ports = mkOption {
type = types.listOf types.port;
default = [22];
@@ -286,63 +274,6 @@ in
'';
};
- kexAlgorithms = mkOption {
- type = types.listOf types.str;
- default = [
- "sntrup761x25519-sha512@openssh.com"
- "curve25519-sha256"
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group-exchange-sha256"
- ];
- description = lib.mdDoc ''
- Allowed key exchange algorithms
-
- Uses the lower bound recommended in both
-
- and
-
- '';
- };
-
- ciphers = mkOption {
- type = types.listOf types.str;
- default = [
- "chacha20-poly1305@openssh.com"
- "aes256-gcm@openssh.com"
- "aes128-gcm@openssh.com"
- "aes256-ctr"
- "aes192-ctr"
- "aes128-ctr"
- ];
- description = lib.mdDoc ''
- Allowed ciphers
-
- Defaults to recommended settings from both
-
- and
-
- '';
- };
-
- macs = mkOption {
- type = types.listOf types.str;
- default = [
- "hmac-sha2-512-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "umac-128-etm@openssh.com"
- "hmac-sha2-512"
- "hmac-sha2-256"
- "umac-128@openssh.com"
- ];
- description = lib.mdDoc ''
- Allowed MACs
-
- Defaults to recommended settings from both
-
- and
-
- '';
- };
settings = mkOption {
@@ -374,7 +305,13 @@ in
~/.ssh/authorized_keys from and sshd_config Match Host directives.
'';
};
-
+ X11Forwarding = mkOption {
+ type = types.bool;
+ default = false;
+ description = lib.mdDoc ''
+ Whether to allow X11 connections to be forwarded.
+ '';
+ };
PasswordAuthentication = mkOption {
type = types.bool;
default = true;
@@ -396,6 +333,70 @@ in
Specifies whether keyboard-interactive authentication is allowed.
'';
};
+ GatewayPorts = mkOption {
+ type = types.str;
+ default = "no";
+ description = lib.mdDoc ''
+ Specifies whether remote hosts are allowed to connect to
+ ports forwarded for the client. See
+ {manpage}`sshd_config(5)`.
+ '';
+ };
+ KexAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ description = lib.mdDoc ''
+ Allowed key exchange algorithms
+
+ Uses the lower bound recommended in both
+
+ and
+
+ '';
+ };
+ Macs = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
+ description = lib.mdDoc ''
+ Allowed MACs
+
+ Defaults to recommended settings from both
+
+ and
+
+ '';
+ };
+ Ciphers = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes128-gcm@openssh.com"
+ "aes256-ctr"
+ "aes192-ctr"
+ "aes128-ctr"
+ ];
+ description = lib.mdDoc ''
+ Allowed ciphers
+
+ Defaults to recommended settings from both
+
+ and
+
+ '';
+ };
};
});
};
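Review bot: The descriptions of the new `KexAlgorithms`, `Macs` and `Ciphers` options read `Uses the lower bound recommended in both` / `Defaults to recommended settings from both` followed by `and` with nothing between, so as written they do not tell the reader which recommendations the defaults follow. If the references were dropped from the option text rather than stripped only in this rendering of the diff, restore them; if they were never there, the sentence should at least name the sources, since these three lists are the module's hardening baseline and a maintainer needs to know what to check them against. The `settings` submodule these options live in starts outside this hunk.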
@@ -555,17 +556,10 @@ in
${optionalString cfgc.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
-
- X11Forwarding ${if cfg.forwardX11 then "yes" else "no"}
-
${optionalString cfg.allowSFTP ''
Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
''}
-
- GatewayPorts ${cfg.gatewayPorts}
-
PrintMotd no # handled by pam_motd
-
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
@@ -575,13 +569,9 @@ in
${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path}
'')}
-
- KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
- Ciphers ${concatStringsSep "," cfg.ciphers}
- MACs ${concatStringsSep "," cfg.macs}
'';
- assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
+ assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}]
++ forEach cfg.listenAddresses ({ addr, ... }: {
assertion = addr != null;