From ef5da70d669321d482523ba64d331e7b09d6933b Mon Sep 17 00:00:00 2001
From: Matthieu Coudron
Date: Tue, 7 Feb 2023 00:11:18 +0100
Subject: [PATCH] services.openssh: rename several settings (#211991)
* services.openssh: rename several settings ... to match the sshd config format (makes transition smoother), namely: services.openssh.forwardX11 -> services.openssh.settings.X11Forwarding services.openssh.cyphers -> services.openssh.settings.Cyphers services.openssh.macs -> services.openssh.settings.Macs services.openssh.kexAlgorithms -> services.openssh.settings.KexAlgorithms services.openssh.gatewayPorts -> services.openssh.settings.GatewayPorts * release-notes: mention openssh renaming * chore: regenerated release-notes
---
.../from_md/release-notes/rl-2305.section.xml | 77 ++++++--
.../manual/release-notes/rl-2305.section.md | 12 +-
nixos/modules/programs/ssh.nix | 2 +-
.../services/computing/slurm/slurm.nix | 2 +-
.../modules/services/networking/ssh/sshd.nix | 168 ++++++++----------
5 files changed, 157 insertions(+), 104 deletions(-)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
index fcdae13b1fb5..24eae9d9c073 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
@@ -522,19 +522,72 @@ A few openssh options have been moved from extraConfig to the new freeform option settings and renamed as - follow: - services.openssh.kbdInteractiveAuthentication - to - services.openssh.settings.KbdInteractiveAuthentication, - services.openssh.passwordAuthentication to - services.openssh.settings.PasswordAuthentication, - services.openssh.useDns to - services.openssh.settings.UseDns, - services.openssh.permitRootLogin to - services.openssh.settings.PermitRootLogin, - services.openssh.logLevel to - services.openssh.settings.LogLevel. + follows: + + + + services.openssh.forwardX11 to + services.openssh.settings.X11Forwarding + + + + + services.openssh.kbdInteractiveAuthentication + -> + services.openssh.settings.KbdInteractiveAuthentication + + + + + services.openssh.passwordAuthentication + to + services.openssh.settings.PasswordAuthentication + + + + + services.openssh.useDns to + services.openssh.settings.UseDns + + + + + services.openssh.permitRootLogin to + services.openssh.settings.PermitRootLogin + + + + + services.openssh.logLevel to + services.openssh.settings.LogLevel + + + + + services.openssh.kexAlgorithms to + services.openssh.settings.KexAlgorithms + + + + + services.openssh.macs to + services.openssh.settings.Macs + + + + + services.openssh.cyphers to + services.openssh.settings.Cyphers + + + + + services.openssh.gatewayPorts to + services.openssh.settings.GatewayPorts + + + diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 83b2b8ce95a0..20e1423ca627 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md 
@@ -128,7 +128,17 @@ In addition to numerous new and upgraded packages, this release has the followin - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package) -- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`. +- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows: + - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding` + - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication` + - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication` + - `services.openssh.useDns` to `services.openssh.settings.UseDns` + - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin` + - `services.openssh.logLevel` to `services.openssh.settings.LogLevel` + - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms` + - `services.openssh.macs` to `services.openssh.settings.Macs` + - `services.openssh.cyphers` to `services.openssh.settings.Cyphers` + - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts` - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the 
configured mastodon user with sudo and sources the environment variables.
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 36b724e04bde..3b8da78e2af5 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -282,7 +282,7 @@ in config = { programs.ssh.setXAuthLocation = - mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11); + mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding); assertions = [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
diff --git a/nixos/modules/services/computing/slurm/slurm.nix b/nixos/modules/services/computing/slurm/slurm.nix
index 0c80e79d4b79..344c43a429b3 100644
--- a/nixos/modules/services/computing/slurm/slurm.nix
+++ b/nixos/modules/services/computing/slurm/slurm.nix
@@ -383,7 +383,7 @@ in "d /var/spool/slurmd 755 root root -" ]; - services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true); + services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true); systemd.services.slurmctld = mkIf (cfg.server.enable) { path = with pkgs; [ wrappedSlurm munge coreutils ]
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index f2b8d12ccc94..b1a108be0cfa 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -13,11 +13,12 @@ let else pkgs.buildPackages.openssh; # reports boolean as yes / no - mkValueStringSshd = v: + mkValueStringSshd = with lib; v: if isInt v then toString v else if isString v then v else if true == v then "yes" else if false == v then "no" + else if isList v then concatStringsSep "," v else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; # dont use the "=" operator
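Review bot: The new `isList` branch of mkValueStringSshd passes the list straight to `concatStringsSep`, so a `settings` list containing an int or a bool fails with Nix's generic coercion error rather than the module's own `unsupported type` message two lines below, and an empty list turns into a keyword with no argument, which sshd will presumably refuse at start-up. Routing the elements through the same function keeps all value rendering and error reporting in one place: `else if isList v then concatStringsSep "," (map mkValueStringSshd v)`. Rejecting empty lists is better done in the option types of the list-valued settings than here. The `let` block this binding lives in starts outside the hunk.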
@@ -104,6 +105,11 @@ in (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ]) (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ]) (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ]) + (mkRenamedOptionModule [ "services" "openssh" "macs" ] [ "services" "openssh" "settings" "Macs" ]) + (mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ]) + (mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [ "services" "openssh" "settings" "KexAlgorithms" ]) + (mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [ "services" "openssh" "settings" "GatewayPorts" ]) + (mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [ "services" "openssh" "settings" "X11Forwarding" ]) ]; ###### interface
@@ -131,14 +137,6 @@ in ''; }; - forwardX11 = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc '' - Whether to allow X11 connections to be forwarded. - ''; - }; - allowSFTP = mkOption { type = types.bool; default = true;
@@ -167,16 +165,6 @@ in ''; }; - gatewayPorts = mkOption { - type = types.str; - default = "no"; - description = lib.mdDoc '' - Specifies whether remote hosts are allowed to connect to - ports forwarded for the client. See - {manpage}`sshd_config(5)`. - ''; - }; - ports = mkOption { type = types.listOf types.port; default = [22];
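Review bot: The rename module for the cipher list maps an option that never existed to a settings key this patch does not declare: it reads `cyphers` -> `settings.Cyphers`, whereas the option removed in the next hunk is `services.openssh.ciphers` and the option added to `settings` further down is `Ciphers`. A configuration that sets `services.openssh.ciphers` therefore fails evaluation as an undefined option instead of being migrated, and one that follows the release notes to `settings.Cyphers` will, since `settings` is freeform, presumably emit an unknown `Cyphers` keyword that sshd rejects as a bad configuration option — so the smooth transition the commit message promises does not happen for exactly the cipher list. The line should read `(mkRenamedOptionModule [ "services" "openssh" "ciphers" ] [ "services" "openssh" "settings" "Ciphers" ])`, and the two release-notes hunks should name `ciphers`/`Ciphers` the same way. The `imports` list this hunk extends begins outside the hunk.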
@@ -286,63 +274,6 @@ in ''; }; - kexAlgorithms = mkOption { - type = types.listOf types.str; - default = [ - "sntrup761x25519-sha512@openssh.com" - "curve25519-sha256" - "curve25519-sha256@libssh.org" - "diffie-hellman-group-exchange-sha256" - ]; - description = lib.mdDoc '' - Allowed key exchange algorithms - - Uses the lower bound recommended in both - - and - - ''; - }; - - ciphers = mkOption { - type = types.listOf types.str; - default = [ - "chacha20-poly1305@openssh.com" - "aes256-gcm@openssh.com" - "aes128-gcm@openssh.com" - "aes256-ctr" - "aes192-ctr" - "aes128-ctr" - ]; - description = lib.mdDoc '' - Allowed ciphers - - Defaults to recommended settings from both - - and - - ''; - }; - - macs = mkOption { - type = types.listOf types.str; - default = [ - "hmac-sha2-512-etm@openssh.com" - "hmac-sha2-256-etm@openssh.com" - "umac-128-etm@openssh.com" - "hmac-sha2-512" - "hmac-sha2-256" - "umac-128@openssh.com" - ]; - description = lib.mdDoc '' - Allowed MACs - - Defaults to recommended settings from both - - and - - ''; - }; settings = mkOption {
@@ -374,7 +305,13 @@ in ~/.ssh/authorized_keys from and sshd_config Match Host directives. ''; }; - + X11Forwarding = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + Whether to allow X11 connections to be forwarded. + ''; + }; PasswordAuthentication = mkOption { type = types.bool; default = true;
@@ -396,6 +333,70 @@ in Specifies whether keyboard-interactive authentication is allowed. ''; }; + GatewayPorts = mkOption { + type = types.str; + default = "no"; + description = lib.mdDoc '' + Specifies whether remote hosts are allowed to connect to + ports forwarded for the client. See + {manpage}`sshd_config(5)`. + ''; + }; + KexAlgorithms = mkOption { + type = types.listOf types.str; + default = [ + "sntrup761x25519-sha512@openssh.com" + "curve25519-sha256" + "curve25519-sha256@libssh.org" + "diffie-hellman-group-exchange-sha256" + ]; + description = lib.mdDoc '' + Allowed key exchange algorithms + + Uses the lower bound recommended in both + + and + + ''; + }; + Macs = mkOption { + type = types.listOf types.str; + default = [ + "hmac-sha2-512-etm@openssh.com" + "hmac-sha2-256-etm@openssh.com" + "umac-128-etm@openssh.com" + "hmac-sha2-512" + "hmac-sha2-256" + "umac-128@openssh.com" + ]; + description = lib.mdDoc '' + Allowed MACs + + Defaults to recommended settings from both + + and + + ''; + }; + Ciphers = mkOption { + type = types.listOf types.str; + default = [ + "chacha20-poly1305@openssh.com" + "aes256-gcm@openssh.com" + "aes128-gcm@openssh.com" + "aes256-ctr" + "aes192-ctr" + "aes128-ctr" + ]; + description = lib.mdDoc '' + Allowed ciphers + + Defaults to recommended settings from both + + and + + ''; + }; }; }); };
@@ -555,17 +556,10 @@ in ${optionalString cfgc.setXAuthLocation '' XAuthLocation ${pkgs.xorg.xauth}/bin/xauth ''} - - X11Forwarding ${if cfg.forwardX11 then "yes" else "no"} - ${optionalString cfg.allowSFTP '' Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} ''} - - GatewayPorts ${cfg.gatewayPorts} - PrintMotd no # handled by pam_motd - AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} ${optionalString (cfg.authorizedKeysCommand != "none") '' AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
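Review bot: `GatewayPorts` is declared as `types.str`, which accepts any string although sshd only understands `yes`, `no` and `clientspecified`, so a typo is only discovered when sshd refuses to start; `type = types.enum [ "no" "yes" "clientspecified" ];` rejects it at evaluation time and keeps the same default. In the same way `KexAlgorithms`, `Macs` and `Ciphers` use `types.listOf types.str`, which admits `[]` and therefore a keyword with no argument once the list is joined; `types.nonEmptyListOf types.str` both documents and enforces that at least one algorithm must stay configured. The `Macs` option also presumably reaches sshd_config under that spelling where the removed generated line wrote `MACs`; sshd_config keywords are case-insensitive so it still parses, but a one-line comment on the option saying so would save the next reader checking. The `settings` submodule these options extend starts outside the hunk.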
@@ -575,13 +569,9 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} - - KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms} - Ciphers ${concatStringsSep "," cfg.ciphers} - MACs ${concatStringsSep "," cfg.macs} ''; - assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; + assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";}] ++ forEach cfg.listenAddresses ({ addr, ... }: { assertion = addr != null;
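Review bot: The rewritten assertion keeps the `if … then … else true` shape while the sibling change in programs/ssh.nix in this same patch writes the implication directly; `assertion = cfg.settings.X11Forwarding -> cfgc.setXAuthLocation;` says the same thing and makes the two modules read alike. The assertions list this line belongs to continues past the end of the hunk.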