Commit graph

49 commits

Author SHA1 Message Date
Alyssa Ross
387b9bf352
nixos/ssh: don't accept ssh-dss keys
These have been deprecated long enough.  I think this default was even
made non-functional by 2337c7522a.  But
it's still a scary thing to see there.

Fixes https://github.com/NixOS/nixpkgs/issues/33381.
2020-04-07 13:35:51 +00:00
Philip Potter
ce7d4e40f0
ssh-agent: fix syntax problem from #71139
Oops, in #71139 a missing `+` broke things quite badly.  Thanks @lzorkin for the
report and @mebubo for diagnosing the problem.
2019-11-07 22:13:18 +00:00
Philip Potter
8120184bf1 ssh-agent: add agentPKCS11Whitelist option
If you want to be able to use OpenSC with ssh-agent, you need to be able
to add it to the ssh-agent whitelist.  This adds an option,
agentPKCS11Whitelist, that exposes the option.

Note that I currently work around this by injecting the parameter into
the agentTimeout option:

    programs.ssh.agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so";

but I feel that a proper option would be better :)
2019-10-14 20:45:28 +01:00
Peter Hoeg
f2639566b5
Merge pull request #30712 from peterhoeg/f/service
systemd user services shouldn't run as root and other "non-interactive" users
2019-08-02 11:58:27 +08:00
edef
1c9a2d4d7f nixos/programs/ssh: allow specifying known host CAs 2019-07-21 14:23:41 +00:00
Kai Wohlfahrt
de7abf63b8 nixos/ssh: apply options after extraConfig
Otherwise, the standard options (e.g. AddressFamily) cannot be overriden
in extraConfig, as the option is applied on the first (not most
specific) match. Closes #52267
2019-02-18 21:58:46 +00:00
Florian Klink
4f11c06fac programs.ssh.knownHosts: update example to be an attrset
We shouldn't encourage using a list here, but prefer the attrset.
Using a list here causes very unintuitive effects during merging.
2019-01-18 15:33:07 +01:00
Daiderd Jordan
9d72403814
ssh: fix 3572f89bbe 2018-07-21 13:06:16 +02:00
Daiderd Jordan
3572f89bbe
ssh: don't add empty PubkeyAcceptedKeyTypes/HostKeyAlgorithms
The options introduced in e2444a433f would generate a broken
ssh config when set to an empty list.

/etc/ssh/ssh_config line 7: Missing argument.
2018-07-21 12:29:16 +02:00
Daiderd Jordan
e2444a433f
Merge pull request #40686 from Izorkin/ssh
ssh: custom config key types
2018-07-21 11:57:41 +02:00
Izorkin
05bc5fed28 ssh: custom config key types 2018-07-21 12:27:16 +03:00
volth
87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Shea Levy
fec543436d
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
mingchuan
e0318379ae nixos/ssh: fix example 2017-11-01 02:54:38 +08:00
Peter Hoeg
0f04bbdc31 ssh-agent: normal users only 2017-10-24 16:30:13 +08:00
Franz Pletz
994ffc01a0
ssh module: disable agent by default 2017-06-15 19:27:01 +02:00
Franz Pletz
1e95e114e5
nixos/xsession: use graphical systemd user target
While systemd suggests using the pre-defined graphical-session user
target, I found that this interface is difficult to use. Additionally,
no other major distribution, even in their unstable versions, currently
use this mechanism.

The window or desktop manager is supposed to run in a systemd user service
which activates graphical-session.target and the user services that are
binding to this target. The issue is that we can't elegantly pass the
xsession environment to the window manager session, in particular
whereas the PassEnvironment option does work for DISPLAY, it for some
mysterious reason won't for PATH.

This commit implements a new graphical user target that works just like
default.target. Services which should be run in a graphical session just
need to declare wantedBy graphical.target. The graphical target will be
activated in the xsession before executing the window or display manager.

Fixes #17858.
2017-05-29 15:05:28 +02:00
jammerful
d9df350695 ssh: Add Newline to KnownHostsText
SSH expects a new line at the end of known_hosts file.
Without a new line the next entry goes on the same line
as the last entry in known_hosts causing errors.
2017-05-15 23:49:43 -04:00
Eelco Dolstra
d69dce080d
Fix setting programs.ssh.setXAuthLocation
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
2016-11-21 16:19:51 +01:00
Eelco Dolstra
f3c32cb2c1 Let services.openssh.forwardX11 imply programs.ssh.setXAuthLocation 2016-09-05 15:38:42 +02:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Vladimír Čunát
4fede53c09 nixos manuals: bring back package references
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.

The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
2016-02-03 14:47:14 +01:00
Vladimír Čunát
889351af8b Revert "Merge #12357: nixos docs: show references to packages"
The PR wasn't good enough yet.
This reverts commit b2a37ceeea, reversing
changes made to 7fa9a1abce.
2016-02-03 12:16:33 +01:00
Vladimír Čunát
b2a37ceeea Merge #12357: nixos docs: show references to packages 2016-02-03 10:07:27 +01:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
Reno Reckling
312bae7fc0 nixos-ssh: set SSH_ASKPASS globally and not just on interactive shells
If we limit SSH_ASKPASS to interactive shells, users are unable to trigger
the ssh-passphrase dialog from their desktop environment autostart scripts.
Usecase: I call ssh-add during my desktop environment autostart and want to have
the passphrase dialog immediately after startup.
For this to work, SSH_ASKPASS needs to be propagated properly on
non-interactive shells.
2016-01-24 11:18:30 +01:00
Thomas Strobel
a04a7272aa Add missing 'type', 'defaultText' and 'literalExample' in module definitions
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
2016-01-17 19:41:23 +01:00
Vladimír Čunát
3bcf8ae879 nixos manuals: bring back package references
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.

The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
2016-01-13 12:04:31 +01:00
Eelco Dolstra
89e983786a Manual: Remove store path references 2015-09-24 11:50:58 +02:00
Eelco Dolstra
f6eece6f8f programs.ssh.knownHosts: Use attribute name
This allows writing:

  programs.ssh.knownHosts."10.1.2.3".publicKey = "bar";

instead of

  programs.ssh.knownHosts = [ { hostNames = [ "10.1.2.3" ]; publicKey = "bar"; } ];
2015-08-27 15:32:46 +02:00
Eelco Dolstra
7c6ff6c1da programs.ssh.knownHosts: Use submodule 2015-08-27 15:32:46 +02:00
Eelco Dolstra
287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
2015-08-27 15:32:46 +02:00
Eelco Dolstra
401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
Eelco Dolstra
1f2eef5ae9 openssh: Re-enable DSA client keys
This was broken by a8eb2a6a81.
2015-08-18 13:11:45 +02:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
Thomas Tuegel
4b10907152 ssh: make askPassword an option
By making askPassword an option, desktop environment modules can
override the default x11_ssh_askpassword with their own equivalent for
better integration. For example, KDE 5 uses plasma5.ksshaskpass instead.
2015-03-11 11:49:29 -05:00
Eelco Dolstra
36d0f367de ssh-agent: Fix asking for confirmation via $SSH_ASKPASS
This was lost back in
ffedee6ed5. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
2015-02-25 14:31:17 +01:00
Eelco Dolstra
63c14e259d ssh-agent: Don't have a timeout by default
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.

This restores the 14.04 behaviour.
2014-12-18 15:34:29 +01:00
Aristid Breitkreuz
2fd7e5f39d ssh-agent: use types.nullOr 2014-11-15 12:33:01 +01:00
Aristid Breitkreuz
d57110fabc ssh-agent: make key timeout optional 2014-11-15 12:13:25 +01:00
Aristid Breitkreuz
d70336f37c limit the amount of time ssh-agent keeps a key (default: 1h) 2014-11-15 12:13:25 +01:00
William A. Kennington III
bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Eelco Dolstra
85fdaed9de ssh-agent: Tweaks 2014-04-18 17:37:47 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
William A. Kennington III
6c6d7dc11d ssh: Don't set xauth if not running xserver 2014-04-03 14:28:45 -05:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
72ca782044 Fix an assertion set in the wrong place 2013-10-25 15:47:30 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00
Renamed from modules/programs/ssh.nix (Browse further)