Add support for lshd (SSH2 daemon of GNU lsh).

svn path=/nixos/trunk/; revision=10969
2008-03-05 16:03:09 +00:00 · 2008-03-05 16:03:09 +00:00 · 3cde6bd187
parent cf28e6d341
commit 3cde6bd187
3 changed files with 154 additions and 0 deletions
--- a/system/options.nix
+++ b/system/options.nix
@ -799,6 +799,97 @@

    };

+    lshd = {
+
+      enable = mkOption {
+        default = false;
+	description = ''
+	  Whether to enable the GNU lshd SSH2 daemon, which allows
+          secure remote login.
+	'';
+      };
+
+      portNumber = mkOption {
+        default = 22;
+	description = ''
+	  The port on which to listen for connections.
+	'';
+      };
+
+      interfaces = mkOption {
+        default = [];
+	description = ''
+	  List of network interfaces where listening for connections.
+          When providing the empty list, `[]', lshd listens on all
+          network interfaces.
+	'';
+	example = [ "localhost" "1.2.3.4:443" ];
+      };
+
+      hostKey = mkOption {
+        default = "/etc/lsh/host-key";
+	description = ''
+	  Path to the server's private key.  Note that this key must
+          have been created, e.g., using "lsh-keygen --server |
+          lsh-writekey --server", so that you can run lshd.
+	'';
+      };
+
+      syslog = mkOption {
+        default = true;
+	description = ''Whether to enable syslog output.'';
+      };
+
+      passwordAuthentication = mkOption {
+        default = true;
+	description = ''Whether to enable password authentication.'';
+      };
+
+      publicKeyAuthentication = mkOption {
+        default = true;
+	description = ''Whether to enable public key authentication.'';
+      };
+
+      rootLogin = mkOption {
+        default = false;
+	description = ''Whether to enable remote root login.'';
+      };
+
+      loginShell = mkOption {
+        default = null;
+	description = ''
+	  If non-null, override the default login shell with the
+	  specified value.
+	'';
+	example = "/nix/store/xyz-bash-10.0/bin/bash10";
+      };
+
+      srpKeyExchange = mkOption {
+        default = false;
+	description = ''
+	  Whether to enable SRP key exchange and user authentication.
+	'';
+      };
+
+      tcpForwarding = mkOption {
+        default = true;
+	description = ''Whether to enable TCP/IP forwarding.'';
+      };
+
+      x11Forwarding = mkOption {
+        default = true;
+	description = ''Whether to enable X11 forwarding.'';
+      };
+
+      subsystems = mkOption {
+        default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ];
+	description = ''
+	  List of subsystem-path pairs, where the head of the pair
+          denotes the subsystem name, and the tail denotes the path to
+          an executable implementing it.
+	'';
+      };
+    };

    ntp = {

--- a/upstart-jobs/default.nix
+++ b/upstart-jobs/default.nix
@ -139,6 +139,16 @@ let
      allowSFTP = config.services.sshd.allowSFTP;
    })

+  # GNU lshd SSH2 deamon.
+  ++ optional config.services.lshd.enable
+    (import ../upstart-jobs/lshd.nix {
+      inherit (pkgs) lib;
+      inherit (pkgs) lsh;
+      inherit (pkgs.xorg) xauth;
+      inherit nssModulesPath;
+      lshdConfig = config.services.lshd;
+    })
+
  # NTP daemon.
  ++ optional config.services.ntp.enable
    (import ../upstart-jobs/ntpd.nix {
--- a/upstart-jobs/lshd.nix
+++ b/upstart-jobs/lshd.nix
@ -0,0 +1,53 @@
+{lsh, xauth, lib, nssModulesPath, lshdConfig}:
+
+with builtins;
+with lib;
+
+{
+  name = "lshd";
+  
+  job = with lshdConfig; ''
+description "GNU lshd SSH2 daemon"
+
+start on network-interfaces/started
+stop on network-interfaces/stop
+
+env LD_LIBRARY_PATH=${nssModulesPath}
+
+start script
+    test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
+    test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
+
+    if ! test -f /var/spool/lsh/yarrow-seed-file
+    then
+        ${lsh}/bin/lsh-make-seed -o /var/spool/lsh/yarrow-seed-file
+    fi
+
+    if ! test -f "${hostKey}"
+    then
+        ${lsh}/bin/lsh-keygen --server | \
+	${lsh}/bin/lsh-writekey --server -o "${hostKey}"
+    fi
+end script
+
+respawn ${lsh}/sbin/lshd --daemonic \
+   -p ${toString portNumber} \
+   ${if interfaces == [] then ""
+     else (concatStrings (map (i: "--interface=\"${i}\"")
+                              interfaces))} \
+   -h "${hostKey}" \
+   ${if !syslog then "--no-syslog" else ""} \
+   ${if !passwordAuthentication then "--no-password" else ""} \
+   ${if !publicKeyAuthentication then "--no-publickey" else ""} \
+   ${if rootLogin then "--root-login" else ""} \
+   ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \
+   ${if srpKeyExchange then "--srp-keyexchange" else "" } \
+   ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
+   ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
+   --subsystems=${concatStringsSep ","
+                                   (map (pair: (head pair) + "=" +
+                                               (head (tail pair)))
+				        subsystems)}
+'';
+  
+}