diff --git a/system/options.nix b/system/options.nix
index 414bd90939b3..11b4e90a4264 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -799,6 +799,97 @@ }; + lshd = { + + enable = mkOption { + default = false; + description = '' + Whether to enable the GNU lshd SSH2 daemon, which allows + secure remote login. + ''; + }; + + portNumber = mkOption { + default = 22; + description = '' + The port on which to listen for connections. + ''; + }; + + interfaces = mkOption { + default = []; + description = '' + List of network interfaces where listening for connections. + When providing the empty list, `[]', lshd listens on all + network interfaces. + ''; + example = [ "localhost" "1.2.3.4:443" ]; + }; + + hostKey = mkOption { + default = "/etc/lsh/host-key"; + description = '' + Path to the server's private key. Note that this key must + have been created, e.g., using "lsh-keygen --server | + lsh-writekey --server", so that you can run lshd. + ''; + }; + + syslog = mkOption { + default = true; + description = ''Whether to enable syslog output.''; + }; + + passwordAuthentication = mkOption { + default = true; + description = ''Whether to enable password authentication.''; + }; + + publicKeyAuthentication = mkOption { + default = true; + description = ''Whether to enable public key authentication.''; + }; + + rootLogin = mkOption { + default = false; + description = ''Whether to enable remote root login.''; + }; + + loginShell = mkOption { + default = null; + description = '' + If non-null, override the default login shell with the + specified value. + ''; + example = "/nix/store/xyz-bash-10.0/bin/bash10"; + }; + + srpKeyExchange = mkOption { + default = false; + description = '' + Whether to enable SRP key exchange and user authentication. 
+ ''; + }; + + tcpForwarding = mkOption { + default = true; + description = ''Whether to enable TCP/IP forwarding.''; + }; + + x11Forwarding = mkOption { + default = true; + description = ''Whether to enable X11 forwarding.''; + }; + + subsystems = mkOption { + default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; + description = '' + List of subsystem-path pairs, where the head of the pair + denotes the subsystem name, and the tail denotes the path to + an executable implementing it. + ''; + }; + }; ntp = { diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix index fab5f8fe537a..065e8cda08ae 100644 --- a/upstart-jobs/default.nix +++ b/upstart-jobs/default.nix @@ -139,6 +139,16 @@ let allowSFTP = config.services.sshd.allowSFTP; }) + # GNU lshd SSH2 deamon. + ++ optional config.services.lshd.enable + (import ../upstart-jobs/lshd.nix { + inherit (pkgs) lib; + inherit (pkgs) lsh; + inherit (pkgs.xorg) xauth; + inherit nssModulesPath; + lshdConfig = config.services.lshd; + }) + # NTP daemon. ++ optional config.services.ntp.enable (import ../upstart-jobs/ntpd.nix { diff --git a/upstart-jobs/lshd.nix b/upstart-jobs/lshd.nix new file mode 100644 index 000000000000..b85eeb038c74 --- /dev/null +++ b/upstart-jobs/lshd.nix 
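Review bot: The `hostKey` description says the key "must have been created, e.g., using lsh-keygen --server | lsh-writekey --server, so that you can run lshd", but the `upstart-jobs/lshd.nix` job added in this same commit generates exactly that key at service start when the file is missing, so the option text and the job disagree about who creates it; suggest `Path to the server's private key. If the file does not exist it is generated at service start with "lsh-keygen --server | lsh-writekey --server".` The `interfaces` description reads awkwardly and its example values (`"localhost"`, `"1.2.3.4:443"`) look like host[:port] values rather than interface names, so something like `List of addresses (optionally with a port) on which lshd listens; the empty list, \`[]', means all addresses.` would match the example — confirm against lshd's --interface semantics. Since `tcpForwarding` and `x11Forwarding` default to `true`, stating the default in their descriptions would make it visible in the generated manual that both forwardings are on unless disabled. The enclosing `services` attribute set starts and ends outside the hunk.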
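Review bot: `inherit (pkgs.xorg) xauth;` passes `xauth` into `upstart-jobs/lshd.nix`, but the new job file accepts it in its argument set and never references it, so the argument is either dead or the X11-forwarding support it was presumably meant to provide is not actually wired in; confirm whether lshd needs `xauth` on its PATH for X11 forwarding (enabled by default) and either use it in the job or drop the inherit. The comment has a typo: `# GNU lshd SSH2 daemon.`. The surrounding `let` list continues outside the hunk.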
@@ -0,0 +1,53 @@
+{lsh, xauth, lib, nssModulesPath, lshdConfig}:
+
+with builtins;
+with lib;
+
+{
+ name = "lshd";
+
+ job = with lshdConfig; ''
+description "GNU lshd SSH2 daemon"
+
+start on network-interfaces/started
+stop on network-interfaces/stop
+
+env LD_LIBRARY_PATH=${nssModulesPath}
+
+start script
+ test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh
+ test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh
+
+ if ! test -f /var/spool/lsh/yarrow-seed-file
+ then
+ ${lsh}/bin/lsh-make-seed -o /var/spool/lsh/yarrow-seed-file
+ fi
+
+ if ! test -f "${hostKey}"
+ then
+ ${lsh}/bin/lsh-keygen --server | \
+ ${lsh}/bin/lsh-writekey --server -o "${hostKey}"
+ fi
+end script
+
+respawn ${lsh}/sbin/lshd --daemonic \
+ -p ${toString portNumber} \
+ ${if interfaces == [] then ""
+ else (concatStrings (map (i: "--interface=\"${i}\"")
+ interfaces))} \
+ -h "${hostKey}" \
+ ${if !syslog then "--no-syslog" else ""} \
+ ${if !passwordAuthentication then "--no-password" else ""} \
+ ${if !publicKeyAuthentication then "--no-publickey" else ""} \
+ ${if rootLogin then "--root-login" else ""} \
+ ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \
+ ${if srpKeyExchange then "--srp-keyexchange" else "" } \
+ ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \
+ ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \
+ --subsystems=${concatStringsSep ","
+ (map (pair: (head pair) + "=" +
+ (head (tail pair)))
+ subsystems)}
+'';
+
+}
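Review bot: With two or more entries in `interfaces`, `concatStrings (map (i: "--interface=\"${i}\"") interfaces)` on the `respawn` line joins the flags with no separator, so lshd receives a single malformed argument of the form `--interface="a"--interface="b"` and only the one-interface case behaves as configured, which matters because this option is what restricts where the daemon listens. Replace the whole `${if interfaces == [] then "" else ...}` expression with `${concatStringsSep " " (map (i: "--interface=\"${i}\"") interfaces)} \`, which also yields an empty string for `[]` so the special case is no longer needed. Separately, `respawn ${lsh}/sbin/lshd --daemonic` looks suspect: if `--daemonic` makes lshd fork and the parent exit, upstart's `respawn` will see that exit as a crash and restart the daemon repeatedly — confirm against lshd's option documentation and prefer running it in the foreground under upstart. The `start script` generates the private key into `/etc/lsh` with `lsh-writekey` but does not set the file mode itself, so it is worth verifying that the resulting key is not world-readable and, if `lsh-writekey` does not guarantee that, adding `chmod 0600 "${hostKey}"` after the generation.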