3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

43 commits

Author SHA1 Message Date
Eelco Dolstra d9d6a92d5e sshd.nix: Ensure global config goes before user Match blocks
Hopefully fixes #13393.
2016-02-23 18:03:33 +01:00
Eelco Dolstra a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
Robin Gloster 88292fdf09 jobs -> systemd.services 2016-01-07 06:39:06 +00:00
Eelco Dolstra 14321ae243 Rename users.extraUsers -> users.users, users.extraGroup -> users.groups
The "extra" part hasn't made sense for years.
2015-09-02 17:34:23 +02:00
Eelco Dolstra 287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
2015-08-27 15:32:46 +02:00
Eelco Dolstra 401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
Eelco Dolstra 1f2eef5ae9 openssh: Re-enable DSA client keys
This was broken by a8eb2a6a81.
2015-08-18 13:11:45 +02:00
Eelco Dolstra a5b83c3573 sshd: Use RSA and ED25519 host keys
Closes #7939.
2015-07-27 20:30:10 +02:00
Eelco Dolstra 7b38cb699d services.openssh.knownHosts.*.publicKey: Update description and add example
Note that it's no longer allowed to have multiple public keys
separated by a newline.
2015-07-13 16:21:57 +02:00
Eelco Dolstra 6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
Peter Simons 86d299bc6e nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes
how to generate your own moduli file. The following script might also be helpful:

 | #! /usr/bin/env bash
 |
 | moduliFiles=()
 |
 | generateModuli()
 | {
 |   ssh-keygen -G "moduli-$1.candidates" -b "$1"
 |   ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates"
 |   rm "moduli-$1.candidates"
 | }
 |
 | for (( i=0 ; i <= 16 ; ++i )); do
 |   let bitSize="2048 + i * 128"
 |   generateModuli "$bitSize" &
 |   moduliFiles+=( "moduli-$bitSize" )
 | done
 | wait
 |
 | echo >moduli "# Time Type Tests Tries Size Generator Modulus"
 | cat >>moduli "${moduliFiles[@]}"
 | rm "${moduliFiles[@]}"

Note that generating moduli takes a long time, i.e. several hours on a fast
machine!

This patch resolves https://github.com/NixOS/nixpkgs/pull/5870.
2015-05-22 16:28:45 +02:00
Eelco Dolstra fc8011ad8d Ensure that nscd, sshd are created as system users
c0f70b4694 removed the fixed uid
assignment, but then it becomes necessary to set isSystemUser.

http://hydra.nixos.org/build/22182588
2015-05-13 16:23:36 +02:00
Nicolas B. Pierron 7585d42d2b Fix #7354 - Accept _module attributes added to every submodule. 2015-04-20 23:58:32 +02:00
Eelco Dolstra c0f70b4694 Remove fixed uids for nscd, sshd
These services don't create files on disk, let alone on a network
filesystem, so they don't really need a fixed uid. And this also gets
rid of a warning coming from <= 14.12 systems.
2015-04-19 22:06:45 +02:00
Jan Malakhovski 5c6d86540b nixos: use types.enum instead of ad-hoc check in sshd service 2015-03-26 12:43:42 +00:00
Eelco Dolstra d31202fba2 sshd: Enable seccomp sandboxing 2015-03-09 11:27:19 +01:00
Eelco Dolstra b70bd0879b sshd: Generate a ed25519 host key 2015-02-23 17:00:07 +01:00
Vladimír Čunát 72d2d59cd4 /etc/ssh/ssh_known_hosts: refactor and fix #5612
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.

CC recent updaters: @aszlig, @rickynils.
2015-01-11 22:14:25 +01:00
aszlig 2249474632
nixos/sshd: Fix build if knownHosts is empty.
Introduced by 77ff279f27.

Build failure: https://headcounter.org/hydra/build/583158/nixlog/5/raw

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 19:03:41 +01:00
Rickard Nilsson 77ff279f27 nixos/services.openssh: Allow knownHost keys to have multiple lines.
Useful for adding several public keys of different types for the same host.
2014-11-27 18:40:21 +01:00
William A. Kennington III bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Vladimir Still 13bbce96c3 sshd: Fix typo in assetion. 2014-09-02 10:06:04 +02:00
Vladimir Still a2394f09c7 sshd: Add note about listening on port 22 to listenAddresses. 2014-09-01 22:56:35 +02:00
Vladimir Still ac39d839c3 sshd: Add note about firewall and listenAddresses. 2014-09-01 22:56:35 +02:00
Vladimir Still e12337156c sshd: Allow to specify ListenAddress. 2014-09-01 22:56:35 +02:00
Eelco Dolstra 4668f37444 Fix NixOS evaluation on i686-linux 2014-08-09 17:19:09 +02:00
aszlig da32f052b1
Revert "nixos/sshd: drop mode from auth keys file".
This reverts commit a3331eb87b.

See https://github.com/NixOS/nixpkgs/issues/2559#issuecomment-47313334
for a description why this is not a good idea.

I guess it's better to implement a sane way to remove all files in
authorized_keys.d, especially because it is also backwards-compatible.

Reopens #2559.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-27 09:22:07 +02:00
Luca Bruno a3331eb87b nixos/sshd: drop mode from auth keys file. Closes #2559 2014-06-26 10:15:34 +02:00
William A. Kennington III 1396f624f4 sshd: Fix typing for options which take paths 2014-05-01 16:33:44 -05:00
William A. Kennington III 78c33177ce ssh: Support knownHost public keys as strings 2014-05-01 16:21:25 -05:00
Eelco Dolstra 03d9e5cda0 sshd: Add support for socket activation
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
2014-04-22 17:38:54 +02:00
Eelco Dolstra baffee02b8 sshd: Always start a session
Partially reverts 70a4c7b1df. Whether to
start a session is independent of whether we're running in a
container.
2014-04-22 17:38:53 +02:00
Eelco Dolstra 465d6ff572 Set $LOCALE_ARCHIVE in all systemd units
This variable used to be inherited implicitly from the stage-2 script,
but systemd now clears the environment. So we need to set it
explicitly.
2014-04-18 19:04:45 +02:00
Eelco Dolstra 29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
Jaka Hudoklin 70a4c7b1df nixos: fix linux containers (systemd-nspawn, lxc, lxc-libvirt)
- Make dhcp work, use dhcpcd without udev in container
- Make login shell work, patch getty to not wait for /dev/tty0
- Make ssh work, sshd/pam do not start session
2014-03-24 23:59:50 +01:00
Eelco Dolstra 785eaf2cea Add some primops to lib 2013-11-12 13:48:30 +01:00
Eelco Dolstra 444a4fb793 Loosen the type of SSH key files 2013-11-01 00:34:31 +01:00
Eelco Dolstra 408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra 70a2c54527 Strictly check the arguments to mkOption
And fix various instances of bad arguments.
2013-10-30 15:35:09 +01:00
Eelco Dolstra a3777ba4f9 Remove dependencies on the Nixpkgs location 2013-10-23 20:08:23 +02:00
Eelco Dolstra ae74b0ae58 sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
2013-10-15 15:05:49 +02:00
Eelco Dolstra a2c820c678 Turn security.pam.services into an attribute set
That is, you can say

  security.pam.services.sshd = { options... };

instead of

  security.pam.services = [ { name = "sshd"; options... } ];

making it easier to override PAM settings from other modules.
2013-10-15 14:47:51 +02:00
Eelco Dolstra 5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00