3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

118 commits

Author SHA1 Message Date
Robert Hensing c4a5efa965
Merge pull request #155522 from Julow/single_line_str
types.singleLineStr: strings that don't contain '\n'
2022-01-21 17:39:13 +01:00
Jules Aguillon df590070b0 types.singleLineStr: strings that don't contain '\n'
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.

The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:

    restricted_ssh_keys = command: keys:
      let
        prefix = ''
          command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
        '';
      in map (key: "${prefix} ${key}") keys;

The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.

This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:

    ''
      command="...",options...
      MY_KEY
    ''

This is hard to debug and might be dangerous. This is now caught at
build time.
2022-01-18 22:06:34 +01:00
Daniel Frank 6d985ef174
openssh: Rename option, old option is deprecated upstream 2022-01-18 13:58:29 +01:00
Ben Wolsieffer f5e0f2932e sshd: disable trigger limit for systemd socket
When startWhenNeeded is enabled, a brute force attack on sshd will cause
systemd to shut down the socket, locking out all SSH access to the machine.
Setting TriggerLimitIntervalSec to 0 disables this behavior.
2022-01-08 19:48:37 -05:00
Matthias Treydte 97e61a071d nixos/ssh: take care not to accept empty host key files
In case of a power loss shortly after first boot,
the host keys gernerated by ssh-keygen could exist
in the file system but have zero size, preventing
sshd from starting up.

This commit changes the behaviour to generate host
keys if the file either does not exist or has zero
size, fixing the problem on the next boot.

Thanks to @SuperSandro2000 for figuring this out.
2021-10-12 12:25:38 +02:00
Guillaume Girol bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Sandro 991eaaa024
Merge pull request #133607 from SuperSandro2000/SuperSandro2000-patch-1 2021-08-12 18:18:48 +02:00
Sandro 0a31b7df57
nixos/ssh: cleanup UseDNS setting 2021-08-12 12:13:10 +02:00
Sandro cbf6bbac91
nixos/ssh: cleanup X11Forwarding setting 2021-08-12 01:00:50 +02:00
gwitmond bbe66636f4
nixos/sshd: add -D flag to prevent forking into a separate process (#122844)
It makes it easier for init-processes to monitor correct startup and liveness.
2021-07-01 00:43:54 +02:00
Niklas Hambüchen a48fea4c5e sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)

Also update description to the wording of the sshd_config man page.

`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Robert Hensing dab747106e nixos/ssh: Document authorizedKeysFiles properly 2021-06-15 12:23:09 +02:00
Robert Hensing 8352cc9a23 nixos/ssh: Add an example of verbatim keys
This confused someone on SO.
2021-06-15 11:51:41 +02:00
Maximilian Bosch 951e6988ac
Merge pull request #104543 from chkno/sftpServerExecutable
nixos/sshd: Option to set the sftp server executable
2021-06-04 10:16:20 +02:00
Fritz Otlinghaus 295de63e90
nixos/lshd: add types 2021-01-31 11:27:20 +01:00
volth bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
adisbladis ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Scott Worley 13dbcb3f19 nixos/sshd: Option to set the sftpServerExecutable 2020-11-21 16:06:09 -08:00
Masanori Ogino 8875db4976 nixos/sshd: update kexAlgorithms, fix links
The `curve25519-sha256` key exchange method is defined in RFC 8731 that
is identical to curve25519-sha256@libssh.org. OpenSSH supports the
method since version 7.4, released on 2016-12-19. It is literally a
violation of the "both in Secure Secure Shell and Mozilla guidelines"
rule, but it provides essentially the same but a future-proof default.

Also, links to the Mozilla OpenSSH guidelines are updated to refer to
the current place.

Signed-off-by: Masanori Ogino <167209+omasanori@users.noreply.github.com>
2020-10-21 07:39:50 +09:00
Silvan Mosberger f822080b05
Merge pull request #68887 from teto/ssh_banner
services.openssh: add banner item
2020-09-06 22:15:25 +02:00
Matthieu Coudron 1835fc455b services.openssh: add banner
Add the possibility to setup a banner.

Co-authored-by: Silvan Mosberger <github@infinisil.com>
2020-09-06 21:32:20 +02:00
rnhmjoj 20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Dominik Xaver Hörl c10d82358f treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
Dominik Xaver Hörl 0412bde942 treewide: add bool type to enable options, or make use of mkEnableOption
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Frederik Rietdijk 518d5be4f5 ssh validationPackage is a single value, not a list 2020-04-05 13:04:25 +02:00
adisbladis c00777042f
Merge pull request #82620 from aanderse/ssh-silent
nixos/ssh: silence ssh-keygen during configuration validation
2020-03-15 01:21:38 +00:00
Aaron Andersen f383fa344e nixos/sshd: only include AuthorizedKeysCommand and AuthorizedKeysCommandUser options if explicitly set 2020-03-14 19:50:11 -04:00
Aaron Andersen f5951f520c nixos/ssh: silence ssh-keygen during configuration validation 2020-03-14 19:37:30 -04:00
Aaron Andersen dbe59eca84 nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options 2020-03-12 21:00:12 -04:00
Silvan Mosberger 4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
danbst 0f8596ab3f mass replace "flip map -> forEach"
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst 91bb646e98 Revert "mass replace "flip map -> foreach""
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
danbst 3b0534310c mass replace "flip map -> foreach"
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Samuel Dionne-Riel 861bbbcb3c nixos/sshd: fixes validation for cross-compilation
See https://github.com/NixOS/nixpkgs/pull/62853
2019-06-15 00:56:42 -04:00
Franz Pletz eb7c11d552
Merge pull request #58718 from Ma27/validate-ssh-configs
nixos/sshd: validate ssh configs during build
2019-05-24 18:30:04 +00:00
Maximilian Bosch 00a5222499
nixos/sshd: validate ssh configs during build
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
2019-05-24 20:16:53 +02:00
Aneesh Agrawal 24ae4ae604 nixos/sshd: Remove obsolete Protocol options (#59136)
OpenSSH removed server side support for the v.1 Protocol
in version 7.4: https://www.openssh.com/txt/release-7.4,
making this option a no-op.
2019-04-08 09:49:31 +02:00
Nikita Uvarov 131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination
Previously, if startWhenNeeded was set, listenAddresses option was
ignored and daemon was listening on all interfaces.
Fixes #56325.
2019-02-25 00:51:58 +01:00
danbst 27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
ajs124 325e314aae
sshd: Add restartTrigger for sshd_config
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
2019-01-02 20:11:01 +01:00
Daniel Rutz c98a7bf8f2 nixos/sshd: Use port type instead of int
This change leads to an additional check of the port number at build time, making invalid port values impossible.
2018-10-18 23:42:20 +02:00
volth 2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Franz Pletz ea9078b76b
Merge pull request #41745 from rvolosatovs/fix/sshd
nixos: Add more ssh-keygen params
2018-07-14 16:29:46 +00:00
Florian Klink fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Roman Volosatovs 1846a85b77
sshd: Add issue references to services.openssh.authorizedKeysFiles 2018-06-12 18:30:53 +02:00
Roman Volosatovs 9953edaf75
sshd: Support more ssh-keygen parameters 2018-06-12 18:26:20 +02:00
Izorkin 9ef30fd56a sshd: change location of config file (#41744)
create symlink /etc/ssh/sshd_config
2018-06-10 01:39:06 +02:00
Izorkin ad11b960e9 sshd: add custom options 2018-05-19 11:52:00 +03:00
Silvan Mosberger ee3fd4ad53
nixos/sshd: add options for kexAlgorithms, ciphers and MACs 2018-04-20 19:05:19 +02:00
Eelco Dolstra 6bc889205a
sshd: Remove UsePrivilegeSeparation option
This option is deprecated, see https://www.openssh.com/txt/release-7.5.
2018-02-08 13:32:55 +01:00