{ config, lib, pkgs, ... }: with lib; let inherit (pkgs) lsh; cfg = config.services.lshd; in { ###### interface options = { services.lshd = { enable = mkOption { default = false; description = '' Whether to enable the GNU lshd SSH2 daemon, which allows secure remote login. ''; }; portNumber = mkOption { default = 22; description = '' The port on which to listen for connections. ''; }; interfaces = mkOption { default = []; description = '' List of network interfaces where listening for connections. When providing the empty list, `[]', lshd listens on all network interfaces. ''; example = [ "localhost" "1.2.3.4:443" ]; }; hostKey = mkOption { default = "/etc/lsh/host-key"; description = '' Path to the server's private key. Note that this key must have been created, e.g., using "lsh-keygen --server | lsh-writekey --server", so that you can run lshd. ''; }; syslog = mkOption { default = true; description = ''Whether to enable syslog output.''; }; passwordAuthentication = mkOption { default = true; description = ''Whether to enable password authentication.''; }; publicKeyAuthentication = mkOption { default = true; description = ''Whether to enable public key authentication.''; }; rootLogin = mkOption { default = false; description = ''Whether to enable remote root login.''; }; loginShell = mkOption { default = null; description = '' If non-null, override the default login shell with the specified value. ''; example = "/nix/store/xyz-bash-10.0/bin/bash10"; }; srpKeyExchange = mkOption { default = false; description = '' Whether to enable SRP key exchange and user authentication. ''; }; tcpForwarding = mkOption { default = true; description = ''Whether to enable TCP/IP forwarding.''; }; x11Forwarding = mkOption { default = true; description = ''Whether to enable X11 forwarding.''; }; subsystems = mkOption { default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; description = '' List of subsystem-path pairs, where the head of the pair denotes the subsystem name, and the tail denotes the path to an executable implementing it. ''; }; }; }; ###### implementation config = mkIf cfg.enable { jobs.lshd = { description = "GNU lshd SSH2 daemon"; startOn = "started network-interfaces"; stopOn = "stopping network-interfaces"; environment = { LD_LIBRARY_PATH = config.system.nssModules.path; }; preStart = '' test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh if ! test -f /var/spool/lsh/yarrow-seed-file then # XXX: It would be nice to provide feedback to the # user when this fails, so that they can retry it # manually. ${lsh}/bin/lsh-make-seed --sloppy \ -o /var/spool/lsh/yarrow-seed-file fi if ! test -f "${cfg.hostKey}" then ${lsh}/bin/lsh-keygen --server | \ ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" fi ''; exec = with cfg; '' ${lsh}/sbin/lshd --daemonic \ --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ -p ${toString portNumber} \ ${if interfaces == [] then "" else (concatStrings (map (i: "--interface=\"${i}\"") interfaces))} \ -h "${hostKey}" \ ${if !syslog then "--no-syslog" else ""} \ ${if passwordAuthentication then "--password" else "--no-password" } \ ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ ${if rootLogin then "--root-login" else "--no-root-login" } \ ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ --subsystems=${concatStringsSep "," (map (pair: (head pair) + "=" + (head (tail pair))) subsystems)} ''; }; security.pam.services.lshd = {}; }; }