gwitmond
bbe66636f4
nixos/sshd: add -D flag to prevent forking into a separate process (#122844)
...
It makes it easier for init-processes to monitor correct startup and liveness.
2021-07-01 00:43:54 +02:00
Niklas Hambüchen
a48fea4c5e
sshd service: Default to INFO logLevel (upstream default).
...
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for successful logins, see:
6247812c76/auth.c (L323-L328)
Also update description to the wording of the sshd_config man page.
`fail2ban` needs sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.
The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Robert Hensing
dab747106e
nixos/ssh: Document authorizedKeysFiles properly
2021-06-15 12:23:09 +02:00
Robert Hensing
8352cc9a23
nixos/ssh: Add an example of verbatim keys
...
This confused someone on SO.
2021-06-15 11:51:41 +02:00
Maximilian Bosch
951e6988ac
Merge pull request #104543 from chkno/sftpServerExecutable
...
nixos/sshd: Option to set the sftp server executable
2021-06-04 10:16:20 +02:00
Fritz Otlinghaus
295de63e90
nixos/lshd: add types
2021-01-31 11:27:20 +01:00
volth
bc0d605cf1
treewide: fix double quoted strings in meta.description
...
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
adisbladis
ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
...
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Scott Worley
13dbcb3f19
nixos/sshd: Option to set the sftpServerExecutable
2020-11-21 16:06:09 -08:00
Masanori Ogino
8875db4976
nixos/sshd: update kexAlgorithms, fix links
...
The `curve25519-sha256` key exchange method is defined in RFC 8731 that
is identical to curve25519-sha256@libssh.org. OpenSSH supports the
method since version 7.4, released on 2016-12-19. It is literally a
violation of the "both in Secure Secure Shell and Mozilla guidelines"
rule, but it provides essentially the same but a future-proof default.
Also, links to the Mozilla OpenSSH guidelines are updated to refer to
the current place.
Signed-off-by: Masanori Ogino <167209+omasanori@users.noreply.github.com>
2020-10-21 07:39:50 +09:00
Silvan Mosberger
f822080b05
Merge pull request #68887 from teto/ssh_banner
...
services.openssh: add banner item
2020-09-06 22:15:25 +02:00
Matthieu Coudron
1835fc455b
services.openssh: add banner
...
Add the possibility to setup a banner.
Co-authored-by: Silvan Mosberger <github@infinisil.com>
2020-09-06 21:32:20 +02:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf
2020-09-02 00:42:50 +02:00
Dominik Xaver Hörl
c10d82358f
treewide: add types to boolean / enable options or make use of mkEnableOption
2020-04-27 09:32:01 +02:00
Dominik Xaver Hörl
0412bde942
treewide: add bool type to enable options, or make use of mkEnableOption
...
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Frederik Rietdijk
518d5be4f5
ssh validationPackage is a single value, not a list
2020-04-05 13:04:25 +02:00
adisbladis
c00777042f
Merge pull request #82620 from aanderse/ssh-silent
...
nixos/ssh: silence ssh-keygen during configuration validation
2020-03-15 01:21:38 +00:00
Aaron Andersen
f383fa344e
nixos/sshd: only include AuthorizedKeysCommand and AuthorizedKeysCommandUser options if explicitly set
2020-03-14 19:50:11 -04:00
Aaron Andersen
f5951f520c
nixos/ssh: silence ssh-keygen during configuration validation
2020-03-14 19:37:30 -04:00
Aaron Andersen
dbe59eca84
nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options
2020-03-12 21:00:12 -04:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
...
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
danbst
0f8596ab3f
mass replace "flip map -> forEach"
...
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst
91bb646e98
Revert "mass replace "flip map -> foreach""
...
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
danbst
3b0534310c
mass replace "flip map -> foreach"
...
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Samuel Dionne-Riel
861bbbcb3c
nixos/sshd: fixes validation for cross-compilation
...
See https://github.com/NixOS/nixpkgs/pull/62853
2019-06-15 00:56:42 -04:00
Franz Pletz
eb7c11d552
Merge pull request #58718 from Ma27/validate-ssh-configs
...
nixos/sshd: validate ssh configs during build
2019-05-24 18:30:04 +00:00
Maximilian Bosch
00a5222499
nixos/sshd: validate ssh configs during build
...
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).
When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.
This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.
The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder to screw that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
2019-05-24 20:16:53 +02:00
Aneesh Agrawal
24ae4ae604
nixos/sshd: Remove obsolete Protocol options (#59136)
...
OpenSSH removed server side support for the v.1 Protocol
in version 7.4: https://www.openssh.com/txt/release-7.4,
making this option a no-op.
2019-04-08 09:49:31 +02:00
Nikita Uvarov
131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination
...
Previously, if startWhenNeeded was set, listenAddresses option was
ignored and daemon was listening on all interfaces.
Fixes #56325.
2019-02-25 00:51:58 +01:00
danbst
27982b408e
types.optionSet: deprecate and remove last usages
2019-01-31 00:41:10 +02:00
ajs124
325e314aae
sshd: Add restartTrigger for sshd_config
...
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
2019-01-02 20:11:01 +01:00
Daniel Rutz
c98a7bf8f2
nixos/sshd: Use port type instead of int
...
This change leads to an additional check of the port number at build time, making invalid port values impossible.
2018-10-18 23:42:20 +02:00
volth
2e979e8ceb
[bot] nixos/*: remove unused arguments in lambdas
2018-07-20 20:56:59 +00:00
Franz Pletz
ea9078b76b
Merge pull request #41745 from rvolosatovs/fix/sshd
...
nixos: Add more ssh-keygen params
2018-07-14 16:29:46 +00:00
Florian Klink
fff5923686
nixos/modules: users.(extraUsers|extraGroup->users|group)
2018-06-30 03:02:58 +02:00
Roman Volosatovs
1846a85b77
sshd: Add issue references to services.openssh.authorizedKeysFiles
2018-06-12 18:30:53 +02:00
Roman Volosatovs
9953edaf75
sshd: Support more ssh-keygen parameters
2018-06-12 18:26:20 +02:00
Izorkin
9ef30fd56a
sshd: change location of config file (#41744)
...
create symlink /etc/ssh/sshd_config
2018-06-10 01:39:06 +02:00
Izorkin
ad11b960e9
sshd: add custom options
2018-05-19 11:52:00 +03:00
Silvan Mosberger
ee3fd4ad53
nixos/sshd: add options for kexAlgorithms, ciphers and MACs
2018-04-20 19:05:19 +02:00
Eelco Dolstra
6bc889205a
sshd: Remove UsePrivilegeSeparation option
...
This option is deprecated, see https://www.openssh.com/txt/release-7.5.
2018-02-08 13:32:55 +01:00
Leon Schuermann
c61a9dfd2e
sshd: provide option to disable firewall altering
2018-01-18 22:55:28 +08:00
Dmitry Moskowski
ed26bc5931
sshd: Start after network target
2017-12-24 14:57:14 +00:00
Tim Steinbach
48252b15b9
sshd: Remove ripemd160 MACs
...
They are invalid for our OpenSSH
2017-11-21 09:36:51 -05:00
jeaye
2a8bd9e2a1
nixos/ssh: Harden config defaults
2017-11-16 20:25:37 -08:00
jeaye
ec80c92825
nixos/ssh: Remove support for old host keys
2017-11-16 20:25:22 -08:00
Peter Hoeg
07bc859e9a
Revert "ssh: deprecate use of old DSA keys"
...
This reverts commit 65b73d71cb.
2017-10-14 14:42:49 +08:00
Peter Hoeg
65b73d71cb
ssh: deprecate use of old DSA keys
...
They are not safe and shouldn't be used.
2017-10-14 14:38:04 +08:00
Franz Pletz
dc08dcf6e7
ssh service: add sftpFlags option
2017-09-18 21:52:07 +02:00
Joachim Schiele
3d52203ab2
sshd.nix: Added nixops usage warning of openssh.authorizedKeys.keys usage
2017-06-22 11:50:09 +02:00