From 7b0071781d830d01b5d89582e88fd25ff5ef3ff1 Mon Sep 17 00:00:00 2001
From: Marc Weber
Date: Fri, 6 Mar 2009 12:26:10 +0000
Subject: [PATCH] Convert "lshd" GNU ssh daemon

svn path=/nixos/branches/fix-style/; revision=14371
---
 system/options.nix | 93 +----------------
 upstart-jobs/default.nix | 10 --
 upstart-jobs/lshd.nix | 209 ++++++++++++++++++++++++++++++---------
 3 files changed, 166 insertions(+), 146 deletions(-)

diff --git a/system/options.nix b/system/options.nix
index 6018128459e2..f952be1ddb1d 100644
--- a/system/options.nix
+++ b/system/options.nix
@@ -480,98 +480,6 @@ in }; - lshd = { - - enable = mkOption { - default = false; - description = '' - Whether to enable the GNU lshd SSH2 daemon, which allows - secure remote login. - ''; - }; - - portNumber = mkOption { - default = 22; - description = '' - The port on which to listen for connections. - ''; - }; - - interfaces = mkOption { - default = []; - description = '' - List of network interfaces where listening for connections. - When providing the empty list, `[]', lshd listens on all - network interfaces. - ''; - example = [ "localhost" "1.2.3.4:443" ]; - }; - - hostKey = mkOption { - default = "/etc/lsh/host-key"; - description = '' - Path to the server's private key. Note that this key must - have been created, e.g., using "lsh-keygen --server | - lsh-writekey --server", so that you can run lshd. - ''; - }; - - syslog = mkOption { - default = true; - description = ''Whether to enable syslog output.''; - }; - - passwordAuthentication = mkOption { - default = true; - description = ''Whether to enable password authentication.''; - }; - - publicKeyAuthentication = mkOption { - default = true; - description = ''Whether to enable public key authentication.''; - }; - - rootLogin = mkOption { - default = false; - description = ''Whether to enable remote root login.''; - }; - - loginShell = mkOption { - default = null; - description = '' - If non-null, override the default login shell with the - specified value. - ''; - example = "/nix/store/xyz-bash-10.0/bin/bash10"; - }; - - srpKeyExchange = mkOption { - default = false; - description = '' - Whether to enable SRP key exchange and user authentication. 
- ''; - }; - - tcpForwarding = mkOption { - default = true; - description = ''Whether to enable TCP/IP forwarding.''; - }; - - x11Forwarding = mkOption { - default = true; - description = ''Whether to enable X11 forwarding.''; - }; - - subsystems = mkOption { - default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; - description = '' - List of subsystem-path pairs, where the head of the pair - denotes the subsystem name, and the tail denotes the path to - an executable implementing it. - ''; - }; - }; - ntp = { enable = mkOption { @@ -1656,6 +1564,7 @@ in (import ../upstart-jobs/syslogd.nix) (import ../upstart-jobs/dhcpd.nix) (import ../upstart-jobs/sshd.nix) + (import ../upstart-jobs/lshd.nix) # GNU lshd SSH2 deamon (TODO: does neither start nor generate seed file ?) # nix (import ../upstart-jobs/nix.nix) # nix options and daemon diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix index f2f48d0e2824..0d8d2987d2ce 100644 --- a/upstart-jobs/default.nix +++ b/upstart-jobs/default.nix @@ -141,16 +141,6 @@ let inherit config; }) - # GNU lshd SSH2 deamon. - ++ optional config.services.lshd.enable - (import ../upstart-jobs/lshd.nix { - inherit (pkgs) lib; - inherit (pkgs) lsh; - inherit (pkgs.xorg) xauth; - inherit nssModulesPath; - lshdConfig = config.services.lshd; - }) - # GNUnet daemon. ++ optional config.services.gnunet.enable (import ../upstart-jobs/gnunet.nix { diff --git a/upstart-jobs/lshd.nix b/upstart-jobs/lshd.nix index 0a13d9ba7ee7..9db99bce493f 100644 --- a/upstart-jobs/lshd.nix +++ b/upstart-jobs/lshd.nix 
@@ -1,54 +1,175 @@ -{lsh, xauth, lib, nssModulesPath, lshdConfig}: +{pkgs, config, ...}: -with builtins; -with lib; +###### interface +let + inherit (pkgs.lib) mkOption mkIf; -{ - name = "lshd"; - - job = with lshdConfig; '' -description "GNU lshd SSH2 daemon" + options = { + services = { + lshd = { -start on network-interfaces/started -stop on network-interfaces/stop + enable = mkOption { + default = false; + description = '' + Whether to enable the GNU lshd SSH2 daemon, which allows + secure remote login. + ''; + }; -env LD_LIBRARY_PATH=${nssModulesPath} + portNumber = mkOption { + default = 22; + description = '' + The port on which to listen for connections. + ''; + }; -start script - test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh - test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh + interfaces = mkOption { + default = []; + description = '' + List of network interfaces where listening for connections. + When providing the empty list, `[]', lshd listens on all + network interfaces. + ''; + example = [ "localhost" "1.2.3.4:443" ]; + }; - if ! test -f /var/spool/lsh/yarrow-seed-file - then - ${lsh}/bin/lsh-make-seed -o /var/spool/lsh/yarrow-seed-file - fi + hostKey = mkOption { + default = "/etc/lsh/host-key"; + description = '' + Path to the server's private key. Note that this key must + have been created, e.g., using "lsh-keygen --server | + lsh-writekey --server", so that you can run lshd. + ''; + }; - if ! 
test -f "${hostKey}" - then - ${lsh}/bin/lsh-keygen --server | \ - ${lsh}/bin/lsh-writekey --server -o "${hostKey}" - fi -end script + syslog = mkOption { + default = true; + description = ''Whether to enable syslog output.''; + }; -respawn ${lsh}/sbin/lshd --daemonic \ - --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ - -p ${toString portNumber} \ - ${if interfaces == [] then "" - else (concatStrings (map (i: "--interface=\"${i}\"") - interfaces))} \ - -h "${hostKey}" \ - ${if !syslog then "--no-syslog" else ""} \ - ${if passwordAuthentication then "--password" else "--no-password" } \ - ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ - ${if rootLogin then "--root-login" else "--no-root-login" } \ - ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ - ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ - ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ - ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ - --subsystems=${concatStringsSep "," - (map (pair: (head pair) + "=" + - (head (tail pair))) - subsystems)} -''; + passwordAuthentication = mkOption { + default = true; + description = ''Whether to enable password authentication.''; + }; + + publicKeyAuthentication = mkOption { + default = true; + description = ''Whether to enable public key authentication.''; + }; + + rootLogin = mkOption { + default = false; + description = ''Whether to enable remote root login.''; + }; + + loginShell = mkOption { + default = null; + description = '' + If non-null, override the default login shell with the + specified value. + ''; + example = "/nix/store/xyz-bash-10.0/bin/bash10"; + }; + + srpKeyExchange = mkOption { + default = false; + description = '' + Whether to enable SRP key exchange and user authentication. 
+ ''; + }; + + tcpForwarding = mkOption { + default = true; + description = ''Whether to enable TCP/IP forwarding.''; + }; + + x11Forwarding = mkOption { + default = true; + description = ''Whether to enable X11 forwarding.''; + }; + + subsystems = mkOption { + default = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; + description = '' + List of subsystem-path pairs, where the head of the pair + denotes the subsystem name, and the tail denotes the path to + an executable implementing it. + ''; + }; + }; + }; + }; +in + +###### implementation + +let + + inherit (pkgs) lsh; + inherit (pkgs.lib) concatStrings concatStringsSep head tail; + + lshdConfig = config.services.lshd; + + nssModules = config.system.nssModules.list; + + nssModulesPath = config.system.nssModules.path; +in + +mkIf config.services.lshd.enable { + require = [ + options + ]; + + services = { + extraJobs = [{ + name = "lshd"; + + job = with lshdConfig; '' + description "GNU lshd SSH2 daemon" + + start on network-interfaces/started + stop on network-interfaces/stop + + env LD_LIBRARY_PATH=${nssModulesPath} + + start script + test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh + test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh + + if ! test -f /var/spool/lsh/yarrow-seed-file + the + ${lsh}/bin/lsh-make-seed -o /var/spool/lsh/yarrow-seed-file + fi + + if ! 
test -f "${hostKey}" + then + ${lsh}/bin/lsh-keygen --server | \ + ${lsh}/bin/lsh-writekey --server -o "${hostKey}" + fi + end script + + respawn ${lsh}/sbin/lshd --daemonic \ + --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ + -p ${toString portNumber} \ + ${if interfaces == [] then "" + else (concatStrings (map (i: "--interface=\"${i}\"") + interfaces))} \ + -h "${hostKey}" \ + ${if !syslog then "--no-syslog" else ""} \ + ${if passwordAuthentication then "--password" else "--no-password" } \ + ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ + ${if rootLogin then "--root-login" else "--no-root-login" } \ + ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ + ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ + ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ + ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ + --subsystems=${concatStringsSep "," + (map (pair: (head pair) + "=" + + (head (tail pair))) + subsystems)} + ''; +} + ]; + }; }
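Review bot: The new `start script` inside the `job` string has `the` where the removed side had `then` after `if ! test -f /var/spool/lsh/yarrow-seed-file`, so the Upstart start script is a shell syntax error and `lsh-make-seed` never runs. The `(TODO: does neither start nor generate seed file ?)` comment this commit adds next to the lshd.nix import in system/options.nix is most likely explained by exactly that typo. The fix is the single keyword `then`. Separately, the implementation `let` binds `nssModules = config.system.nssModules.list;` but nothing in the hunk reads it, only `nssModulesPath` is used (in `env LD_LIBRARY_PATH=${nssModulesPath}`), so the unused binding could be dropped. Since the host-key bootstrap `${lsh}/bin/lsh-keygen --server | ${lsh}/bin/lsh-writekey --server -o "${hostKey}"` is carried over without any status check, a failing `lsh-writekey` still leaves lshd to start against a missing key; a `set -e` at the top of the start script would at least make that failure visible in the job status.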