Commit Graph

171 Commits

Author SHA1 Message Date
talyz
ddf8182d5b
sshd: Don't remove symlinks to host key files
If a host key file is a symlink pointing to an as of yet non-existent
file, we don't want to remove it, but instead follow the symlink and
create the file at that location.

See https://github.com/nix-community/impermanence/issues/101 for more
information on the issue the original behavior creates.
2022-07-21 19:15:04 +02:00
Martin Weinelt
fa7ce6bc7f
nixos/openssh: Add sntrup761x25519-sha512 kexAlgo
Introduced in OpenSSH 9.0 it became the part of the default kexAlgorithm
selection, visibile in sshd_config(5).

It is also enabled by default in the OpenSSH client, as can be seen from

$ ssh -Q KexAlgorithms

Also clarifies that we use the referenced documents as the lower bound,
given that they haven't been updated for 5-7y.
2022-05-10 23:20:54 +02:00
Daniel Fullmer
ad38a2a646 nixos/ssh: remove empty host key files before generating new ones
In a previous PR [1], the conditional to generate a new host key file
was changed to also include the case when the file exists, but has zero
size. This could occur when the system is uncleanly powered off shortly
after first boot.

However, ssh-keygen prompts the user before overwriting a file. For
example:

$ touch hi
$ ssh-keygen -f hi
Generating public/private rsa key pair.
hi already exists.
Overwrite (y/n)?

So, lets just try to remove the empty file (if it exists) before running
ssh-keygen.

[1] https://github.com/NixOS/nixpkgs/pull/141258
2022-05-03 22:09:43 -07:00
Robert Hensing
c4a5efa965
Merge pull request #155522 from Julow/single_line_str
types.singleLineStr: strings that don't contain '\n'
2022-01-21 17:39:13 +01:00
Jules Aguillon
df590070b0 types.singleLineStr: strings that don't contain '\n'
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.

The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:

    restricted_ssh_keys = command: keys:
      let
        prefix = ''
          command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
        '';
      in map (key: "${prefix} ${key}") keys;

The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.

This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', with result in two entries for
the faulty key:

    ''
      command="...",options...
      MY_KEY
    ''

This is hard to debug and might be dangerous. This is now caught at
build time.
2022-01-18 22:06:34 +01:00
Daniel Frank
6d985ef174
openssh: Rename option, old option is deprecated upstream 2022-01-18 13:58:29 +01:00
Ben Wolsieffer
f5e0f2932e sshd: disable trigger limit for systemd socket
When startWhenNeeded is enabled, a brute force attack on sshd will cause
systemd to shut down the socket, locking out all SSH access to the machine.
Setting TriggerLimitIntervalSec to 0 disables this behavior.
2022-01-08 19:48:37 -05:00
Matthias Treydte
97e61a071d nixos/ssh: take care not to accept empty host key files
In case of a power loss shortly after first boot,
the host keys gernerated by ssh-keygen could exist
in the file system but have zero size, preventing
sshd from starting up.

This commit changes the behaviour to generate host
keys if the file either does not exist or has zero
size, fixing the problem on the next boot.

Thanks to @SuperSandro2000 for figuring this out.
2021-10-12 12:25:38 +02:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Sandro
991eaaa024
Merge pull request #133607 from SuperSandro2000/SuperSandro2000-patch-1 2021-08-12 18:18:48 +02:00
Sandro
0a31b7df57
nixos/ssh: cleanup UseDNS setting 2021-08-12 12:13:10 +02:00
Sandro
cbf6bbac91
nixos/ssh: cleanup X11Forwarding setting 2021-08-12 01:00:50 +02:00
gwitmond
bbe66636f4
nixos/sshd: add -D flag to prevent forking into a separate process (#122844)
It makes it easier for init-processes to monitor correct startup and liveness.
2021-07-01 00:43:54 +02:00
Niklas Hambüchen
a48fea4c5e sshd service: Default to INFO logLevel (upstream default).
The previous justification for using "VERBOSE" is incorrect,
because OpenSSH does use level INFO to log "which key was used
to log in" for sccessful logins, see:
6247812c76/auth.c (L323-L328)

Also update description to the wording of the sshd_config man page.

`fail2ban` needs, sshd to be "VERBOSE" to work well, thus
the `fail2ban` module sets it to "VERBOSE" if enabled.

The docs are updated accordingly.
2021-06-23 01:49:11 +02:00
Robert Hensing
dab747106e nixos/ssh: Document authorizedKeysFiles properly 2021-06-15 12:23:09 +02:00
Robert Hensing
8352cc9a23 nixos/ssh: Add an example of verbatim keys
This confused someone on SO.
2021-06-15 11:51:41 +02:00
Maximilian Bosch
951e6988ac
Merge pull request #104543 from chkno/sftpServerExecutable
nixos/sshd: Option to set the sftp server executable
2021-06-04 10:16:20 +02:00
Fritz Otlinghaus
295de63e90
nixos/lshd: add types 2021-01-31 11:27:20 +01:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
adisbladis
ba1fa0c604
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.
2020-11-24 02:47:07 +01:00
Scott Worley
13dbcb3f19 nixos/sshd: Option to set the sftpServerExecutable 2020-11-21 16:06:09 -08:00
Masanori Ogino
8875db4976 nixos/sshd: update kexAlgorithms, fix links
The `curve25519-sha256` key exchange method is defined in RFC 8731 that
is identical to curve25519-sha256@libssh.org. OpenSSH supports the
method since version 7.4, released on 2016-12-19. It is literally a
violation of the "both in Secure Secure Shell and Mozilla guidelines"
rule, but it provides essentially the same but a future-proof default.

Also, links to the Mozilla OpenSSH guidelines are updated to refer to
the current place.

Signed-off-by: Masanori Ogino <167209+omasanori@users.noreply.github.com>
2020-10-21 07:39:50 +09:00
Silvan Mosberger
f822080b05
Merge pull request #68887 from teto/ssh_banner
services.openssh: add banner item
2020-09-06 22:15:25 +02:00
Matthieu Coudron
1835fc455b services.openssh: add banner
Add the possibility to setup a banner.

Co-authored-by: Silvan Mosberger <github@infinisil.com>
2020-09-06 21:32:20 +02:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Dominik Xaver Hörl
c10d82358f treewide: add types to boolean / enable options or make use of mkEnableOption 2020-04-27 09:32:01 +02:00
Dominik Xaver Hörl
0412bde942 treewide: add bool type to enable options, or make use of mkEnableOption
Add missing type information to manually specified enable options or replace them by mkEnableOption where appropriate.
2020-04-21 08:55:36 +02:00
Frederik Rietdijk
518d5be4f5 ssh validationPackage is a single value, not a list 2020-04-05 13:04:25 +02:00
adisbladis
c00777042f
Merge pull request #82620 from aanderse/ssh-silent
nixos/ssh: silence ssh-keygen during configuration validation
2020-03-15 01:21:38 +00:00
Aaron Andersen
f383fa344e nixos/sshd: only include AuthorizedKeysCommand and AuthorizedKeysCommandUser options if explicitly set 2020-03-14 19:50:11 -04:00
Aaron Andersen
f5951f520c nixos/ssh: silence ssh-keygen during configuration validation 2020-03-14 19:37:30 -04:00
Aaron Andersen
dbe59eca84 nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options 2020-03-12 21:00:12 -04:00
Silvan Mosberger
4ee3e8b21d
nixos/treewide: Move rename.nix imports to their respective modules
A centralized list for these renames is not good because:
- It breaks disabledModules for modules that have a rename defined
- Adding/removing renames for a module means having to find them in the
central file
- Merge conflicts due to multiple people editing the central file
2019-12-10 02:51:19 +01:00
danbst
0f8596ab3f mass replace "flip map -> forEach"
See `forEach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /forEach /g'
```
2019-08-05 14:03:38 +03:00
danbst
91bb646e98 Revert "mass replace "flip map -> foreach""
This reverts commit 3b0534310c.
2019-08-05 14:01:45 +03:00
danbst
3b0534310c mass replace "flip map -> foreach"
See `foreach`-introduction commit.
```
rg 'flip map ' --files-with-matches | xargs sed -i 's/flip map /foreach /g'
```
2019-07-14 13:46:10 +03:00
Samuel Dionne-Riel
861bbbcb3c nixos/sshd: fixes validation for cross-compilation
See https://github.com/NixOS/nixpkgs/pull/62853
2019-06-15 00:56:42 -04:00
Franz Pletz
eb7c11d552
Merge pull request #58718 from Ma27/validate-ssh-configs
nixos/sshd: validate ssh configs during build
2019-05-24 18:30:04 +00:00
Maximilian Bosch
00a5222499
nixos/sshd: validate ssh configs during build
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
2019-05-24 20:16:53 +02:00
Aneesh Agrawal
24ae4ae604 nixos/sshd: Remove obsolete Protocol options (#59136)
OpenSSH removed server side support for the v.1 Protocol
in version 7.4: https://www.openssh.com/txt/release-7.4,
making this option a no-op.
2019-04-08 09:49:31 +02:00
Nikita Uvarov
131e31cd1b
sshd: fix startWhenNeeded and listenAddresses combination
Previously, if startWhenNeeded was set, listenAddresses option was
ignored and daemon was listening on all interfaces.
Fixes #56325.
2019-02-25 00:51:58 +01:00
danbst
27982b408e types.optionSet: deprecate and remove last usages 2019-01-31 00:41:10 +02:00
ajs124
325e314aae
sshd: Add restartTrigger for sshd_config
Co-Authored-By: Franz Pletz <fpletz@fnordicwalking.de>
2019-01-02 20:11:01 +01:00
Daniel Rutz
c98a7bf8f2 nixos/sshd: Use port type instead of int
This change leads to an additional check of the port number at build time, making invalid port values impossible.
2018-10-18 23:42:20 +02:00
volth
2e979e8ceb [bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00
Franz Pletz
ea9078b76b
Merge pull request #41745 from rvolosatovs/fix/sshd
nixos: Add more ssh-keygen params
2018-07-14 16:29:46 +00:00
Florian Klink
fff5923686 nixos/modules: users.(extraUsers|extraGroup->users|group) 2018-06-30 03:02:58 +02:00
Roman Volosatovs
1846a85b77
sshd: Add issue references to services.openssh.authorizedKeysFiles 2018-06-12 18:30:53 +02:00
Roman Volosatovs
9953edaf75
sshd: Support more ssh-keygen parameters 2018-06-12 18:26:20 +02:00
Izorkin
9ef30fd56a sshd: change location of config file (#41744)
create symlink /etc/ssh/sshd_config
2018-06-10 01:39:06 +02:00
Izorkin
ad11b960e9 sshd: add custom options 2018-05-19 11:52:00 +03:00
Silvan Mosberger
ee3fd4ad53
nixos/sshd: add options for kexAlgorithms, ciphers and MACs 2018-04-20 19:05:19 +02:00
Eelco Dolstra
6bc889205a
sshd: Remove UsePrivilegeSeparation option
This option is deprecated, see https://www.openssh.com/txt/release-7.5.
2018-02-08 13:32:55 +01:00
Leon Schuermann
c61a9dfd2e
sshd: provide option to disable firewall altering 2018-01-18 22:55:28 +08:00
Dmitry Moskowski
ed26bc5931
sshd: Start after network target 2017-12-24 14:57:14 +00:00
Tim Steinbach
48252b15b9
sshd: Remove ripemd160 MACs
They are invalid for our OpenSSH
2017-11-21 09:36:51 -05:00
jeaye
2a8bd9e2a1
nixos/ssh: Harden config defaults 2017-11-16 20:25:37 -08:00
jeaye
ec80c92825
nixos/ssh: Remove support for old host keys 2017-11-16 20:25:22 -08:00
Peter Hoeg
07bc859e9a Revert "ssh: deprecate use of old DSA keys"
This reverts commit 65b73d71cb.
2017-10-14 14:42:49 +08:00
Peter Hoeg
65b73d71cb ssh: deprecate use of old DSA keys
They are not safe and shouldn't be used.
2017-10-14 14:38:04 +08:00
Franz Pletz
dc08dcf6e7
ssh service: add sftpFlags option 2017-09-18 21:52:07 +02:00
Joachim Schiele
3d52203ab2 sshd.nix: Added nixops usage warning of openssh.authorizedKeys.keys usage 2017-06-22 11:50:09 +02:00
Aneesh Agrawal
769b991be6 openssh: 7.4p1 -> 7.5p1
Release notes are available at https://www.openssh.com/txt/release-7.5.
Mostly a bugfix release, no major backwards-incompatible changes.

Remove deprecated `UsePrivilegeSeparation` option,
which is now mandatory.
2017-04-10 19:39:22 -04:00
Eelco Dolstra
80b40fdf03
sshd.nix: Alternative fix for #19589
AFAICT, this issue only occurs when sshd is socket-activated. It turns
out that the preStart script's stdout and stderr are connected to the
socket, not just the main command's. So explicitly connect stderr to
the journal and redirect stdout to stderr.
2017-03-31 16:18:58 +02:00
Eelco Dolstra
4e79b0b075
Revert "sshd: separate key generation into another service"
This reverts commit 1a74eedd07. It
breaks NixOps, which expects that

  rm -f /etc/ssh/ssh_host_ed25519_key*
  systemctl restart sshd
  cat /etc/ssh/ssh_host_ed25519_key.pub

works.
2017-03-31 16:18:58 +02:00
Graham Christensen
8ed4c8b73b
openssh: 7.4p1 no longer backgrounds when systemd is starting it. 2016-12-29 17:04:46 -05:00
Eelco Dolstra
d69dce080d
Fix setting programs.ssh.setXAuthLocation
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
2016-11-21 16:19:51 +01:00
Anmol Sethi
1a74eedd07 sshd: separate key generation into another service
Fixes #19589
2016-10-20 23:14:37 -04:00
Joachim F
0906a0f197 Merge pull request #18491 from groxxda/network-interfaces
Replace Network-interfaces.target
2016-10-02 16:34:37 +02:00
Jörg Thalheim
cd673d3c26 Merge pull request #19138 from nhooyr/openssh
openssh: support prohibit-password for permitRootLogin
2016-10-02 15:26:21 +02:00
Anmol Sethi
6891bb1c59
openssh: support prohibit-password for permitRootLogin
See 1dc8d93ce6

I also made it the default.
2016-10-01 13:23:56 -04:00
Alexander Ried
60430b140c lshd service: remove use of network-interfaces.target 2016-09-13 11:19:22 +02:00
Eric Sagnes
48d6fa933c sshd module: optionSet -> submodule 2016-09-13 12:53:11 +09:00
Eelco Dolstra
520cb14f16 Fix infinite recursion introduced by f3c32cb2c1 2016-09-05 18:17:22 +02:00
Eelco Dolstra
f3c32cb2c1 Let services.openssh.forwardX11 imply programs.ssh.setXAuthLocation 2016-09-05 15:38:42 +02:00
Peter Hoeg
c4cba0e51f ssh module: ignore exit code when socket activated
sshd will at times fail when exiting. When socket activated, this will
leave a number of sshd@ service instances in the failed state, so we
simply ignore the error code if we are running socket activated.

Recommended by upstream:
http://systemd-devel.freedesktop.narkive.com/d0eapMCG/socket-activated-sshd-service-showing-up-as-a-failure-when-the-client-connection-fails

Fixes: #3279
2016-08-04 16:47:44 +08:00
Данило Глинський (Danylo Hlynskyi)
bc2fe9f2cd typo in authorizedKeysFiles 2016-05-12 18:01:17 +03:00
Aneesh Agrawal
bb39304ce6 openssh: use bin instead of sbin folder
References #11939.
2016-03-05 23:56:32 -05:00
Eelco Dolstra
d9d6a92d5e sshd.nix: Ensure global config goes before user Match blocks
Hopefully fixes #13393.
2016-02-23 18:03:33 +01:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
Robin Gloster
88292fdf09 jobs -> systemd.services 2016-01-07 06:39:06 +00:00
Eelco Dolstra
14321ae243 Rename users.extraUsers -> users.users, users.extraGroup -> users.groups
The "extra" part hasn't made sense for years.
2015-09-02 17:34:23 +02:00
Eelco Dolstra
287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
2015-08-27 15:32:46 +02:00
Eelco Dolstra
401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
Eelco Dolstra
1f2eef5ae9 openssh: Re-enable DSA client keys
This was broken by a8eb2a6a81.
2015-08-18 13:11:45 +02:00
Eelco Dolstra
a5b83c3573 sshd: Use RSA and ED25519 host keys
Closes #7939.
2015-07-27 20:30:10 +02:00
Eelco Dolstra
7b38cb699d services.openssh.knownHosts.*.publicKey: Update description and add example
Note that it's no longer allowed to have multiple public keys
separated by a newline.
2015-07-13 16:21:57 +02:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
Peter Simons
86d299bc6e nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes
how to generate your own moduli file. The following script might also be helpful:

 | #! /usr/bin/env bash
 |
 | moduliFiles=()
 |
 | generateModuli()
 | {
 |   ssh-keygen -G "moduli-$1.candidates" -b "$1"
 |   ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates"
 |   rm "moduli-$1.candidates"
 | }
 |
 | for (( i=0 ; i <= 16 ; ++i )); do
 |   let bitSize="2048 + i * 128"
 |   generateModuli "$bitSize" &
 |   moduliFiles+=( "moduli-$bitSize" )
 | done
 | wait
 |
 | echo >moduli "# Time Type Tests Tries Size Generator Modulus"
 | cat >>moduli "${moduliFiles[@]}"
 | rm "${moduliFiles[@]}"

Note that generating moduli takes a long time, i.e. several hours on a fast
machine!

This patch resolves https://github.com/NixOS/nixpkgs/pull/5870.
2015-05-22 16:28:45 +02:00
Eelco Dolstra
fc8011ad8d Ensure that nscd, sshd are created as system users
c0f70b4694 removed the fixed uid
assignment, but then it becomes necessary to set isSystemUser.

http://hydra.nixos.org/build/22182588
2015-05-13 16:23:36 +02:00
Nicolas B. Pierron
7585d42d2b Fix #7354 - Accept _module attributes added to every submodule. 2015-04-20 23:58:32 +02:00
Eelco Dolstra
c0f70b4694 Remove fixed uids for nscd, sshd
These services don't create files on disk, let alone on a network
filesystem, so they don't really need a fixed uid. And this also gets
rid of a warning coming from <= 14.12 systems.
2015-04-19 22:06:45 +02:00
Jan Malakhovski
5c6d86540b nixos: use types.enum instead of ad-hoc check in sshd service 2015-03-26 12:43:42 +00:00
Eelco Dolstra
d31202fba2 sshd: Enable seccomp sandboxing 2015-03-09 11:27:19 +01:00
Eelco Dolstra
b70bd0879b sshd: Generate a ed25519 host key 2015-02-23 17:00:07 +01:00
Vladimír Čunát
72d2d59cd4 /etc/ssh/ssh_known_hosts: refactor and fix #5612
Generating the file was refactored to be completely in nix.
Functionally it should create the same content as before,
only adding the newlines.

CC recent updaters: @aszlig, @rickynils.
2015-01-11 22:14:25 +01:00
aszlig
2249474632
nixos/sshd: Fix build if knownHosts is empty.
Introduced by 77ff279f27.

Build failure: https://headcounter.org/hydra/build/583158/nixlog/5/raw

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-11-27 19:03:41 +01:00
Rickard Nilsson
77ff279f27 nixos/services.openssh: Allow knownHost keys to have multiple lines.
Useful for adding several public keys of different types for the same host.
2014-11-27 18:40:21 +01:00
William A. Kennington III
bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Vladimir Still
13bbce96c3 sshd: Fix typo in assetion. 2014-09-02 10:06:04 +02:00