Commit Graph

64 Commits

Author SHA1 Message Date
Kazutoshi Noguchi
67246fbffa nixos/ssh: pass WAYLAND_DISPLAY to ssh-askpass 2022-10-11 00:15:49 +09:00
pennae
6039648c50 nixos/*: automatically convert option docs 2022-08-19 22:40:58 +02:00
pennae
16102dce2f nixos/*: replace <code> in option docs with <literal>
markdown can't represent the difference without another extension and
both the html manual and the manpage render them the same, so keeping the
distinction is not very useful on its own. with the distinction removed
we can automatically convert many options that use <code> tags to markdown.

the manpage remains unchanged, html manual does not render
differently (but class names on code tags do change from "code" to "literal").
2022-08-03 21:03:23 +02:00
pennae
2e751c0772 treewide: automatically md-convert option descriptions
the conversion procedure is simple:

 - find all things that look like options, ie calls to either `mkOption`
   or `lib.mkOption` that take an attrset. remember the attrset as the
   option
 - for all options, find a `description` attribute who's value is not a
   call to `mdDoc` or `lib.mdDoc`
 - textually convert the entire value of the attribute to MD with a few
   simple regexes (the set from mdize-module.sh)
 - if the change produced a change in the manual output, discard
 - if the change kept the manual unchanged, add some text to the
   description to make sure we've actually found an option. if the
   manual changes this time, keep the converted description

this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
2022-07-30 15:16:34 +02:00
pennae
e9f17a9f45 nixos/ssh: undeprecate knownHosts.«name».hostNames
hostNames being deprecated makes configuring hosts with multiple keys a
pain. including the attr name of the entry in the host name list is a
nice convenience though, so we'll retain it and clarify the
documentation on how the actual host name list for an entry is put
together.
2022-03-19 01:36:59 +01:00
Taeer Bar-Yam
552b80dc51
add defaultText
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-19 09:39:50 -05:00
Taeer Bar-Yam
aa99bd69f0
fix punctuation
Co-authored-by: pennae <82953136+pennae@users.noreply.github.com>
2022-01-19 09:38:13 -05:00
Taeer Bar-Yam
8fa2e787f1 modules/programs/ssh: knownHosts -> extraKnownHosts 2022-01-19 08:48:41 -05:00
Alyssa Ross
262447705c nixos/ssh: add programs.ssh.knownHostsFiles option
The programs.ssh.knownHosts.*.publicKeyFile is broken, because it's
scoped to a set of host names, but to insert those host names on each
line of the file we'd have to parse out blank lines and comments, so
only the first line works.  It would be much easier all round if users
just provided known hosts files in the normal format, and we pointed
ssh directly to them.  This way, it would be possible to have multiple
keys for a single host (which is extremely common due to multiple
algorithms being commonplace).

We add an option for this instead of relying on extraConfig, because
we need to make sure /etc/ssh/ssh_known_hosts is always included to
ensure programs.ssh.knownHosts keeps working.
/etc/ssh/ssh_known_hosts2 is another OpenSSH default that seems a bit
weird, but there's no real reason to change that so we'll leave it.
2022-01-11 20:02:26 +00:00
Andrew Marshall
f10aea2434 nixos/ssh: Add enableAskPassword
Previously, this was only implicitly enabled if xserver.enable = true.
However, Wayland-based desktops do not require this, and so configuring
SSH_ASKPASS on a Wayland desktop becomes cumbersome. This simplifies
that by adding a new option that defaults to the old conditional.
2021-12-18 12:13:02 -05:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Sergey Vlasov
20b1d07a4f nixos/ssh: fix passing arguments to ssh-askpass
The wrapper for ssh-askpass did not pass arguments to the real
ssh-askpass, therefore the generic "Please enter your authentication
passphrase" prompt was displayed for all requests (including the key
usage confirmation requests, which don't need the passphrase), and some
important information such as the key name was not displayed.
2021-06-18 22:19:03 +03:00
volth
bc0d605cf1 treewide: fix double quoted strings in meta.description
Signed-off-by: Ben Siraphob <bensiraphob@gmail.com>
2021-01-24 19:56:59 +07:00
rnhmjoj
20d491a317
treewide: completely remove types.loaOf 2020-09-02 00:42:50 +02:00
Izorkin
1086ae52fb nixos/ssh: add crypto options 2020-06-08 22:10:36 +03:00
Alyssa Ross
387b9bf352
nixos/ssh: don't accept ssh-dss keys
These have been deprecated long enough.  I think this default was even
made non-functional by 2337c7522a.  But
it's still a scary thing to see there.

Fixes https://github.com/NixOS/nixpkgs/issues/33381.
2020-04-07 13:35:51 +00:00
Philip Potter
ce7d4e40f0
ssh-agent: fix syntax problem from #71139
Oops, in #71139 a missing `+` broke things quite badly.  Thanks @lzorkin for the
report and @mebubo for diagnosing the problem.
2019-11-07 22:13:18 +00:00
Philip Potter
8120184bf1 ssh-agent: add agentPKCS11Whitelist option
If you want to be able to use OpenSC with ssh-agent, you need to be able
to add it to the ssh-agent whitelist.  This adds an option,
agentPKCS11Whitelist, that exposes the option.

Note that I currently work around this by injecting the parameter into
the agentTimeout option:

    programs.ssh.agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so";

but I feel that a proper option would be better :)
2019-10-14 20:45:28 +01:00
Peter Hoeg
f2639566b5
Merge pull request #30712 from peterhoeg/f/service
systemd user services shouldn't run as root and other "non-interactive" users
2019-08-02 11:58:27 +08:00
edef
1c9a2d4d7f nixos/programs/ssh: allow specifying known host CAs 2019-07-21 14:23:41 +00:00
Kai Wohlfahrt
de7abf63b8 nixos/ssh: apply options after extraConfig
Otherwise, the standard options (e.g. AddressFamily) cannot be overriden
in extraConfig, as the option is applied on the first (not most
specific) match. Closes #52267
2019-02-18 21:58:46 +00:00
Florian Klink
4f11c06fac programs.ssh.knownHosts: update example to be an attrset
We shouldn't encourage using a list here, but prefer the attrset.
Using a list here causes very unintuitive effects during merging.
2019-01-18 15:33:07 +01:00
Daiderd Jordan
9d72403814
ssh: fix 3572f89bbe 2018-07-21 13:06:16 +02:00
Daiderd Jordan
3572f89bbe
ssh: don't add empty PubkeyAcceptedKeyTypes/HostKeyAlgorithms
The options introduced in e2444a433f would generate a broken
ssh config when set to an empty list.

/etc/ssh/ssh_config line 7: Missing argument.
2018-07-21 12:29:16 +02:00
Daiderd Jordan
e2444a433f
Merge pull request #40686 from Izorkin/ssh
ssh: custom config key types
2018-07-21 11:57:41 +02:00
Izorkin
05bc5fed28 ssh: custom config key types 2018-07-21 12:27:16 +03:00
volth
87f5930c3f [bot]: remove unreferenced code 2018-07-20 18:48:37 +00:00
Shea Levy
fec543436d
nixos: Move uses of stdenv.shell to runtimeShell. 2018-03-01 14:38:53 -05:00
mingchuan
e0318379ae nixos/ssh: fix example 2017-11-01 02:54:38 +08:00
Peter Hoeg
0f04bbdc31 ssh-agent: normal users only 2017-10-24 16:30:13 +08:00
Franz Pletz
994ffc01a0
ssh module: disable agent by default 2017-06-15 19:27:01 +02:00
Franz Pletz
1e95e114e5
nixos/xsession: use graphical systemd user target
While systemd suggests using the pre-defined graphical-session user
target, I found that this interface is difficult to use. Additionally,
no other major distribution, even in their unstable versions, currently
use this mechanism.

The window or desktop manager is supposed to run in a systemd user service
which activates graphical-session.target and the user services that are
binding to this target. The issue is that we can't elegantly pass the
xsession environment to the window manager session, in particular
whereas the PassEnvironment option does work for DISPLAY, it for some
mysterious reason won't for PATH.

This commit implements a new graphical user target that works just like
default.target. Services which should be run in a graphical session just
need to declare wantedBy graphical.target. The graphical target will be
activated in the xsession before executing the window or display manager.

Fixes #17858.
2017-05-29 15:05:28 +02:00
jammerful
d9df350695 ssh: Add Newline to KnownHostsText
SSH expects a new line at the end of known_hosts file.
Without a new line the next entry goes on the same line
as the last entry in known_hosts causing errors.
2017-05-15 23:49:43 -04:00
Eelco Dolstra
d69dce080d
Fix setting programs.ssh.setXAuthLocation
The configuration { services.openssh.enable = true;
services.openssh.forwardX11 = false; } caused
programs.ssh.setXAuthLocation to be set to false, which was not the
intent. The intent is that programs.ssh.setXAuthLocation should be
automatically enabled if needed or if xauth is already available.
2016-11-21 16:19:51 +01:00
Eelco Dolstra
f3c32cb2c1 Let services.openssh.forwardX11 imply programs.ssh.setXAuthLocation 2016-09-05 15:38:42 +02:00
Eelco Dolstra
3fb1708427 ssh: Fix support for ssh-dss host keys 2016-04-01 15:54:52 +02:00
Vladimír Čunát
4fede53c09 nixos manuals: bring back package references
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.

The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
2016-02-03 14:47:14 +01:00
Vladimír Čunát
889351af8b Revert "Merge #12357: nixos docs: show references to packages"
The PR wasn't good enough yet.
This reverts commit b2a37ceeea, reversing
changes made to 7fa9a1abce.
2016-02-03 12:16:33 +01:00
Vladimír Čunát
b2a37ceeea Merge #12357: nixos docs: show references to packages 2016-02-03 10:07:27 +01:00
Eelco Dolstra
a7b7ac8bfb openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb67.
2016-02-01 16:31:43 +01:00
Reno Reckling
312bae7fc0 nixos-ssh: set SSH_ASKPASS globally and not just on interactive shells
If we limit SSH_ASKPASS to interactive shells, users are unable to trigger
the ssh-passphrase dialog from their desktop environment autostart scripts.
Usecase: I call ssh-add during my desktop environment autostart and want to have
the passphrase dialog immediately after startup.
For this to work, SSH_ASKPASS needs to be propagated properly on
non-interactive shells.
2016-01-24 11:18:30 +01:00
Thomas Strobel
a04a7272aa Add missing 'type', 'defaultText' and 'literalExample' in module definitions
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
2016-01-17 19:41:23 +01:00
Vladimír Čunát
3bcf8ae879 nixos manuals: bring back package references
This reverts most of 89e983786a, as those references are sanitized now.
Fixes #10039, at least most of it.

The `sane` case wasn't fixed, as it calls a *function* in pkgs to get
the default value.
2016-01-13 12:04:31 +01:00
Eelco Dolstra
89e983786a Manual: Remove store path references 2015-09-24 11:50:58 +02:00
Eelco Dolstra
f6eece6f8f programs.ssh.knownHosts: Use attribute name
This allows writing:

  programs.ssh.knownHosts."10.1.2.3".publicKey = "bar";

instead of

  programs.ssh.knownHosts = [ { hostNames = [ "10.1.2.3" ]; publicKey = "bar"; } ];
2015-08-27 15:32:46 +02:00
Eelco Dolstra
7c6ff6c1da programs.ssh.knownHosts: Use submodule 2015-08-27 15:32:46 +02:00
Eelco Dolstra
287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
2015-08-27 15:32:46 +02:00
Eelco Dolstra
401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
Eelco Dolstra
1f2eef5ae9 openssh: Re-enable DSA client keys
This was broken by a8eb2a6a81.
2015-08-18 13:11:45 +02:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00