nixos/modules/programs/ssh.nix at 23.05-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / programs / ssh.nix
at 23.05-pre 15 kB view raw
  1# Global configuration for the SSH client.
  2
  3{ config, lib, pkgs, ... }:
  4
  5with lib;
  6
  7let
  8
  9  cfg  = config.programs.ssh;
 10
 11  askPassword = cfg.askPassword;
 12
 13  askPasswordWrapper = pkgs.writeScript "ssh-askpass-wrapper"
 14    ''
 15      #! ${pkgs.runtimeShell} -e
 16      export DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^DISPLAY=\(.*\)/\1/; t; d')"
 17      export WAYLAND_DISPLAY="$(systemctl --user show-environment | ${pkgs.gnused}/bin/sed 's/^WAYLAND_DISPLAY=\(.*\)/\1/; t; d')"
 18      exec ${askPassword} "$@"
 19    '';
 20
 21  knownHosts = attrValues cfg.knownHosts;
 22
 23  knownHostsText = (flip (concatMapStringsSep "\n") knownHosts
 24    (h: assert h.hostNames != [];
 25      optionalString h.certAuthority "@cert-authority " + concatStringsSep "," h.hostNames + " "
 26      + (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)
 27    )) + "\n";
 28
 29  knownHostsFiles = [ "/etc/ssh/ssh_known_hosts" "/etc/ssh/ssh_known_hosts2" ]
 30    ++ map pkgs.copyPathToStore cfg.knownHostsFiles;
 31
 32in
 33{
 34  ###### interface
 35
 36  options = {
 37
 38    programs.ssh = {
 39
 40      enableAskPassword = mkOption {
 41        type = types.bool;
 42        default = config.services.xserver.enable;
 43        defaultText = literalExpression "config.services.xserver.enable";
 44        description = lib.mdDoc "Whether to configure SSH_ASKPASS in the environment.";
 45      };
 46
 47      askPassword = mkOption {
 48        type = types.str;
 49        default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass";
 50        defaultText = literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"'';
 51        description = lib.mdDoc "Program used by SSH to ask for passwords.";
 52      };
 53
 54      forwardX11 = mkOption {
 55        type = types.bool;
 56        default = false;
 57        description = lib.mdDoc ''
 58          Whether to request X11 forwarding on outgoing connections by default.
 59          This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
 60          Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
 61          Note: there are some security risks to forwarding an X11 connection.
 62          NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
 63          To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
 64          The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
 65        '';
 66      };
 67
 68      setXAuthLocation = mkOption {
 69        type = types.bool;
 70        description = lib.mdDoc ''
 71          Whether to set the path to {command}`xauth` for X11-forwarded connections.
 72          This causes a dependency on X11 packages.
 73        '';
 74      };
 75
 76      pubkeyAcceptedKeyTypes = mkOption {
 77        type = types.listOf types.str;
 78        default = [];
 79        example = [ "ssh-ed25519" "ssh-rsa" ];
 80        description = lib.mdDoc ''
 81          Specifies the key types that will be used for public key authentication.
 82        '';
 83      };
 84
 85      hostKeyAlgorithms = mkOption {
 86        type = types.listOf types.str;
 87        default = [];
 88        example = [ "ssh-ed25519" "ssh-rsa" ];
 89        description = lib.mdDoc ''
 90          Specifies the host key algorithms that the client wants to use in order of preference.
 91        '';
 92      };
 93
 94      extraConfig = mkOption {
 95        type = types.lines;
 96        default = "";
 97        description = lib.mdDoc ''
 98          Extra configuration text prepended to {file}`ssh_config`. Other generated
 99          options will be added after a `Host *` pattern.
100          See {manpage}`ssh_config(5)`
101          for help.
102        '';
103      };
104
105      startAgent = mkOption {
106        type = types.bool;
107        default = false;
108        description = lib.mdDoc ''
109          Whether to start the OpenSSH agent when you log in.  The OpenSSH agent
110          remembers private keys for you so that you don't have to type in
111          passphrases every time you make an SSH connection.  Use
112          {command}`ssh-add` to add a key to the agent.
113        '';
114      };
115
116      agentTimeout = mkOption {
117        type = types.nullOr types.str;
118        default = null;
119        example = "1h";
120        description = lib.mdDoc ''
121          How long to keep the private keys in memory. Use null to keep them forever.
122        '';
123      };
124
125      agentPKCS11Whitelist = mkOption {
126        type = types.nullOr types.str;
127        default = null;
128        example = literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"'';
129        description = lib.mdDoc ''
130          A pattern-list of acceptable paths for PKCS#11 shared libraries
131          that may be used with the -s option to ssh-add.
132        '';
133      };
134
135      package = mkOption {
136        type = types.package;
137        default = pkgs.openssh;
138        defaultText = literalExpression "pkgs.openssh";
139        description = lib.mdDoc ''
140          The package used for the openssh client and daemon.
141        '';
142      };
143
144      knownHosts = mkOption {
145        default = {};
146        type = types.attrsOf (types.submodule ({ name, config, options, ... }: {
147          options = {
148            certAuthority = mkOption {
149              type = types.bool;
150              default = false;
151              description = lib.mdDoc ''
152                This public key is an SSH certificate authority, rather than an
153                individual host's key.
154              '';
155            };
156            hostNames = mkOption {
157              type = types.listOf types.str;
158              default = [ name ] ++ config.extraHostNames;
159              defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}";
160              description = lib.mdDoc ''
161                A list of host names and/or IP numbers used for accessing
162                the host's ssh service. This list includes the name of the
163                containing `knownHosts` attribute by default
164                for convenience. If you wish to configure multiple host keys
165                for the same host use multiple `knownHosts`
166                entries with different attribute names and the same
167                `hostNames` list.
168              '';
169            };
170            extraHostNames = mkOption {
171              type = types.listOf types.str;
172              default = [];
173              description = lib.mdDoc ''
174                A list of additional host names and/or IP numbers used for
175                accessing the host's ssh service. This list is ignored if
176                `hostNames` is set explicitly.
177              '';
178            };
179            publicKey = mkOption {
180              default = null;
181              type = types.nullOr types.str;
182              example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg==";
183              description = lib.mdDoc ''
184                The public key data for the host. You can fetch a public key
185                from a running SSH server with the {command}`ssh-keyscan`
186                command. The public key should not include any host names, only
187                the key type and the key itself.
188              '';
189            };
190            publicKeyFile = mkOption {
191              default = null;
192              type = types.nullOr types.path;
193              description = lib.mdDoc ''
194                The path to the public key file for the host. The public
195                key file is read at build time and saved in the Nix store.
196                You can fetch a public key file from a running SSH server
197                with the {command}`ssh-keyscan` command. The content
198                of the file should follow the same format as described for
199                the `publicKey` option. Only a single key
200                is supported. If a host has multiple keys, use
201                {option}`programs.ssh.knownHostsFiles` instead.
202              '';
203            };
204          };
205        }));
206        description = lib.mdDoc ''
207          The set of system-wide known SSH hosts. To make simple setups more
208          convenient the name of an attribute in this set is used as a host name
209          for the entry. This behaviour can be disabled by setting
210          `hostNames` explicitly. You can use
211          `extraHostNames` to add additional host names without
212          disabling this default.
213        '';
214        example = literalExpression ''
215          {
216            myhost = {
217              extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
218              publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
219            };
220            "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
221            "myhost2.net/dsa" = {
222              hostNames = [ "myhost2.net" ];
223              publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
224            };
225          }
226        '';
227      };
228
229      knownHostsFiles = mkOption {
230        default = [];
231        type = with types; listOf path;
232        description = lib.mdDoc ''
233          Files containing SSH host keys to set as global known hosts.
234          `/etc/ssh/ssh_known_hosts` (which is
235          generated by {option}`programs.ssh.knownHosts`) and
236          `/etc/ssh/ssh_known_hosts2` are always
237          included.
238        '';
239        example = literalExpression ''
240          [
241            ./known_hosts
242            (writeText "github.keys" '''
243              github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
244              github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
245              github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
246            ''')
247          ]
248        '';
249      };
250
251      kexAlgorithms = mkOption {
252        type = types.nullOr (types.listOf types.str);
253        default = null;
254        example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
255        description = lib.mdDoc ''
256          Specifies the available KEX (Key Exchange) algorithms.
257        '';
258      };
259
260      ciphers = mkOption {
261        type = types.nullOr (types.listOf types.str);
262        default = null;
263        example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
264        description = lib.mdDoc ''
265          Specifies the ciphers allowed and their order of preference.
266        '';
267      };
268
269      macs = mkOption {
270        type = types.nullOr (types.listOf types.str);
271        default = null;
272        example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ];
273        description = lib.mdDoc ''
274          Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used
275          for data integrity protection.
276        '';
277      };
278    };
279
280  };
281
282  config = {
283
284    programs.ssh.setXAuthLocation =
285      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
286
287    assertions =
288      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
289          message = "cannot enable X11 forwarding without setting XAuth location";
290        }
291      ] ++ flip mapAttrsToList cfg.knownHosts (name: data: {
292        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
293                    (data.publicKey != null && data.publicKeyFile == null);
294        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
295      });
296
297    # SSH configuration. Slight duplication of the sshd_config
298    # generation in the sshd service.
299    environment.etc."ssh/ssh_config".text =
300      ''
301        # Custom options from `extraConfig`, to override generated options
302        ${cfg.extraConfig}
303
304        # Generated options from other settings
305        Host *
306        AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
307        GlobalKnownHostsFile ${concatStringsSep " " knownHostsFiles}
308
309        ${optionalString cfg.setXAuthLocation ''
310          XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
311        ''}
312
313        ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
314
315        ${optionalString (cfg.pubkeyAcceptedKeyTypes != []) "PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}"}
316        ${optionalString (cfg.hostKeyAlgorithms != []) "HostKeyAlgorithms ${concatStringsSep "," cfg.hostKeyAlgorithms}"}
317        ${optionalString (cfg.kexAlgorithms != null) "KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}"}
318        ${optionalString (cfg.ciphers != null) "Ciphers ${concatStringsSep "," cfg.ciphers}"}
319        ${optionalString (cfg.macs != null) "MACs ${concatStringsSep "," cfg.macs}"}
320      '';
321
322    environment.etc."ssh/ssh_known_hosts".text = knownHostsText;
323
324    # FIXME: this should really be socket-activated for über-awesomeness.
325    systemd.user.services.ssh-agent = mkIf cfg.startAgent
326      { description = "SSH Agent";
327        wantedBy = [ "default.target" ];
328        unitConfig.ConditionUser = "!@system";
329        serviceConfig =
330          { ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";
331            ExecStart =
332                "${cfg.package}/bin/ssh-agent " +
333                optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
334                optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ") +
335                "-a %t/ssh-agent";
336            StandardOutput = "null";
337            Type = "forking";
338            Restart = "on-failure";
339            SuccessExitStatus = "0 2";
340          };
341        # Allow ssh-agent to ask for confirmation. This requires the
342        # unit to know about the user's $DISPLAY (via ‘systemctl
343        # import-environment’).
344        environment.SSH_ASKPASS = optionalString cfg.enableAskPassword askPasswordWrapper;
345        environment.DISPLAY = "fake"; # required to make ssh-agent start $SSH_ASKPASS
346      };
347
348    environment.extraInit = optionalString cfg.startAgent
349      ''
350        if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
351          export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
352        fi
353      '';
354
355    environment.variables.SSH_ASKPASS = optionalString cfg.enableAskPassword askPassword;
356
357  };
358}