2010-02-01 18:05:02 +01:00
|
|
|
{ config, pkgs, ... }:
|
|
|
|
|
|
|
|
with pkgs.lib;
|
2009-03-06 13:26:08 +01:00
|
|
|
|
2007-01-07 11:19:16 +01:00
|
|
|
let
|
2009-03-06 13:26:08 +01:00
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
cfg = config.services.openssh;
|
|
|
|
cfgc = config.programs.ssh;
|
2009-03-06 13:26:08 +01:00
|
|
|
|
|
|
|
nssModulesPath = config.system.nssModules.path;
|
2007-01-07 11:19:16 +01:00
|
|
|
|
2009-08-19 17:04:05 +02:00
|
|
|
permitRootLoginCheck = v:
|
|
|
|
v == "yes" ||
|
|
|
|
v == "without-password" ||
|
|
|
|
v == "forced-commands-only" ||
|
|
|
|
v == "no";
|
2009-03-06 13:26:08 +01:00
|
|
|
|
2012-02-22 21:28:54 +01:00
|
|
|
hostKeyTypeNames = {
|
|
|
|
dsa1024 = "dsa";
|
|
|
|
rsa1024 = "rsa";
|
|
|
|
ecdsa521 = "ecdsa";
|
|
|
|
};
|
|
|
|
|
|
|
|
hostKeyTypeBits = {
|
|
|
|
dsa1024 = 1024;
|
|
|
|
rsa1024 = 1024;
|
|
|
|
ecdsa521 = 521;
|
|
|
|
};
|
|
|
|
|
|
|
|
hktn = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeNames;
|
|
|
|
hktb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeBits;
|
|
|
|
|
2011-11-29 07:08:55 +01:00
|
|
|
userOptions = {
|
|
|
|
openssh.authorizedKeys = {
|
|
|
|
|
|
|
|
preserveExistingKeys = mkOption {
|
|
|
|
type = types.bool;
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
If this option is enabled, the keys specified in
|
|
|
|
<literal>keys</literal> and/or <literal>keyFiles</literal> will be
|
|
|
|
placed in a special section of the user's authorized_keys file
|
|
|
|
and any existing keys will be preserved. That section will be
|
|
|
|
regenerated each time NixOS is activated. However, if
|
|
|
|
<literal>preserveExisting</literal> isn't enabled, the complete file
|
|
|
|
will be generated, and any user modifications will be wiped out.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
keys = mkOption {
|
|
|
|
type = types.listOf types.string;
|
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
A list of verbatim OpenSSH public keys that should be inserted into the
|
|
|
|
user's authorized_keys file. You can combine the <literal>keys</literal> and
|
|
|
|
<literal>keyFiles</literal> options.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
keyFiles = mkOption {
|
2012-02-25 18:31:39 +01:00
|
|
|
#type = types.listOf types.string;
|
2011-11-29 07:08:55 +01:00
|
|
|
default = [];
|
|
|
|
description = ''
|
|
|
|
A list of files each containing one OpenSSH public keys that should be
|
|
|
|
inserted into the user's authorized_keys file. You can combine
|
|
|
|
the <literal>keyFiles</literal> and
|
|
|
|
<literal>keys</literal> options.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
mkAuthkeyScript =
|
|
|
|
let
|
2012-04-25 16:14:20 +02:00
|
|
|
marker1 = "### NixOS auto-added key. Do not edit!";
|
2011-11-29 07:08:55 +01:00
|
|
|
marker2 = "### NixOS will regenerate this file. Do not edit!";
|
|
|
|
users = map (userName: getAttr userName config.users.extraUsers) (attrNames config.users.extraUsers);
|
|
|
|
usersWithKeys = flip filter users (u:
|
|
|
|
length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0
|
|
|
|
);
|
|
|
|
userLoop = flip concatMapStrings usersWithKeys (u:
|
|
|
|
let
|
|
|
|
authKeys = concatStringsSep "," u.openssh.authorizedKeys.keys;
|
2012-04-25 17:44:47 +02:00
|
|
|
authKeyFiles = concatStringsSep " " u.openssh.authorizedKeys.keyFiles;
|
2011-11-29 07:08:55 +01:00
|
|
|
preserveExisting = if u.openssh.authorizedKeys.preserveExistingKeys then "true" else "false";
|
|
|
|
in ''
|
|
|
|
mkAuthKeysFile "${u.name}" "${authKeys}" "${authKeyFiles}" "${preserveExisting}"
|
|
|
|
''
|
|
|
|
);
|
|
|
|
in ''
|
|
|
|
mkAuthKeysFile() {
|
|
|
|
local userName="$1"
|
|
|
|
local authKeys="$2"
|
|
|
|
local authKeyFiles="$3"
|
|
|
|
local preserveExisting="$4"
|
|
|
|
|
2012-04-25 17:44:47 +02:00
|
|
|
eval authfile=~$userName/.ssh/authorized_keys
|
|
|
|
mkdir -p "$(dirname $authfile)"
|
|
|
|
touch "$authfile"
|
|
|
|
if [ "$preserveExisting" == false ]; then
|
|
|
|
rm -f "$authfile"
|
|
|
|
echo "${marker2}" > "$authfile"
|
|
|
|
else
|
|
|
|
sed -i '/${marker1}/ d' "$authfile"
|
|
|
|
fi
|
|
|
|
IFS=,
|
|
|
|
for f in $authKeys; do
|
|
|
|
echo "$f ${marker1}" >> "$authfile"
|
|
|
|
done
|
|
|
|
unset IFS
|
2011-11-29 07:08:55 +01:00
|
|
|
for f in $authKeyFiles; do
|
|
|
|
if [ -f "$f" ]; then
|
2012-04-25 17:44:47 +02:00
|
|
|
echo "$(cat "$f") ${marker1}" >> "$authfile"
|
2011-11-29 07:08:55 +01:00
|
|
|
fi
|
|
|
|
done
|
|
|
|
}
|
2012-04-25 17:44:47 +02:00
|
|
|
|
2011-11-29 07:08:55 +01:00
|
|
|
${userLoop}
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
2007-01-07 11:19:16 +01:00
|
|
|
in
|
2006-11-23 18:43:28 +01:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
{
|
2007-06-08 17:41:12 +02:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
###### interface
|
2011-07-12 12:34:30 +02:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
options = {
|
2011-07-12 12:34:30 +02:00
|
|
|
|
2010-03-11 18:02:49 +01:00
|
|
|
services.openssh = {
|
2009-07-15 17:53:39 +02:00
|
|
|
|
|
|
|
enable = mkOption {
|
|
|
|
default = false;
|
|
|
|
description = ''
|
2010-03-11 18:02:49 +01:00
|
|
|
Whether to enable the OpenSSH secure shell daemon, which
|
|
|
|
allows secure remote logins.
|
2009-07-15 17:53:39 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
forwardX11 = mkOption {
|
2012-03-25 17:42:05 +02:00
|
|
|
default = cfgc.setXAuthLocation;
|
2009-07-15 17:53:39 +02:00
|
|
|
description = ''
|
|
|
|
Whether to allow X11 connections to be forwarded.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
allowSFTP = mkOption {
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Whether to enable the SFTP subsystem in the SSH daemon. This
|
|
|
|
enables the use of commands such as <command>sftp</command> and
|
|
|
|
<command>sshfs</command>.
|
|
|
|
'';
|
|
|
|
};
|
2006-11-23 18:43:28 +01:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
permitRootLogin = mkOption {
|
|
|
|
default = "yes";
|
2009-08-19 17:04:05 +02:00
|
|
|
check = permitRootLoginCheck;
|
2009-07-15 17:53:39 +02:00
|
|
|
description = ''
|
|
|
|
Whether the root user can login using ssh. Valid values are
|
|
|
|
<literal>yes</literal>, <literal>without-password</literal>,
|
|
|
|
<literal>forced-commands-only</literal> or
|
|
|
|
<literal>no</literal>.
|
2009-12-11 01:51:13 +01:00
|
|
|
If without-password doesn't work try <literal>yes</literal>.
|
2009-07-15 17:53:39 +02:00
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
gatewayPorts = mkOption {
|
|
|
|
default = "no";
|
|
|
|
description = ''
|
|
|
|
Specifies whether remote hosts are allowed to connect to
|
|
|
|
ports forwarded for the client. See
|
|
|
|
<citerefentry><refentrytitle>sshd_config</refentrytitle>
|
|
|
|
<manvolnum>5</manvolnum></citerefentry>.
|
|
|
|
'';
|
|
|
|
};
|
2009-12-10 15:45:41 +01:00
|
|
|
|
|
|
|
ports = mkOption {
|
|
|
|
default = [22];
|
|
|
|
description = ''
|
|
|
|
Specifies on which ports the SSH daemon listens.
|
|
|
|
'';
|
|
|
|
};
|
2011-07-12 12:34:27 +02:00
|
|
|
|
|
|
|
usePAM = mkOption {
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Specifies whether the OpenSSH daemon uses PAM to authenticate
|
|
|
|
login attempts.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
|
|
|
passwordAuthentication = mkOption {
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Specifies whether password authentication is allowed. Note
|
|
|
|
that setting this value to <literal>false</literal> is most
|
|
|
|
probably not going to have the desired effect unless
|
|
|
|
<literal>usePAM</literal> is disabled as well.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2012-04-01 12:54:17 +02:00
|
|
|
challengeResponseAuthentication = mkOption {
|
|
|
|
default = true;
|
|
|
|
description = ''
|
|
|
|
Specifies whether challenge/response authentication is allowed.
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
|
2012-02-22 21:28:54 +01:00
|
|
|
hostKeyType = mkOption {
|
|
|
|
default = "dsa1024";
|
|
|
|
description = "Type of host key to generate (dsa1024/rsa1024/ecdsa521)";
|
|
|
|
};
|
|
|
|
|
2010-10-18 12:31:41 +02:00
|
|
|
extraConfig = mkOption {
|
|
|
|
default = "";
|
|
|
|
description = "Verbatim contents of <filename>sshd_config</filename>.";
|
|
|
|
};
|
2011-07-12 12:34:30 +02:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
};
|
|
|
|
|
2011-11-29 07:08:55 +01:00
|
|
|
users.extraUsers = mkOption {
|
|
|
|
options = [ userOptions ];
|
|
|
|
};
|
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
2010-03-11 18:02:49 +01:00
|
|
|
config = mkIf config.services.openssh.enable {
|
2009-07-15 17:53:39 +02:00
|
|
|
|
2010-02-01 18:05:02 +01:00
|
|
|
users.extraUsers = singleton
|
2010-03-11 19:07:20 +01:00
|
|
|
{ name = "sshd";
|
2009-05-29 16:25:56 +02:00
|
|
|
uid = config.ids.uids.sshd;
|
2009-03-06 13:26:13 +01:00
|
|
|
description = "SSH privilege separation user";
|
|
|
|
home = "/var/empty";
|
2009-07-15 17:53:39 +02:00
|
|
|
};
|
2009-03-06 13:26:13 +01:00
|
|
|
|
2010-02-01 18:05:02 +01:00
|
|
|
environment.etc = singleton
|
2010-03-11 18:02:49 +01:00
|
|
|
{ source = "${pkgs.openssh}/etc/ssh/moduli";
|
2010-02-01 18:05:02 +01:00
|
|
|
target = "ssh/moduli";
|
|
|
|
};
|
|
|
|
|
2010-03-11 18:02:53 +01:00
|
|
|
jobs.sshd = {
|
2006-11-23 18:43:28 +01:00
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
description = "OpenSSH server";
|
2007-01-15 18:19:41 +01:00
|
|
|
|
2009-11-06 16:46:56 +01:00
|
|
|
startOn = "started network-interfaces";
|
2006-11-23 18:43:28 +01:00
|
|
|
|
2010-05-09 14:45:57 +02:00
|
|
|
environment = {
|
|
|
|
LD_LIBRARY_PATH = nssModulesPath;
|
|
|
|
# Duplicated from bashrc. OpenSSH needs a patch for this.
|
|
|
|
LOCALE_ARCHIVE = "/var/run/current-system/sw/lib/locale/locale-archive";
|
|
|
|
};
|
2006-11-23 18:43:28 +01:00
|
|
|
|
2012-04-25 17:44:47 +02:00
|
|
|
path = [ pkgs.openssh pkgs.gnused ];
|
|
|
|
|
2009-07-15 17:53:39 +02:00
|
|
|
preStart =
|
|
|
|
''
|
2011-11-29 07:08:55 +01:00
|
|
|
${mkAuthkeyScript}
|
|
|
|
|
2009-03-06 13:26:08 +01:00
|
|
|
mkdir -m 0755 -p /etc/ssh
|
|
|
|
|
2012-02-22 21:28:54 +01:00
|
|
|
if ! test -f /etc/ssh/ssh_host_${hktn}_key; then
|
2012-04-25 17:44:47 +02:00
|
|
|
ssh-keygen -t ${hktn} -b ${toString hktb} -f /etc/ssh/ssh_host_${hktn}_key -N ""
|
2009-03-06 13:26:08 +01:00
|
|
|
fi
|
2009-07-15 17:53:39 +02:00
|
|
|
'';
|
|
|
|
|
2009-11-06 16:46:56 +01:00
|
|
|
daemonType = "fork";
|
|
|
|
|
2011-07-12 12:34:30 +02:00
|
|
|
exec =
|
2010-10-18 12:31:41 +02:00
|
|
|
''
|
2012-02-22 21:28:54 +01:00
|
|
|
${pkgs.openssh}/sbin/sshd -h /etc/ssh/ssh_host_${hktn}_key \
|
2010-10-18 12:31:41 +02:00
|
|
|
-f ${pkgs.writeText "sshd_config" cfg.extraConfig}
|
|
|
|
'';
|
2009-07-15 17:53:39 +02:00
|
|
|
};
|
2009-03-06 13:26:08 +01:00
|
|
|
|
2010-02-01 18:05:02 +01:00
|
|
|
networking.firewall.allowedTCPPorts = cfg.ports;
|
2010-10-18 12:31:41 +02:00
|
|
|
|
|
|
|
services.openssh.extraConfig =
|
|
|
|
''
|
|
|
|
Protocol 2
|
|
|
|
|
2011-07-12 12:34:27 +02:00
|
|
|
UsePAM ${if cfg.usePAM then "yes" else "no"}
|
2010-10-18 12:31:41 +02:00
|
|
|
|
|
|
|
${concatMapStrings (port: ''
|
|
|
|
Port ${toString port}
|
|
|
|
'') cfg.ports}
|
|
|
|
|
2012-03-25 17:42:05 +02:00
|
|
|
${optionalString cfgc.setXAuthLocation ''
|
|
|
|
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
|
|
|
|
''}
|
|
|
|
|
2010-10-18 12:31:41 +02:00
|
|
|
${if cfg.forwardX11 then ''
|
|
|
|
X11Forwarding yes
|
|
|
|
'' else ''
|
|
|
|
X11Forwarding no
|
|
|
|
''}
|
|
|
|
|
|
|
|
${optionalString cfg.allowSFTP ''
|
|
|
|
Subsystem sftp ${pkgs.openssh}/libexec/sftp-server
|
|
|
|
''}
|
|
|
|
|
|
|
|
PermitRootLogin ${cfg.permitRootLogin}
|
|
|
|
GatewayPorts ${cfg.gatewayPorts}
|
2011-07-12 12:34:27 +02:00
|
|
|
PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
|
2012-04-01 12:54:17 +02:00
|
|
|
ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
|
2010-10-18 12:31:41 +02:00
|
|
|
'';
|
|
|
|
|
2012-04-26 10:13:24 +02:00
|
|
|
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
|
2012-04-01 12:54:06 +02:00
|
|
|
message = "cannot enable X11 forwarding without setting xauth location";}];
|
2009-03-06 13:26:08 +01:00
|
|
|
};
|
2009-07-15 17:53:39 +02:00
|
|
|
|
2006-11-23 18:43:28 +01:00
|
|
|
}
|