nixpkgs/modules/programs/ssh.nix

# Global configuration for the SSH client.

{config, pkgs, ...}:

with pkgs.lib;

let cfg  = config.programs.ssh;
    cfgd = config.services.openssh;

in
{
  ###### interface

  options = {

    programs.ssh = {

      forwardX11 = mkOption {
        default = false;
        description = ''
          Whether to request X11 forwarding on outgoing connections by default.
          This is useful for running graphical programs on the remote machine and have them display to your local X11 server.
          Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.
          Note: there are some security risks to forwarding an X11 connection.
          NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.
          To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.
          The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
        '';
      };

      setXAuthLocation = mkOption {
        default = true;
        description = ''
          Whether to set the path to xauth for X11-forwarded connections.
          Pulls in X11 dependency.
        '';
      };
    };
  };

  assertions = [{ assertion = if cfg.forwardX11 then cfg.setXAuthLocation else true;
                  message = "cannot enable X11 forwarding without setting xauth location";}];

  config = {
    environment.etc =
      [ { # SSH configuration.  Slight duplication of the sshd_config
          # generation in the sshd service.
          source = pkgs.writeText "ssh_config" ''
            AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
            ${optionalString cfg.setXAuthLocation ''
              XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
            ''}
            ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
          '';
          target = "ssh/ssh_config";
        }
      ];
  };
}
* New directory modules/programs that contains system-wide configuration for specific programs. For instance, ssh.nix provides the configuration for the SSH client; ssmtp.nix provides the configuration for the `ssmtp' MTA. svn path=/nixos/branches/modular-nixos/; revision=15757 2009-05-28 01:59:14 +02:00			`# Global configuration for the SSH client.`

			`{config, pkgs, ...}:`

splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`with pkgs.lib;`

			`let cfg = config.programs.ssh;`
			`cfgd = config.services.openssh;`

			`in`
* New directory modules/programs that contains system-wide configuration for specific programs. For instance, ssh.nix provides the configuration for the SSH client; ssmtp.nix provides the configuration for the `ssmtp' MTA. svn path=/nixos/branches/modular-nixos/; revision=15757 2009-05-28 01:59:14 +02:00			`{`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`###### interface`

			`options = {`

			`programs.ssh = {`

			`forwardX11 = mkOption {`
Change the default value of programs.ssh.forwardX11 to false. Forwarding X11 to untrusted servers is extremely insecure; see for example http://www.hackinglinuxexposed.com/articles/20040705.html 2012-10-10 08:21:45 +02:00			`default = false;`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`description = ''`
			`Whether to request X11 forwarding on outgoing connections by default.`
			`This is useful for running graphical programs on the remote machine and have them display to your local X11 server.`
			`Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two.`
Fixed the documentation for programs.ssh.forwardX11 to account for the X11 SECURITY extension. 2012-11-18 20:05:18 +01:00			`Note: there are some security risks to forwarding an X11 connection.`
			`NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks.`
Change the default value of programs.ssh.forwardX11 to false. Forwarding X11 to untrusted servers is extremely insecure; see for example http://www.hackinglinuxexposed.com/articles/20040705.html 2012-10-10 08:21:45 +02:00			`To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh.`
Fixed the documentation for programs.ssh.forwardX11 to account for the X11 SECURITY extension. 2012-11-18 20:05:18 +01:00			`The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.`
* New directory modules/programs that contains system-wide configuration for specific programs. For instance, ssh.nix provides the configuration for the SSH client; ssmtp.nix provides the configuration for the `ssmtp' MTA. svn path=/nixos/branches/modular-nixos/; revision=15757 2009-05-28 01:59:14 +02:00			`'';`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`};`

			`setXAuthLocation = mkOption {`
			`default = true;`
			`description = ''`
			`Whether to set the path to xauth for X11-forwarded connections.`
			`Pulls in X11 dependency.`
			`'';`
			`};`
			`};`
			`};`

modules/programs/ssh.nix: strip trailing whitespace 2012-10-29 17:10:46 +01:00			`assertions = [{ assertion = if cfg.forwardX11 then cfg.setXAuthLocation else true;`
assertions '.msg' doesn't exist => .message svn path=/nixos/trunk/; revision=33508 2012-04-01 12:54:06 +02:00			`message = "cannot enable X11 forwarding without setting xauth location";}];`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00
			`config = {`
			`environment.etc =`
			`[ { # SSH configuration. Slight duplication of the sshd_config`
			`# generation in the sshd service.`
			`source = pkgs.writeText "ssh_config" ''`
modules/programs/ssh.nix: configure AddressFamily properly Explicitly restrict ssh clients to use of IPv4 addresses if IPv6 support is not enabled. 2012-10-29 17:10:17 +01:00			`AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`${optionalString cfg.setXAuthLocation ''`
			`XAuthLocation ${pkgs.xorg.xauth}/bin/xauth`
			`''}`
modules/programs/ssh.nix: simplify expression that generates 'ForwardX11' entry 2012-10-29 17:10:37 +01:00			`ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}`
splitted ssh/sshd X11 forwarding logic. Backward compatible change. You can now set the forwardX11 config option for the ssh client and server separately. For server, the option means "allow clients to request X11 forwarding". For client, the option means "request X11 forwarding by default on all connections". I don't think it made sense to couple them. I might not even run the server on some machines. Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it, I use the -X/-Y option, or set it in my ~/.ssh/config. I also decoupled the 'XAuthLocation' logic from forwardX11. For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it. As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now. svn path=/nixos/trunk/; revision=33407 2012-03-25 17:42:05 +02:00			`'';`
			`target = "ssh/ssh_config";`
			`}`
			`];`
			`};`
* New directory modules/programs that contains system-wide configuration for specific programs. For instance, ssh.nix provides the configuration for the SSH client; ssmtp.nix provides the configuration for the `ssmtp' MTA. svn path=/nixos/branches/modular-nixos/; revision=15757 2009-05-28 01:59:14 +02:00			`}`