Commit graph

57 commits

Author SHA1 Message Date
Eelco Dolstra ae4e94d9ac Rename ‘boot.systemd’ to ‘systemd’
Suggested by Mathijs Kwik.  ‘boot.systemd’ is a misnomer because
systemd affects more than just booting.  And it saves some typing.
2013-01-16 12:33:18 +01:00
Eelco Dolstra 96ba0ca283 For some units, use "systemctl restart" rather than "systemctl stop/start"
During a configuration switch, changed units are stopped in the old
configuration, then started in the new configuration (i.e. after
running the activation script and running "systemctl daemon-reload").
This ensures that services are stopped using the ExecStop/ExecStopPost
commands from the old configuration.

However, for some services it's undesirable to stop them; in
particular dhcpcd, which deconfigures its network interfaces when it
stops.  This is dangerous when doing remote upgrades - usually things
go right (especially because the switch script ignores SIGHUP), but
not always (see 9aa69885f0).  Likewise,
sshd should be kept running for as long as possible to prevent a
lock-out if the switch fails.

So the new option ‘stopIfChanged = false’ causes "systemctl restart"
to be used instead of "systemctl stop" followed by "systemctl start".
This is only proper for services that don't have stop commands.  (And
it might not handle dependencies properly in some cases, but I'm not
sure.)
2013-01-05 01:05:25 +01:00
Eelco Dolstra 97ae408e83 Merge remote-tracking branch 'origin/master' into systemd 2012-12-11 17:40:39 +01:00
Eelco Dolstra 78bd54ca80 Allow setting additional AuthorizedKeysFiles
Charon needs this to include the dynamically generated
/root/.vbox-charon-client-key.  (We used
users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but
that no longer works.)
2012-12-11 17:29:34 +01:00
Eelco Dolstra eda051cff5 Remove abuse of "with" 2012-12-11 17:14:52 +01:00
Rickard Nilsson 68872f81cf openssh: Change the way authorized keys are added to the system.
Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
2012-12-11 17:02:39 +01:00
Peter Simons cd372c62ea modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-29 12:46:30 +01:00
Peter Simons b43e219aeb modules/services/networking/ssh/sshd.nix: configure AddressFamily properly
Explicitly restrict sshd to use of IPv4 addresses if IPv6 support is not enabled.
2012-10-24 19:01:38 +02:00
Eelco Dolstra 224c825a36 Add option ‘users.motd’ for setting a message of the day shown on login
Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00
Eelco Dolstra a5969634f4 sshd: Do detach into the background
This is necessary to ensure that jobs that need to start after sshd
work properly.

This reverts 03f13a4939.
2012-10-04 23:38:27 -04:00
Eelco Dolstra 891be375b5 Make unitConfig/serviceConfig attribute sets
So instead of:

  boot.systemd.services."foo".serviceConfig =
    ''
      StartLimitInterval=10
      CPUShare=500
    '';

you can say:

  boot.systemd.services."foo".serviceConfig.StartLimitInterval = 10;
  boot.systemd.services."foo".serviceConfig.CPUShare = 500;

This way all unit options are available and users can set/override
options in configuration.nix.
2012-10-01 16:27:42 -04:00
Peter Simons 03f13a4939 Tell sshd not to detach into the background.
This makes it easier for systemd to track it and avoids race conditions such as
this one:

  systemd[1]: PID file /run/sshd.pid not readable (yet?) after start.
  systemd[1]: Failed to start SSH Daemon.
  systemd[1]: Unit sshd.service entered failed state.
  systemd[1]: sshd.service holdoff time over, scheduling restart.
  systemd[1]: Stopping SSH Daemon...
  systemd[1]: Starting SSH Daemon...
  sshd[2315]: Server listening on 0.0.0.0 port 22.
  sshd[2315]: Server listening on :: port 22.
  sshd[2335]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
  sshd[2335]: error: Bind to port 22 on :: failed: Address already in use.
  sshd[2335]: fatal: Cannot bind any address.
  systemd[1]: Started SSH Daemon.
2012-09-28 17:38:24 +02:00
Eelco Dolstra b02c488fde Automatically append ".service" to the name of service units 2012-08-23 10:25:27 -04:00
Eelco Dolstra 490ce3a230 PAM: Rename ownDevices to startSession
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
2012-08-17 13:48:22 -04:00
Eelco Dolstra b91aa1599c sshd.nix: Disable password logins for root by default 2012-08-17 13:32:23 -04:00
Eelco Dolstra ae62436697 Random changes 2012-07-19 17:33:22 -04:00
Eelco Dolstra 44d091674b Merge branch 'master' of github.com:NixOS/nixos into systemd
Conflicts:
	modules/config/networking.nix
	modules/services/networking/ssh/sshd.nix
	modules/services/ttys/agetty.nix
	modules/system/boot/stage-2-init.sh
	modules/system/upstart-events/shutdown.nix
2012-07-16 17:27:11 -04:00
Eelco Dolstra 73532c3855 Global replace /var/run/current-system -> /run/current-system 2012-07-16 11:34:21 -04:00
Eelco Dolstra 57d74e6f4f openssh.authorizedKeys.keyFiles: allow multiple keys
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path".  The underlying problem is that
you cannot do

  "${./file1} ${./file2}"

but you can do

  " ${./file1} ${./file2}"

Obviously we should allow the first case as well.
2012-07-13 17:59:03 -04:00
Eelco Dolstra 7e77dae458 sshd.nix: Create ~/.ssh/authorized_keys with the right ownership 2012-07-13 11:48:47 -04:00
Eelco Dolstra 352510c208 Add an option ‘boot.systemd.services’
This option makes it more convenient to define services because it
automates stuff like setting $PATH, having a pre-start script, and so on.
2012-06-18 15:28:31 -04:00
Eelco Dolstra 42ee3b4209 Add a ‘wantedBy’ attribute to unit definitions
This attribute allows a unit to make itself a dependency of another unit.

Also, add an option to set the default target unit.
2012-06-17 23:31:21 -04:00
Eelco Dolstra 4a95f8996b To ease migration to systemd, generate units from the ‘jobs’ option
Also get rid of the ‘buildHook’ job option because it wasn't very useful.
2012-06-16 00:19:43 -04:00
Eelco Dolstra a46894b960 Get lots more systemd stuff working
Enabled a bunch of units that ship with systemd.  Also added an option
‘boot.systemd.units’ that can be used to define additional units
(e.g. ‘sshd.service’).
2012-06-14 18:44:56 -04:00
Rickard Nilsson 35f9502a27 Added option for specifying the path to the private key file sshd should use.
svn path=/nixos/trunk/; revision=34039
2012-05-09 22:13:53 +00:00
Rickard Nilsson 658ea20e7f Added option for specifying system-wide known hosts file for OpenSSH.
svn path=/nixos/trunk/; revision=34038
2012-05-09 22:11:07 +00:00
Peter Simons 86ba0c52b3 modules/services/networking/ssh/sshd.nix: stripped trailing whitespace
svn path=/nixos/trunk/; revision=33926
2012-04-26 08:13:24 +00:00
Peter Simons ee2fcb645b modules/services/networking/ssh/sshd.nix: don't write debug output to /tmp/log
svn path=/nixos/trunk/; revision=33925
2012-04-26 08:13:21 +00:00
Eelco Dolstra e6fd0fa893 * Cleanup.
svn path=/nixos/trunk/; revision=33921
2012-04-25 15:44:47 +00:00
Eelco Dolstra 43215ff80f * In the implementation of the ‘authorizedKeys’, don't delete all
lines below a certain marker.  This is undesirable because commands
  like "ssh-copy-id" add keys to the end of the file.  Instead mark
  all automatically added lines individually.

svn path=/nixos/trunk/; revision=33918
2012-04-25 14:14:20 +00:00
Mathijs Kwik a1e86494d0 made challenge-response authentication method configurable for openssh
challenge-response is an authentication method that does not need the
plain text password to be emitted over the (encrypted) connection.
This is nice if you don't fully trust the server.

It is enabled (upstream) by default.

To the end user, it still looks like normal password authentication,
but instead of sending it, it is used to hash some challenge.

This means that if you don't want passwords to be used ever at all,
and just stick to public key authentication, you probably want to
disable this option too.

svn path=/nixos/trunk/; revision=33513
2012-04-01 10:54:17 +00:00
Mathijs Kwik de5b437004 assertions '.msg' doesn't exist => .message
svn path=/nixos/trunk/; revision=33508
2012-04-01 10:54:06 +00:00
Mathijs Kwik f31fefdfd9 splitted ssh/sshd X11 forwarding logic. Backward compatible change.
You can now set the forwardX11 config option for the ssh client and server separately.

For server, the option means "allow clients to request X11 forwarding".
For client, the option means "request X11 forwarding by default on all connections".

I don't think it made sense to couple them. I might not even run the server on some machines.
Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it,
I use the -X/-Y option, or set it in my ~/.ssh/config.

I also decoupled the 'XAuthLocation' logic from forwardX11.
For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it.

As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now.

svn path=/nixos/trunk/; revision=33407
2012-03-25 15:42:05 +00:00
Eelco Dolstra acea54b3c6 * In the users...keyFiles option, the "string" type doesn't work very
well because elements could be paths, e.g.

    users.extraUsers.root.openssh.authorizedKeys.keyFiles =
      [ ./id_key.pub ];

  So disable the type check for now.

svn path=/nixos/trunk/; revision=32558
2012-02-25 17:31:39 +00:00
Peter Simons 90adc800c5 sshd: choose host key type
svn path=/nixos/trunk/; revision=32479
2012-02-22 20:28:54 +00:00
Nicolas Pierron e264d1ab79 Convert users.extraUsers to an option set and add support for openssh
authorized_keys file generation.

svn path=/nixos/trunk/; revision=30611
2011-11-29 06:08:55 +00:00
Peter Simons 0ffb794d5d modules/services/networking/ssh/sshd.nix: strip trailing whitespace
svn path=/nixos/trunk/; revision=27733
2011-07-12 10:34:30 +00:00
Peter Simons ea84edd528 modules/services/networking/ssh/sshd.nix: added new boolean options usePAM and passwordAuthentication
Setting both of these options to 'false' configures the OpenSSH daemon to
reject password authentication, i.e. users must have an appropriate key in
~/.ssh/authorized_keys in order to be able to log in.

svn path=/nixos/trunk/; revision=27732
2011-07-12 10:34:27 +00:00
Eelco Dolstra 2bb4a618e2 * Added an option "services.openssh.extraConfig" that allows
setting arbitrary options in sshd_config, e.g.,

    services.openssh.extraConfig = "PermitTunnel yes";

svn path=/nixos/trunk/; revision=24341
2010-10-18 10:31:41 +00:00
Lluís Batlle i Rossell 4ee2a8a29a Fixing the UTF-8 in openssh sshd (passing to it the LOCALE_ARCHIVE - that
requieres a patch in openssh that I just commited to nixpkgs)

Before this, in the shell spawned, backspace could not work over UTF-8 strings in the readline.


svn path=/nixos/trunk/; revision=21679
2010-05-09 12:45:57 +00:00
Eelco Dolstra 176f6c52dd * Change the name of the SSH privilege separation user account back to
"sshd" because changing it to "opensshd" causes breakage (like the
  activation script saying "useradd: UID 2 is not unique.").  Also,
  OpenSSH requires it to be named "sshd", I think.

svn path=/nixos/trunk/; revision=20577
2010-03-11 18:07:20 +00:00
Ludovic Courtès 8e16742b79 Update users of `services.sshd'.
svn path=/nixos/trunk/; revision=20575
2010-03-11 17:02:53 +00:00
Ludovic Courtès d1b4b7fd28 Rename services.sshd' to services.openssh'.
svn path=/nixos/trunk/; revision=20574
2010-03-11 17:02:49 +00:00
Eelco Dolstra 051e9342b3 * Use the moduli file. This shuts up the "WARNING: /etc/ssh/moduli
does not exist, using fixed modulus" message in /var/log/messages.

svn path=/nixos/trunk/; revision=19754
2010-02-01 17:05:02 +00:00
Marc Weber 4d7e344f69 Adding initial version of the nixos cd insallation test script using
qemu_kvm. Installation doesn't take place yet. VM is started
printing a remote controlled "Hello".

This serves as example how to run a vm within a bulid job.

svn path=/nixos/trunk/; revision=18887
2009-12-11 00:51:13 +00:00
Rob Vermaas 038180bab8 * sshd.nix: ports attribute, to allow listening to multiple ports
svn path=/nixos/trunk/; revision=18877
2009-12-10 14:45:41 +00:00
Eelco Dolstra 9fa2f12cc2 * Do some more jobs.
svn path=/nixos/branches/upstart-0.6/; revision=18212
2009-11-06 15:46:56 +00:00
Eelco Dolstra eba8f94069 * jobAttrs -> jobs.
svn path=/nixos/trunk/; revision=17769
2009-10-12 18:09:34 +00:00
Marc Weber 7e72788a39 rewrite sshd using jobAtts serving as example
svn path=/nixos/trunk/; revision=17651
2009-10-05 18:31:30 +00:00
Nicolas Pierron 5980d130c9 Check sshd.permitRootLogin values.
svn path=/nixos/trunk/; revision=16769
2009-08-19 15:04:05 +00:00