author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-18 00:45:26 +0200 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-18 00:45:26 +0200 |
commit | ffedee6ed523864dd5f871ffd85e3c2099d579a2 (patch) | |
tree | 56f38409025243eaffb154c518f6b525945c7231 /nixos/modules/programs | |
parent | e34a1589fe1e2cd37a4d47a0dbf6c5791719e0f1 (diff) | |
Start ssh-agent as a user unit
This has some advantages: * You get ssh-agent regardless of how you logged in. Previously it was only started for X11 sessions. * All sessions of a user share the same agent. So if you added a key on tty1, it will also be available on tty2. * Systemd will restart ssh-agent if it dies. * $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is more secure than /tmp. For bonus points, we should patch ssh-agent to support socket-based activation...
Diffstat (limited to 'nixos/modules/programs')
-rw-r--r-- | nixos/modules/programs/ssh.nix | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 27db667e4402..005c77d255cb 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -47,7 +47,20 @@ in
 for help.
 '';
 };
+
+ startAgent = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to start the OpenSSH agent when you log in. The OpenSSH agent
+ remembers private keys for you so that you don't have to type in
+ passphrases every time you make an SSH connection. Use
+ <command>ssh-add</command> to add a key to the agent.
+ '';
+ };
+
 };
+
 };
 
 config = {
@@ -71,5 +84,25 @@ in
 target = "ssh/ssh_config";
 }
 ];
+
+ # FIXME: this should really be socket-activated for über-awesomeness.
+ systemd.user.services.ssh-agent =
+ { enable = cfg.startAgent;
+ description = "SSH Agent";
+ wantedBy = [ "default.target" ];
+ serviceConfig =
+ { ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent";
+ Type = "forking";
+ Restart = "on-failure";
+ };
+ };
+
+ environment.extraInit = optionalString cfg.startAgent
+ ''
+ if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
+ export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent"
+ fi
+ '';
+
 };
 }
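Review bot: The new startAgent description does not say that the agent is one per-user service shared by every session of that user, nor that loaded keys stay usable until the agent stops; with `default = true` this now applies to logins that previously had no agent at all, so the user should learn it here rather than from the commit message. I would extend the description with a sentence such as `The agent is a per-user service shared by all of your sessions; keys stay loaded until the agent stops or you remove them with <command>ssh-add -d</command>.` The enclosing programs.ssh options set starts outside the hunk.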
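Review bot: `Restart = "on-failure"` in the new ssh-agent unit restarts the process but not its contents: every key added with ssh-add is gone after a restart, so the "systemd will restart ssh-agent if it dies" benefit means a fresh, empty agent, and a comment such as `# A restarted agent starts with no keys loaded; users must ssh-add again.` next to `Restart` would keep a maintainer from assuming otherwise. I would also run the agent in the foreground, `ExecStart = "${pkgs.openssh}/bin/ssh-agent -D -a %t/ssh-agent"; Type = "simple";`, so systemd tracks the real main PID and the agent's diagnostics land in the journal, and check whether a socket file left at %t/ssh-agent by an unclean exit makes the restarted agent fail to bind, which the unit does not handle. In the extraInit snippet, `[ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]` uses the obsolescent `-a` test primary; `[ -z "$SSH_AUTH_SOCK" ] && [ -n "$XDG_RUNTIME_DIR" ]` is the portable form and, because it only exports when SSH_AUTH_SOCK is unset, correctly leaves a forwarded agent socket from an incoming SSH session untouched. The enclosing `config` attribute set starts outside the hunk.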