author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-18 00:45:26 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-18 00:45:26 +0200 |
commit | ffedee6ed523864dd5f871ffd85e3c2099d579a2 (patch) | |
tree | 56f38409025243eaffb154c518f6b525945c7231 /nixos/modules/services/x11 | |
parent | e34a1589fe1e2cd37a4d47a0dbf6c5791719e0f1 (diff) | |
Start ssh-agent as a user unit
This has some advantages: * You get ssh-agent regardless of how you logged in. Previously it was only started for X11 sessions. * All sessions of a user share the same agent. So if you added a key on tty1, it will also be available on tty2. * Systemd will restart ssh-agent if it dies. * $SSH_AUTH_SOCK now points into the per-user /run/user/<uid> directory rather than the shared, world-writable /tmp. For bonus points, we should patch ssh-agent to support socket-based activation...
Diffstat (limited to 'nixos/modules/services/x11')
-rw-r--r-- | nixos/modules/services/x11/display-managers/default.nix | 11 | ||||
-rw-r--r-- | nixos/modules/services/x11/xserver.nix | 17 |
2 files changed, 3 insertions, 25 deletions
diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 2deff602982b..3bf18bd58c84 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix @@ -51,17 +51,6 @@ let ''} - ${optionalString cfg.startOpenSSHAgent '' - if test -z "$SSH_AUTH_SOCK"; then - # Restart this script as a child of the SSH agent. (It is - # also possible to start the agent as a child that prints - # the required environment variabled on stdout, but in - # that mode ssh-agent is not terminated when we log out.) - export SSH_ASKPASS=${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass - exec ${pkgs.openssh}/bin/ssh-agent "$0" "$sessionType" - fi - ''} - ${optionalString cfg.startGnuPGAgent '' if test -z "$SSH_AUTH_SOCK"; then # Restart this script as a child of the GnuPG agent. diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 1f02bfd6ef37..65f93b544996 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -201,17 +201,6 @@ in ''; }; - startOpenSSHAgent = mkOption { - type = types.bool; - default = true; - description = '' - Whether to start the OpenSSH agent when you log in. The OpenSSH agent - remembers private keys for you so that you don't have to type in - passphrases every time you make an SSH connection. Use - <command>ssh-add</command> to add a key to the agent. - ''; - }; - startGnuPGAgent = mkOption { type = types.bool; default = false; 
@@ -400,11 +389,11 @@ in hardware.opengl.videoDrivers = mkIf (cfg.videoDriver != null) [ cfg.videoDriver ]; assertions = - [ { assertion = !(cfg.startOpenSSHAgent && cfg.startGnuPGAgent); + [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent); message = '' - The OpenSSH agent and GnuPG agent cannot be started both. - Choose between `startOpenSSHAgent' and `startGnuPGAgent'. + The OpenSSH agent and GnuPG agent cannot be started both. Please + choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’. ''; } { assertion = config.security.polkit.enable; |
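Review bot: The rewritten assertion keys on `config.programs.ssh.startAgent`, an option this module neither defines nor documents, so whether enabling `services.xserver.startGnuPGAgent` on its own fails evaluation now depends on that option's default in programs/ssh.nix (the deleted `startOpenSSHAgent` defaulted to `true`); if the new default is also true, the message should say so, e.g. `choose between ‘programs.ssh.startAgent’ (on by default) and ‘services.xserver.startGnuPGAgent’.` once that default is confirmed. It is also worth a short comment on the assertion explaining why it exists at all: the remaining GnuPG path in display-managers/default.nix only starts gpg-agent when `$SSH_AUTH_SOCK` is empty, so if the user unit exports its socket into the session environment (not visible here), gpg-agent would be skipped silently rather than conflict, and this eval-time check is the only thing that surfaces the misconfiguration. Finally, the old X11 path exported `SSH_ASKPASS` before starting the agent; nothing in this hunk or the new message points users at where graphical passphrase prompts are now configured, which presumably moved with the unit. The `assertions` list continues past the end of the hunk.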