authorWilliam A. Kennington III <william@wkennington.com>2014-04-27 17:01:06 -0500
committerWilliam A. Kennington III <william@wkennington.com>2014-05-01 16:21:25 -0500
commit78c33177ce93cf0ce4142b1e19e7583ebd96e7b9 (patch)
treed1dcbbd6f82714761de364ee0343ee1ed2fac42e /nixos
parent65a78e16f1485d3d100c9e42458dd13f579d5484 (diff)
ssh: Support knownHost public keys as strings
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix24
1 files changed, 20 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 554cc6a1c3fc..4a60e59b20b6 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -18,9 +18,9 @@ let
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
 
   knownHostsFile = pkgs.writeText "ssh_known_hosts" (
-    flip concatMapStrings knownHosts (h:
-      "${concatStringsSep "," h.hostNames} ${readFile h.publicKeyFile}"
-    )
+    flip concatMapStrings knownHosts (h: ''
+      ${concatStringsSep "," h.hostNames} ${if h.publicKey != null then h.publicKey else readFile h.publicKeyFile}
+    '')
   );
 
   userOptions = {
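Review bot: The key text on the `${...}` line is interpolated verbatim into a line-oriented file and neither branch normalises it: `readFile` normally returns the file's trailing newline, so with the new `''` literal (which itself ends in a newline) every file-based entry is followed by a blank line, and a `publicKey` value that carries a trailing or embedded newline produces a split or empty entry that sshd silently ignores. If `removeSuffix` from lib is in scope here, `${removeSuffix "\n" (if h.publicKey != null then h.publicKey else readFile h.publicKeyFile)}` keeps one entry per line for both sources. The description above in the hunk does not say which form is expected, so a comment on `knownHostsFile` such as `# one known_hosts line per host: "<hostNames> <keytype> <base64-key>"` would make the file format explicit for the next maintainer.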
@@ -218,7 +218,18 @@ in
               the host's ssh service.
             '';
           };
+          publicKey = mkOption {
+            default = null;
+            type = types.nullOr types.string;
+            description = ''
+              The public key data for the host. You can fetch a public key
+              from a running SSH server with the <command>ssh-keyscan</command>
+              command.
+            '';
+          };
           publicKeyFile = mkOption {
+            default = null;
+            type = types.nullOr types.unspecified;
             description = ''
               The path to the public key file for the host. The public
               key file is read at build time and saved in the Nix store.
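Review bot: The `publicKey` description points users at `ssh-keyscan`, but that command prints the host name before the key (`host keytype base64`), whereas this option is prepended with `hostNames` at build time, so pasting the output verbatim yields a malformed known_hosts line that sshd rejects without an error; the description should say something like "Only the key type and base64 data, without the leading host name that ssh-keyscan prints, e.g. `ssh-rsa AAAA...`". The type `types.nullOr types.string` merges multiple definitions of the option by concatenation, which would silently glue two keys into one invalid value; `types.nullOr types.str` rejects conflicting definitions instead. The `publicKeyFile` description on the last lines of the hunk should also state that exactly one of `publicKey` and `publicKeyFile` must be set, matching the assertion added later in the commit; its closing `'';` lies outside this hunk.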
@@ -367,7 +378,12 @@ in
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
-                    message = "cannot enable X11 forwarding without setting xauth location";}];
+                    message = "cannot enable X11 forwarding without setting xauth location";}]
+      ++ flip mapAttrsToList cfg.knownHosts (name: data: {
+        assertion = (data.publicKey == null && data.publicKeyFile != null) ||
+                    (data.publicKey != null && data.publicKeyFile == null);
+        message = "knownHost ${name} must contain either a publicKey or publicKeyFile";
+      });
 
   };