diff options
Diffstat (limited to 'nixos/modules/services/networking/ssh/sshd.nix')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 62 |
1 files changed, 54 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index aab1203086ce..7b2d1920f0f1 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -49,7 +49,7 @@ let ${concatMapStrings (f: readFile f + "\n") u.openssh.authorizedKeys.keyFiles} ''; }; - usersWithKeys = attrValues (flip filterAttrs config.users.extraUsers (n: u: + usersWithKeys = attrValues (flip filterAttrs config.users.users (n: u: length u.openssh.authorizedKeys.keys != 0 || length u.openssh.authorizedKeys.keyFiles != 0 )); in listToAttrs (map mkAuthKeyFile usersWithKeys); @@ -198,6 +198,10 @@ in [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; + example = + [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } + ]; description = '' NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See @@ -272,6 +276,31 @@ in ''; }; + logLevel = mkOption { + type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; + default = "VERBOSE"; + description = '' + Gives the verbosity level that is used when logging messages from sshd(8). The possible values are: + QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is VERBOSE. DEBUG and DEBUG1 + are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level + violates the privacy of users and is not recommended. + + LogLevel VERBOSE logs user's key fingerprint on login. + Needed to have a clear audit track of which key was used to log in. + ''; + }; + + useDns = mkOption { + type = types.bool; + default = false; + description = '' + Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for + the remote IP address maps back to the very same IP address. + If this option is set to no (the default) then only addresses and not host names may be used in + ~/.ssh/authorized_keys from and sshd_config Match Host directives. + ''; + }; + extraConfig = mkOption { type = types.lines; default = ""; @@ -301,7 +330,7 @@ in config = mkIf cfg.enable { - users.extraUsers.sshd = + users.users.sshd = { isSystemUser = true; description = "SSH privilege separation user"; }; @@ -309,7 +338,9 @@ in services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; environment.etc = authKeysFiles // - { "ssh/moduli".source = cfg.moduliFile; }; + { "ssh/moduli".source = cfg.moduliFile; + "ssh/sshd_config".text = cfg.extraConfig; + }; systemd = let @@ -331,7 +362,14 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' if ! [ -f "${k.path}" ]; then - ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N "" + ssh-keygen \ + -t "${k.type}" \ + ${if k ? bits then "-b ${toString k.bits}" else ""} \ + ${if k ? rounds then "-a ${toString k.rounds}" else ""} \ + ${if k ? comment then "-C '${k.comment}'" else ""} \ + ${if k ? openSSHFormat && k.openSSHFormat then "-o" else ""} \ + -f "${k.path}" \ + -N "" fi '')} ''; @@ -340,7 +378,7 @@ in { ExecStart = (optionalString cfg.startWhenNeeded "-") + "${cfgc.package}/bin/sshd " + (optionalString cfg.startWhenNeeded "-i ") + - "-f ${pkgs.writeText "sshd_config" cfg.extraConfig}"; + "-f /etc/ssh/sshd_config"; KillMode = "process"; } // (if cfg.startWhenNeeded then { StandardInput = "socket"; @@ -377,6 +415,9 @@ in unixAuth = cfg.passwordAuthentication; }; + # These values are merged with the ones defined externally, see: + # https://github.com/NixOS/nixpkgs/pull/10155 + # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; @@ -426,9 +467,14 @@ in Ciphers ${concatStringsSep "," cfg.ciphers} MACs ${concatStringsSep "," cfg.macs} - # LogLevel VERBOSE logs user's key fingerprint on login. - # Needed to have a clear audit track of which key was used to log in. - LogLevel VERBOSE + LogLevel ${cfg.logLevel} + + ${if cfg.useDns then '' + UseDNS yes + '' else '' + UseDNS no + ''} + ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; |