diff options
Diffstat (limited to 'nixpkgs/nixos/modules/programs/ssh.nix')
| -rw-r--r-- | nixpkgs/nixos/modules/programs/ssh.nix | 85 |
1 files changed, 48 insertions, 37 deletions
diff --git a/nixpkgs/nixos/modules/programs/ssh.nix b/nixpkgs/nixos/modules/programs/ssh.nix index b31fce915240..9c4a95ef22c6 100644 --- a/nixpkgs/nixos/modules/programs/ssh.nix +++ b/nixpkgs/nixos/modules/programs/ssh.nix @@ -40,20 +40,20 @@ in type = types.bool; default = config.services.xserver.enable; defaultText = literalExpression "config.services.xserver.enable"; - description = "Whether to configure SSH_ASKPASS in the environment."; + description = lib.mdDoc "Whether to configure SSH_ASKPASS in the environment."; }; askPassword = mkOption { type = types.str; default = "${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"; defaultText = literalExpression ''"''${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"''; - description = "Program used by SSH to ask for passwords."; + description = lib.mdDoc "Program used by SSH to ask for passwords."; }; forwardX11 = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to request X11 forwarding on outgoing connections by default. This is useful for running graphical programs on the remote machine and have them display to your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. @@ -66,8 +66,8 @@ in setXAuthLocation = mkOption { type = types.bool; - description = '' - Whether to set the path to <command>xauth</command> for X11-forwarded connections. + description = lib.mdDoc '' + Whether to set the path to {command}`xauth` for X11-forwarded connections. This causes a dependency on X11 packages. ''; }; @@ -76,7 +76,7 @@ in type = types.listOf types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; - description = '' + description = lib.mdDoc '' Specifies the key types that will be used for public key authentication. ''; }; @@ -85,7 +85,7 @@ in type = types.listOf types.str; default = []; example = [ "ssh-ed25519" "ssh-rsa" ]; - description = '' + description = lib.mdDoc '' Specifies the host key algorithms that the client wants to use in order of preference. ''; }; @@ -95,7 +95,7 @@ in default = ""; description = '' Extra configuration text prepended to <filename>ssh_config</filename>. Other generated - options will be added after a <code>Host *</code> pattern. + options will be added after a <literal>Host *</literal> pattern. See <citerefentry><refentrytitle>ssh_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> for help. ''; @@ -104,11 +104,11 @@ in startAgent = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use - <command>ssh-add</command> to add a key to the agent. + {command}`ssh-add` to add a key to the agent. ''; }; @@ -116,7 +116,7 @@ in type = types.nullOr types.str; default = null; example = "1h"; - description = '' + description = lib.mdDoc '' How long to keep the private keys in memory. Use null to keep them forever. ''; }; @@ -125,7 +125,7 @@ in type = types.nullOr types.str; default = null; example = literalExpression ''"''${pkgs.opensc}/lib/opensc-pkcs11.so"''; - description = '' + description = lib.mdDoc '' A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add. ''; @@ -135,7 +135,7 @@ in type = types.package; default = pkgs.openssh; defaultText = literalExpression "pkgs.openssh"; - description = '' + description = lib.mdDoc '' The package used for the openssh client and daemon. ''; }; @@ -147,7 +147,7 @@ in certAuthority = mkOption { type = types.bool; default = false; - description = '' + description = lib.mdDoc '' This public key is an SSH certificate authority, rather than an individual host's key. ''; @@ -156,27 +156,32 @@ in type = types.listOf types.str; default = [ name ] ++ config.extraHostNames; defaultText = literalExpression "[ ${name} ] ++ config.${options.extraHostNames}"; - description = '' - DEPRECATED, please use <literal>extraHostNames</literal>. + description = lib.mdDoc '' A list of host names and/or IP numbers used for accessing - the host's ssh service. + the host's ssh service. This list includes the name of the + containing `knownHosts` attribute by default + for convenience. If you wish to configure multiple host keys + for the same host use multiple `knownHosts` + entries with different attribute names and the same + `hostNames` list. ''; }; extraHostNames = mkOption { type = types.listOf types.str; default = []; - description = '' + description = lib.mdDoc '' A list of additional host names and/or IP numbers used for - accessing the host's ssh service. + accessing the host's ssh service. This list is ignored if + `hostNames` is set explicitly. ''; }; publicKey = mkOption { default = null; type = types.nullOr types.str; example = "ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="; - description = '' + description = lib.mdDoc '' The public key data for the host. You can fetch a public key - from a running SSH server with the <command>ssh-keyscan</command> + from a running SSH server with the {command}`ssh-keyscan` command. The public key should not include any host names, only the key type and the key itself. ''; @@ -184,21 +189,26 @@ in publicKeyFile = mkOption { default = null; type = types.nullOr types.path; - description = '' + description = lib.mdDoc '' The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server - with the <command>ssh-keyscan</command> command. The content + with the {command}`ssh-keyscan` command. The content of the file should follow the same format as described for - the <literal>publicKey</literal> option. Only a single key + the `publicKey` option. Only a single key is supported. If a host has multiple keys, use - <option>programs.ssh.knownHostsFiles</option> instead. + {option}`programs.ssh.knownHostsFiles` instead. ''; }; }; })); - description = '' - The set of system-wide known SSH hosts. + description = lib.mdDoc '' + The set of system-wide known SSH hosts. To make simple setups more + convenient the name of an attribute in this set is used as a host name + for the entry. This behaviour can be disabled by setting + `hostNames` explicitly. You can use + `extraHostNames` to add additional host names without + disabling this default. ''; example = literalExpression '' { @@ -207,6 +217,10 @@ in publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub; }; "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK"; + "myhost2.net/dsa" = { + hostNames = [ "myhost2.net" ]; + publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub; + }; } ''; }; @@ -214,11 +228,11 @@ in knownHostsFiles = mkOption { default = []; type = with types; listOf path; - description = '' + description = lib.mdDoc '' Files containing SSH host keys to set as global known hosts. - <literal>/etc/ssh/ssh_known_hosts</literal> (which is - generated by <option>programs.ssh.knownHosts</option>) and - <literal>/etc/ssh/ssh_known_hosts2</literal> are always + `/etc/ssh/ssh_known_hosts` (which is + generated by {option}`programs.ssh.knownHosts`) and + `/etc/ssh/ssh_known_hosts2` are always included. ''; example = literalExpression '' @@ -237,7 +251,7 @@ in type = types.nullOr (types.listOf types.str); default = null; example = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; - description = '' + description = lib.mdDoc '' Specifies the available KEX (Key Exchange) algorithms. ''; }; @@ -246,7 +260,7 @@ in type = types.nullOr (types.listOf types.str); default = null; example = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]; - description = '' + description = lib.mdDoc '' Specifies the ciphers allowed and their order of preference. ''; }; @@ -255,7 +269,7 @@ in type = types.nullOr (types.listOf types.str); default = null; example = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]; - description = '' + description = lib.mdDoc '' Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection. ''; @@ -279,9 +293,6 @@ in message = "knownHost ${name} must contain either a publicKey or publicKeyFile"; }); - warnings = mapAttrsToList (name: _: ''programs.ssh.knownHosts.${name}.hostNames is deprecated, use programs.ssh.knownHosts.${name}.extraHostNames'') - (filterAttrs (name: {hostNames, extraHostNames, ...}: hostNames != [ name ] ++ extraHostNames) cfg.knownHosts); - # SSH configuration. Slight duplication of the sshd_config # generation in the sshd service. environment.etc."ssh/ssh_config".text = |