Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/ssh/sshd.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/ssh/sshd.nix | 56 |
1 files changed, 51 insertions, 5 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index 942317f8da74..1946e9e79e98 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -27,13 +27,11 @@ let
 mkValueString = mkValueStringSshd;
 } " ";});
- configFile = settingsFormat.generate "config" cfg.settings;
- sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''
+ configFile = settingsFormat.generate "sshd.conf-settings" cfg.settings;
+ sshconf = pkgs.runCommand "sshd.conf-final" { } ''
 cat ${configFile} - >$out <<EOL
 ${cfg.extraConfig}
 EOL
-
- sshd -G -f $out
 '';
 cfg = config.services.openssh;
@@ -76,6 +74,19 @@ let
 };
 };
+ options.openssh.authorizedPrincipals = mkOption {
+ type = with types; listOf types.singleLineStr;
+ default = [];
+ description = mdDoc ''
+ A list of verbatim principal names that should be added to the user's
+ authorized principals.
+ '';
+ example = [
+ "example@host"
+ "foo@bar"
+ ];
+ };
+
 };
 authKeysFiles = let
@@ -91,6 +102,16 @@ let
 ));
 in listToAttrs (map mkAuthKeyFile usersWithKeys);
+ authPrincipalsFiles = let
+ mkAuthPrincipalsFile = u: nameValuePair "ssh/authorized_principals.d/${u.name}" {
+ mode = "0444";
+ text = concatStringsSep "\n" u.openssh.authorizedPrincipals;
+ };
+ usersWithPrincipals = attrValues (flip filterAttrs config.users.users (n: u:
+ length u.openssh.authorizedPrincipals != 0
+ ));
+ in listToAttrs (map mkAuthPrincipalsFile usersWithPrincipals);
+
 in {
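Review bot: The `sshconf` derivation renamed here to `sshd.conf-final` still builds the file through a heredoc whose delimiter is unquoted, so bash parameter and command substitution is applied to the contents of `cfg.extraConfig` before they are written — a `$`, backtick or trailing `\` in an extraConfig line is expanded by the build shell rather than copied through verbatim. That predates this commit, but now that the derivation is a plain concatenation it is the natural moment to quote the delimiter: `cat ${configFile} - >$out <<'EOL'` (unless something is known to rely on that expansion). Since `sshd -G -f $out` has moved out of this derivation, I would also put `# not validated here; see the system.checks entry further down` above `sshconf =`, so nobody consuming `sshconf` directly assumes it has been syntax-checked.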
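Review bot: The `authorizedPrincipals` description does not say when the list is consulted: sshd only reads a principals file during certificate authentication, so these entries do nothing for ordinary public-key logins unless a CA is trusted (typically via `TrustedUserCAKeys`), and, per the change further down in this commit, the module points `AuthorizedPrincipalsFile` at the generated `/etc/ssh/authorized_principals.d/%u` as soon as any user has a non-empty list. The `authorized_principals` line format also accepts key options before the name, so a value containing whitespace is parsed as options plus a principal rather than as one name; `singleLineStr` blocks newlines but not that. I would extend the description with: `Only consulted for certificate-based logins (see TrustedUserCAKeys); setting this for any user makes the module point AuthorizedPrincipalsFile at /etc/ssh/authorized_principals.d/%u. Entries must not contain whitespace, as sshd would read a leading word as key options.`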
@@ -287,6 +308,14 @@ in
 type = types.submodule ({name, ...}: {
 freeformType = settingsFormat.type;
 options = {
+ AuthorizedPrincipalsFile = mkOption {
+ type = types.str;
+ default = "none"; # upstream default
+ description = lib.mdDoc ''
+ Specifies a file that lists principal names that are accepted for certificate authentication. The default
+ is `"none"`, i.e. not to use a principals file.
+ '';
+ };
 LogLevel = mkOption {
 type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
 default = "INFO"; # upstream default
@@ -448,7 +477,7 @@ in
 services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
 services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
- environment.etc = authKeysFiles //
+ environment.etc = authKeysFiles // authPrincipalsFiles //
 { "ssh/moduli".source = cfg.moduliFile;
 "ssh/sshd_config".source = sshconf;
 };
@@ -545,6 +574,8 @@ in
 services.openssh.authorizedKeysFiles = [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
+ services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";
+
 services.openssh.extraConfig = mkOrder 0 ''
 UsePAM yes
@@ -578,6 +609,21 @@ in
 '')}
 '';
+ system.checks = [
+ (pkgs.runCommand "check-sshd-config"
+ {
+ nativeBuildInputs = [ validationPackage ];
+ } ''
+ ${concatMapStringsSep "\n"
+ (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null")
+ cfg.ports}
+ ${concatMapStringsSep "\n"
+ (la: "sshd -G -T -C ${escapeShellArg "laddr=${la.addr},lport=${toString la.port}"} -f ${sshconf} > /dev/null")
+ cfg.listenAddresses}
+ touch $out
+ '')
+ ];
+
 assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
 message = "cannot enable X11 forwarding without setting xauth location";}
 (let |
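Review bot: The `AuthorizedPrincipalsFile` description should say what the module does with the option and what sshd expects of the path: later in this commit the module sets it to `/etc/ssh/authorized_principals.d/%u` whenever any user declares `openssh.authorizedPrincipals`, the value may use sshd's `%u`/`%h` tokens, and, as far as I read sshd's file-opening logic, the file and its parent directories are subject to the same ownership and permission checks as `authorized_keys` under `StrictModes`, so a principals file placed in a group- or world-writable location is refused rather than used. Suggested addition to the description: `Tokens such as %u and %h are expanded by sshd. When any user sets openssh.authorizedPrincipals, the module sets this to /etc/ssh/authorized_principals.d/%u; with StrictModes the file and its parent directories must be owned by root or the user and must not be group- or world-writable.`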
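Review bot: `services.openssh.settings.AuthorizedPrincipalsFile` is defined here at normal priority whenever `authPrincipalsFiles` is non-empty, so an administrator who also sets that option (for example to a CA-managed principals path) gets the generic "conflicting definition values" error with no hint that per-user `openssh.authorizedPrincipals` is the other definer, and there is no supported way to combine the two. If the intended rule is that the generated directory wins unless explicitly overridden, and that overriding it while per-user principals exist is a configuration error, defining the value with `mkDefault` and adding an assertion makes the failure self-explanatory. The `assertions` list this would extend starts outside this hunk.
```nix
services.openssh.settings.AuthorizedPrincipalsFile =
  mkIf (authPrincipalsFiles != {}) (mkDefault "/etc/ssh/authorized_principals.d/%u");

# … unchanged: extraConfig …

# added to the existing `assertions` list:
{ assertion = authPrincipalsFiles == {}
    || cfg.settings.AuthorizedPrincipalsFile == "/etc/ssh/authorized_principals.d/%u";
  message = "services.openssh.settings.AuthorizedPrincipalsFile has been overridden, so the "
    + "authorized_principals.d files generated from users.<name>.openssh.authorizedPrincipals would be ignored";
}
```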
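Review bot: The new `check-sshd-config` derivation only invokes sshd once per entry of `cfg.ports` and `cfg.listenAddresses`, so if both are set to empty lists (sshd would then use its built-in default port) the check reduces to `touch $out` and a malformed `sshd_config` is no longer caught anywhere, because the `sshd -G -f $out` that used to run inside the `sshconf` derivation is removed in this commit. One unconditional run before the two loops closes that gap: `sshd -G -T -f ${sshconf} > /dev/null`. I would also add a comment above the loops, e.g. `# evaluate Match blocks once per listening port/address; -C only supplies lport/laddr, so User/Group/Host criteria are not exercised here`, since that limitation is easy to miss. The `config` attribute set this block lives in continues past the hunk.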