Merge pull request #314889 from DavHau/pr_sshd
nixos/openssh: allow removing settings
This commit is contained in:
commit
d6f07be682
1 changed files with 22 additions and 15 deletions
|
@ -349,7 +349,7 @@ in
|
||||||
freeformType = settingsFormat.type;
|
freeformType = settingsFormat.type;
|
||||||
options = {
|
options = {
|
||||||
AuthorizedPrincipalsFile = mkOption {
|
AuthorizedPrincipalsFile = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr types.str;
|
||||||
default = "none"; # upstream default
|
default = "none"; # upstream default
|
||||||
description = ''
|
description = ''
|
||||||
Specifies a file that lists principal names that are accepted for certificate authentication. The default
|
Specifies a file that lists principal names that are accepted for certificate authentication. The default
|
||||||
|
@ -357,16 +357,18 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
LogLevel = mkOption {
|
LogLevel = mkOption {
|
||||||
type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
|
type = types.nullOr (types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]);
|
||||||
default = "INFO"; # upstream default
|
default = "INFO"; # upstream default
|
||||||
description = ''
|
description = ''
|
||||||
Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level
|
Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level
|
||||||
violates the privacy of users and is not recommended.
|
violates the privacy of users and is not recommended.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
UsePAM = mkEnableOption "PAM authentication" // { default = true; };
|
UsePAM =
|
||||||
|
mkEnableOption "PAM authentication"
|
||||||
|
// { default = true; type = types.nullOr types.bool; };
|
||||||
UseDns = mkOption {
|
UseDns = mkOption {
|
||||||
type = types.bool;
|
type = types.nullOr types.bool;
|
||||||
# apply if cfg.useDns then "yes" else "no"
|
# apply if cfg.useDns then "yes" else "no"
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
|
@ -377,14 +379,14 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
X11Forwarding = mkOption {
|
X11Forwarding = mkOption {
|
||||||
type = types.bool;
|
type = types.nullOr types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
description = ''
|
description = ''
|
||||||
Whether to allow X11 connections to be forwarded.
|
Whether to allow X11 connections to be forwarded.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
PasswordAuthentication = mkOption {
|
PasswordAuthentication = mkOption {
|
||||||
type = types.bool;
|
type = types.nullOr types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Specifies whether password authentication is allowed.
|
Specifies whether password authentication is allowed.
|
||||||
|
@ -392,20 +394,20 @@ in
|
||||||
};
|
};
|
||||||
PermitRootLogin = mkOption {
|
PermitRootLogin = mkOption {
|
||||||
default = "prohibit-password";
|
default = "prohibit-password";
|
||||||
type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
|
type = types.nullOr (types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]);
|
||||||
description = ''
|
description = ''
|
||||||
Whether the root user can login using ssh.
|
Whether the root user can login using ssh.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
KbdInteractiveAuthentication = mkOption {
|
KbdInteractiveAuthentication = mkOption {
|
||||||
type = types.bool;
|
type = types.nullOr types.bool;
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Specifies whether keyboard-interactive authentication is allowed.
|
Specifies whether keyboard-interactive authentication is allowed.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
GatewayPorts = mkOption {
|
GatewayPorts = mkOption {
|
||||||
type = types.str;
|
type = types.nullOr types.str;
|
||||||
default = "no";
|
default = "no";
|
||||||
description = ''
|
description = ''
|
||||||
Specifies whether remote hosts are allowed to connect to
|
Specifies whether remote hosts are allowed to connect to
|
||||||
|
@ -414,7 +416,7 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
KexAlgorithms = mkOption {
|
KexAlgorithms = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.nullOr (types.listOf types.str);
|
||||||
default = [
|
default = [
|
||||||
"sntrup761x25519-sha512@openssh.com"
|
"sntrup761x25519-sha512@openssh.com"
|
||||||
"curve25519-sha256"
|
"curve25519-sha256"
|
||||||
|
@ -431,7 +433,7 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
Macs = mkOption {
|
Macs = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.nullOr (types.listOf types.str);
|
||||||
default = [
|
default = [
|
||||||
"hmac-sha2-512-etm@openssh.com"
|
"hmac-sha2-512-etm@openssh.com"
|
||||||
"hmac-sha2-256-etm@openssh.com"
|
"hmac-sha2-256-etm@openssh.com"
|
||||||
|
@ -447,14 +449,14 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
StrictModes = mkOption {
|
StrictModes = mkOption {
|
||||||
type = types.bool;
|
type = types.nullOr (types.bool);
|
||||||
default = true;
|
default = true;
|
||||||
description = ''
|
description = ''
|
||||||
Whether sshd should check file modes and ownership of directories
|
Whether sshd should check file modes and ownership of directories
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
Ciphers = mkOption {
|
Ciphers = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.nullOr (types.listOf types.str);
|
||||||
default = [
|
default = [
|
||||||
"chacha20-poly1305@openssh.com"
|
"chacha20-poly1305@openssh.com"
|
||||||
"aes256-gcm@openssh.com"
|
"aes256-gcm@openssh.com"
|
||||||
|
@ -509,7 +511,9 @@ in
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
# Disabled by default, since pam_motd handles this.
|
# Disabled by default, since pam_motd handles this.
|
||||||
PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively";
|
PrintMotd =
|
||||||
|
mkEnableOption "printing /etc/motd when a user logs in interactively"
|
||||||
|
// { type = types.nullOr types.bool; };
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
};
|
};
|
||||||
|
@ -646,7 +650,10 @@ in
|
||||||
security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
|
security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
|
||||||
{ startSession = true;
|
{ startSession = true;
|
||||||
showMotd = true;
|
showMotd = true;
|
||||||
unixAuth = cfg.settings.PasswordAuthentication;
|
unixAuth =
|
||||||
|
if cfg.settings.PasswordAuthentication == true
|
||||||
|
then true
|
||||||
|
else false;
|
||||||
};
|
};
|
||||||
|
|
||||||
# These values are merged with the ones defined externally, see:
|
# These values are merged with the ones defined externally, see:
|
||||||
|
|
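Review bot: `security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM` in the last hunk still hands the raw option value to mkIf, although the same commit makes UsePAM nullable (`// { default = true; type = types.nullOr types.bool; }`); with UsePAM set to null the condition is no longer a boolean and evaluation will presumably fail instead of matching sshd's upstream behaviour of UsePAM off. Mirror the unixAuth change on that line, `security.pam.services.sshd = lib.mkIf (cfg.settings.UsePAM == true)`, and the new unixAuth branch can shrink to the same shape, `unixAuth = cfg.settings.PasswordAuthentication == true;`. None of the option descriptions touched here say what null does; a sentence such as `Set to null to omit the directive from sshd_config, so that sshd falls back to its built-in default.` would document the new semantics. That caveat matters most for Ciphers, Macs and KexAlgorithms, where omitting the directive replaces the hardened NixOS list with sshd's broader default set, and for UsePAM and PrintMotd, whose upstream defaults appear to be the opposite of the NixOS ones.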