Merge pull request #314889 from DavHau/pr_sshd

nixos/openssh: allow removing settings
lassulus 2024-05-30 01:01:07 +02:00 committed by GitHub
commit d6f07be682
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -349,7 +349,7 @@ in
freeformType = settingsFormat.type; freeformType = settingsFormat.type;
options = { options = {
AuthorizedPrincipalsFile = mkOption { AuthorizedPrincipalsFile = mkOption {
type = types.str; type = types.nullOr types.str;
default = "none"; # upstream default default = "none"; # upstream default
description = '' description = ''
Specifies a file that lists principal names that are accepted for certificate authentication. The default Specifies a file that lists principal names that are accepted for certificate authentication. The default
@ -357,16 +357,18 @@ in
''; '';
}; };
LogLevel = mkOption { LogLevel = mkOption {
type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; type = types.nullOr (types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]);
default = "INFO"; # upstream default default = "INFO"; # upstream default
description = '' description = ''
Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level
violates the privacy of users and is not recommended. violates the privacy of users and is not recommended.
''; '';
}; };
UsePAM = mkEnableOption "PAM authentication" // { default = true; }; UsePAM =
mkEnableOption "PAM authentication"
// { default = true; type = types.nullOr types.bool; };
UseDns = mkOption { UseDns = mkOption {
type = types.bool; type = types.nullOr types.bool;
# apply if cfg.useDns then "yes" else "no" # apply if cfg.useDns then "yes" else "no"
default = false; default = false;
description = '' description = ''
@ -377,14 +379,14 @@ in
''; '';
}; };
X11Forwarding = mkOption { X11Forwarding = mkOption {
type = types.bool; type = types.nullOr types.bool;
default = false; default = false;
description = '' description = ''
Whether to allow X11 connections to be forwarded. Whether to allow X11 connections to be forwarded.
''; '';
}; };
PasswordAuthentication = mkOption { PasswordAuthentication = mkOption {
type = types.bool; type = types.nullOr types.bool;
default = true; default = true;
description = '' description = ''
Specifies whether password authentication is allowed. Specifies whether password authentication is allowed.
@ -392,20 +394,20 @@ in
}; };
PermitRootLogin = mkOption { PermitRootLogin = mkOption {
default = "prohibit-password"; default = "prohibit-password";
type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]; type = types.nullOr (types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"]);
description = '' description = ''
Whether the root user can login using ssh. Whether the root user can login using ssh.
''; '';
}; };
KbdInteractiveAuthentication = mkOption { KbdInteractiveAuthentication = mkOption {
type = types.bool; type = types.nullOr types.bool;
default = true; default = true;
description = '' description = ''
Specifies whether keyboard-interactive authentication is allowed. Specifies whether keyboard-interactive authentication is allowed.
''; '';
}; };
GatewayPorts = mkOption { GatewayPorts = mkOption {
type = types.str; type = types.nullOr types.str;
default = "no"; default = "no";
description = '' description = ''
Specifies whether remote hosts are allowed to connect to Specifies whether remote hosts are allowed to connect to
@ -414,7 +416,7 @@ in
''; '';
}; };
KexAlgorithms = mkOption { KexAlgorithms = mkOption {
type = types.listOf types.str; type = types.nullOr (types.listOf types.str);
default = [ default = [
"sntrup761x25519-sha512@openssh.com" "sntrup761x25519-sha512@openssh.com"
"curve25519-sha256" "curve25519-sha256"
@ -431,7 +433,7 @@ in
''; '';
}; };
Macs = mkOption { Macs = mkOption {
type = types.listOf types.str; type = types.nullOr (types.listOf types.str);
default = [ default = [
"hmac-sha2-512-etm@openssh.com" "hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com" "hmac-sha2-256-etm@openssh.com"
@ -447,14 +449,14 @@ in
''; '';
}; };
StrictModes = mkOption { StrictModes = mkOption {
type = types.bool; type = types.nullOr (types.bool);
default = true; default = true;
description = '' description = ''
Whether sshd should check file modes and ownership of directories Whether sshd should check file modes and ownership of directories
''; '';
}; };
Ciphers = mkOption { Ciphers = mkOption {
type = types.listOf types.str; type = types.nullOr (types.listOf types.str);
default = [ default = [
"chacha20-poly1305@openssh.com" "chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com" "aes256-gcm@openssh.com"
@ -509,7 +511,9 @@ in
''; '';
}; };
# Disabled by default, since pam_motd handles this. # Disabled by default, since pam_motd handles this.
PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively"; PrintMotd =
mkEnableOption "printing /etc/motd when a user logs in interactively"
// { type = types.nullOr types.bool; };
}; };
}); });
}; };
@ -646,7 +650,10 @@ in
security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
{ startSession = true; { startSession = true;
showMotd = true; showMotd = true;
unixAuth = cfg.settings.PasswordAuthentication; unixAuth =
if cfg.settings.PasswordAuthentication == true
then true
else false;
}; };
# These values are merged with the ones defined externally, see: # These values are merged with the ones defined externally, see: