
services.openssh: rename several settings (#211991)

* services.openssh: rename several settings

... to match the sshd config format (makes transition smoother), namely:
services.openssh.forwardX11 -> services.openssh.settings.X11Forwarding
services.openssh.cyphers -> services.openssh.settings.Cyphers
services.openssh.macs -> services.openssh.settings.Macs
services.openssh.kexAlgorithms -> services.openssh.settings.KexAlgorithms
services.openssh.gatewayPorts -> services.openssh.settings.GatewayPorts

* release-notes: mention openssh renaming

* chore: regenerated release-notes
This commit is contained in:
Matthieu Coudron 2023-02-07 00:11:18 +01:00 committed by GitHub
parent e74dc4bf64
commit ef5da70d66
5 changed files with 157 additions and 104 deletions


@ -13,11 +13,12 @@ let
else pkgs.buildPackages.openssh;
# reports boolean as yes / no
mkValueStringSshd = v:
mkValueStringSshd = with lib; v:
if isInt v then toString v
else if isString v then v
else if true == v then "yes"
else if false == v then "no"
else if isList v then concatStringsSep "," v
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
# dont use the "=" operator
@ -104,6 +105,11 @@ in
(mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ])
(mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ])
(mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ])
(mkRenamedOptionModule [ "services" "openssh" "macs" ] [ "services" "openssh" "settings" "Macs" ])
(mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ])
(mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [ "services" "openssh" "settings" "KexAlgorithms" ])
(mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [ "services" "openssh" "settings" "GatewayPorts" ])
(mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [ "services" "openssh" "settings" "X11Forwarding" ])
];
###### interface
@ -131,14 +137,6 @@ in
'';
};
forwardX11 = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to allow X11 connections to be forwarded.
'';
};
allowSFTP = mkOption {
type = types.bool;
default = true;
@ -167,16 +165,6 @@ in
'';
};
gatewayPorts = mkOption {
type = types.str;
default = "no";
description = lib.mdDoc ''
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. See
{manpage}`sshd_config(5)`.
'';
};
ports = mkOption {
type = types.listOf types.port;
default = [22];
@ -286,63 +274,6 @@ in
'';
};
kexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
description = lib.mdDoc ''
Allowed key exchange algorithms
Uses the lower bound recommended in both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
ciphers = mkOption {
type = types.listOf types.str;
default = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
description = lib.mdDoc ''
Allowed ciphers
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
macs = mkOption {
type = types.listOf types.str;
default = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
description = lib.mdDoc ''
Allowed MACs
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
settings = mkOption {
@ -374,7 +305,13 @@ in
~/.ssh/authorized_keys from and sshd_config Match Host directives.
'';
};
X11Forwarding = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to allow X11 connections to be forwarded.
'';
};
PasswordAuthentication = mkOption {
type = types.bool;
default = true;
@ -396,6 +333,70 @@ in
Specifies whether keyboard-interactive authentication is allowed.
'';
};
GatewayPorts = mkOption {
type = types.str;
default = "no";
description = lib.mdDoc ''
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. See
{manpage}`sshd_config(5)`.
'';
};
KexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
description = lib.mdDoc ''
Allowed key exchange algorithms
Uses the lower bound recommended in both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
Macs = mkOption {
type = types.listOf types.str;
default = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
description = lib.mdDoc ''
Allowed MACs
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
Ciphers = mkOption {
type = types.listOf types.str;
default = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
description = lib.mdDoc ''
Allowed ciphers
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
};
});
};
@ -555,17 +556,10 @@ in
${optionalString cfgc.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''}
X11Forwarding ${if cfg.forwardX11 then "yes" else "no"}
${optionalString cfg.allowSFTP ''
Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
''}
GatewayPorts ${cfg.gatewayPorts}
PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
@ -575,13 +569,9 @@ in
${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path}
'')}
KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
Ciphers ${concatStringsSep "," cfg.ciphers}
MACs ${concatStringsSep "," cfg.macs}
'';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}]
++ forEach cfg.listenAddresses ({ addr, ... }: {
assertion = addr != null;