movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

services.openssh: rename several settings (#211991)

Browse source 
* services.openssh: rename several settings

... to match the sshd config format (makes transition smoother), namely:
services.openssh.forwardX11 -> services.openssh.settings.X11Forwarding
services.openssh.cyphers -> services.openssh.settings.Cyphers
services.openssh.macs -> services.openssh.settings.Macs
services.openssh.kexAlgorithms -> services.openssh.settings.KexAlgorithms
services.openssh.gatewayPorts -> services.openssh.settings.GatewayPorts

* release-notes: mention openssh renaming

* chore: regenerated release-notes
This commit is contained in:
Matthieu Coudron 2023-02-07 00:11:18 +01:00 committed by GitHub
parent e74dc4bf64
commit ef5da70d66
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 157 additions and 104 deletions
Download patch file Download diff file Expand all files Collapse all files

77
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
View file

@ -522,19 +522,72 @@
<para> <para>
A few openssh options have been moved from extraConfig to the A few openssh options have been moved from extraConfig to the
new freeform option <literal>settings</literal> and renamed as new freeform option <literal>settings</literal> and renamed as
follow: follows:
<literal>services.openssh.kbdInteractiveAuthentication</literal>
to
<literal>services.openssh.settings.KbdInteractiveAuthentication</literal>,
<literal>services.openssh.passwordAuthentication</literal> to
<literal>services.openssh.settings.PasswordAuthentication</literal>,
<literal>services.openssh.useDns</literal> to
<literal>services.openssh.settings.UseDns</literal>,
<literal>services.openssh.permitRootLogin</literal> to
<literal>services.openssh.settings.PermitRootLogin</literal>,
<literal>services.openssh.logLevel</literal> to
<literal>services.openssh.settings.LogLevel</literal>.
</para> </para>
<itemizedlist spacing="compact">
<listitem>
<para>
<literal>services.openssh.forwardX11</literal> to
<literal>services.openssh.settings.X11Forwarding</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.kbdInteractiveAuthentication</literal>
-&gt;
<literal>services.openssh.settings.KbdInteractiveAuthentication</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.passwordAuthentication</literal>
to
<literal>services.openssh.settings.PasswordAuthentication</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.useDns</literal> to
<literal>services.openssh.settings.UseDns</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.permitRootLogin</literal> to
<literal>services.openssh.settings.PermitRootLogin</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.logLevel</literal> to
<literal>services.openssh.settings.LogLevel</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.kexAlgorithms</literal> to
<literal>services.openssh.settings.KexAlgorithms</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.macs</literal> to
<literal>services.openssh.settings.Macs</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.cyphers</literal> to
<literal>services.openssh.settings.Cyphers</literal>
</para>
</listitem>
<listitem>
<para>
<literal>services.openssh.gatewayPorts</literal> to
<literal>services.openssh.settings.GatewayPorts</literal>
</para>
</listitem>
</itemizedlist>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>

12
nixos/doc/manual/release-notes/rl-2305.section.md
View file

@ -128,7 +128,17 @@ In addition to numerous new and upgraded packages, this release has the followin
- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package) - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)
- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`. - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
- `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
- `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
- `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
- `services.openssh.useDns` to `services.openssh.settings.UseDns`
- `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`
- `services.openssh.logLevel` to `services.openssh.settings.LogLevel`
- `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms`
- `services.openssh.macs` to `services.openssh.settings.Macs`
- `services.openssh.cyphers` to `services.openssh.settings.Cyphers`
- `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`
- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables. - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

2
nixos/modules/programs/ssh.nix
View file

@ -282,7 +282,7 @@ in
config = { config = {
programs.ssh.setXAuthLocation = programs.ssh.setXAuthLocation =
mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11); mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);
assertions = assertions =
[ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation; [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;

2
nixos/modules/services/computing/slurm/slurm.nix
View file

@ -383,7 +383,7 @@ in
"d /var/spool/slurmd 755 root root -" "d /var/spool/slurmd 755 root root -"
]; ];
services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true); services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true);
systemd.services.slurmctld = mkIf (cfg.server.enable) { systemd.services.slurmctld = mkIf (cfg.server.enable) {
path = with pkgs; [ wrappedSlurm munge coreutils ] path = with pkgs; [ wrappedSlurm munge coreutils ]

168
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -13,11 +13,12 @@ let
else pkgs.buildPackages.openssh; else pkgs.buildPackages.openssh;
# reports boolean as yes / no # reports boolean as yes / no
mkValueStringSshd = v: mkValueStringSshd = with lib; v:
if isInt v then toString v if isInt v then toString v
else if isString v then v else if isString v then v
else if true == v then "yes" else if true == v then "yes"
else if false == v then "no" else if false == v then "no"
else if isList v then concatStringsSep "," v
else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";
# dont use the "=" operator # dont use the "=" operator
@ -104,6 +105,11 @@ in
(mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ]) (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ])
(mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ]) (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ])
(mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ]) (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ])
(mkRenamedOptionModule [ "services" "openssh" "macs" ] [ "services" "openssh" "settings" "Macs" ])
(mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ])
(mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [ "services" "openssh" "settings" "KexAlgorithms" ])
(mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [ "services" "openssh" "settings" "GatewayPorts" ])
(mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [ "services" "openssh" "settings" "X11Forwarding" ])
]; ];
###### interface ###### interface
@ -131,14 +137,6 @@ in
''; '';
}; };
forwardX11 = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to allow X11 connections to be forwarded.
'';
};
allowSFTP = mkOption { allowSFTP = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
@ -167,16 +165,6 @@ in
''; '';
}; };
gatewayPorts = mkOption {
type = types.str;
default = "no";
description = lib.mdDoc ''
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. See
{manpage}`sshd_config(5)`.
'';
};
ports = mkOption { ports = mkOption {
type = types.listOf types.port; type = types.listOf types.port;
default = [22]; default = [22];
@ -286,63 +274,6 @@ in
''; '';
}; };
kexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
description = lib.mdDoc ''
Allowed key exchange algorithms
Uses the lower bound recommended in both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
ciphers = mkOption {
type = types.listOf types.str;
default = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
description = lib.mdDoc ''
Allowed ciphers
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
macs = mkOption {
type = types.listOf types.str;
default = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
description = lib.mdDoc ''
Allowed MACs
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
settings = mkOption { settings = mkOption {
@ -374,7 +305,13 @@ in
~/.ssh/authorized_keys from and sshd_config Match Host directives. ~/.ssh/authorized_keys from and sshd_config Match Host directives.
''; '';
}; };
X11Forwarding = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc ''
Whether to allow X11 connections to be forwarded.
'';
};
PasswordAuthentication = mkOption { PasswordAuthentication = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
@ -396,6 +333,70 @@ in
Specifies whether keyboard-interactive authentication is allowed. Specifies whether keyboard-interactive authentication is allowed.
''; '';
}; };
GatewayPorts = mkOption {
type = types.str;
default = "no";
description = lib.mdDoc ''
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. See
{manpage}`sshd_config(5)`.
'';
};
KexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
];
description = lib.mdDoc ''
Allowed key exchange algorithms
Uses the lower bound recommended in both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
Macs = mkOption {
type = types.listOf types.str;
default = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
"hmac-sha2-512"
"hmac-sha2-256"
"umac-128@openssh.com"
];
description = lib.mdDoc ''
Allowed MACs
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
Ciphers = mkOption {
type = types.listOf types.str;
default = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes128-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-ctr"
];
description = lib.mdDoc ''
Allowed ciphers
Defaults to recommended settings from both
<https://stribika.github.io/2015/01/04/secure-secure-shell.html>
and
<https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
'';
};
}; };
}); });
}; };
@ -555,17 +556,10 @@ in
${optionalString cfgc.setXAuthLocation '' ${optionalString cfgc.setXAuthLocation ''
XAuthLocation ${pkgs.xorg.xauth}/bin/xauth XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
''} ''}
X11Forwarding ${if cfg.forwardX11 then "yes" else "no"}
${optionalString cfg.allowSFTP '' ${optionalString cfg.allowSFTP ''
Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
''} ''}
GatewayPorts ${cfg.gatewayPorts}
PrintMotd no # handled by pam_motd PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${optionalString (cfg.authorizedKeysCommand != "none") '' ${optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand} AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
@ -575,13 +569,9 @@ in
${flip concatMapStrings cfg.hostKeys (k: '' ${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path} HostKey ${k.path}
'')} '')}
KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
Ciphers ${concatStringsSep "," cfg.ciphers}
MACs ${concatStringsSep "," cfg.macs}
''; '';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}] message = "cannot enable X11 forwarding without setting xauth location";}]
++ forEach cfg.listenAddresses ({ addr, ... }: { ++ forEach cfg.listenAddresses ({ addr, ... }: {
assertion = addr != null; assertion = addr != null;