Unverified Commit ef5da70d authored by Matthieu Coudron, committed by GitHub

services.openssh: rename several settings (#211991)

* services.openssh: rename several settings

... to match the sshd config format (makes transition smoother), namely:
services.openssh.forwardX11 -> services.openssh.settings.X11Forwarding
services.openssh.cyphers -> services.openssh.settings.Cyphers
services.openssh.macs -> services.openssh.settings.Macs
services.openssh.kexAlgorithms -> services.openssh.settings.KexAlgorithms
services.openssh.gatewayPorts -> services.openssh.settings.GatewayPorts

* release-notes: mention openssh renaming

* chore: regenerated release-notes
parent e74dc4bf
+65 −12
@@ -522,20 +522,73 @@
        <para>
          A few openssh options have been moved from extraConfig to the
          new freeform option <literal>settings</literal> and renamed as
          follow:
          follows:
        </para>
        <itemizedlist spacing="compact">
          <listitem>
            <para>
              <literal>services.openssh.forwardX11</literal> to
              <literal>services.openssh.settings.X11Forwarding</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.kbdInteractiveAuthentication</literal>
              -&gt;
              <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.passwordAuthentication</literal>
              to
          <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>,
          <literal>services.openssh.passwordAuthentication</literal> to
          <literal>services.openssh.settings.PasswordAuthentication</literal>,
              <literal>services.openssh.settings.PasswordAuthentication</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.useDns</literal> to
          <literal>services.openssh.settings.UseDns</literal>,
              <literal>services.openssh.settings.UseDns</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.permitRootLogin</literal> to
          <literal>services.openssh.settings.PermitRootLogin</literal>,
              <literal>services.openssh.settings.PermitRootLogin</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.logLevel</literal> to
          <literal>services.openssh.settings.LogLevel</literal>.
              <literal>services.openssh.settings.LogLevel</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.kexAlgorithms</literal> to
              <literal>services.openssh.settings.KexAlgorithms</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.macs</literal> to
              <literal>services.openssh.settings.Macs</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.cyphers</literal> to
              <literal>services.openssh.settings.Cyphers</literal>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>services.openssh.gatewayPorts</literal> to
              <literal>services.openssh.settings.GatewayPorts</literal>
            </para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>
          <literal>services.mastodon</literal> gained a tootctl wrapped
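Review bot: this generated XML carries two problems from the Markdown source. The kbdInteractiveAuthentication item uses `-&gt;` where every other item uses "to", and the names in `<literal>services.openssh.cyphers</literal>` / `<literal>services.openssh.settings.Cyphers</literal>` do not match the module: the option removed in this commit is `ciphers` and the one declared under `settings` is `Ciphers`. Since the commit message says this file was regenerated from the release notes, fix both in the Markdown and regenerate rather than hand-editing here.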
+11 −1
@@ -128,7 +128,17 @@ In addition to numerous new and upgraded packages, this release has the followin

- The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)

- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`.
- A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows:
  - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding`
  - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication`
  - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`
  - `services.openssh.useDns` to `services.openssh.settings.UseDns`
  - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`
  - `services.openssh.logLevel` to `services.openssh.settings.LogLevel`
  - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms`
  - `services.openssh.macs` to `services.openssh.settings.Macs`
  - `services.openssh.cyphers` to `services.openssh.settings.Cyphers`
  - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts`

- `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

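Review bot: the entry "`services.openssh.cyphers` to `services.openssh.settings.Cyphers`" names options that do not exist in the module; the option deleted in this commit is `services.openssh.ciphers` and the one added to `settings` is `Ciphers`, so the line should read `services.openssh.ciphers` to `services.openssh.settings.Ciphers`. While here, replace the lone `->` in the kbdInteractiveAuthentication item with "to" so all ten items read the same.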
+1 −1
@@ -282,7 +282,7 @@ in
  config = {

    programs.ssh.setXAuthLocation =
      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11);
      mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding);

    assertions =
      [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+1 −1
@@ -383,7 +383,7 @@ in
      "d /var/spool/slurmd 755 root root -"
    ];

    services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true);
    services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true);

    systemd.services.slurmctld = mkIf (cfg.server.enable) {
      path = with pkgs; [ wrappedSlurm munge coreutils ]
+79 −89
@@ -13,11 +13,12 @@ let
    else pkgs.buildPackages.openssh;

  # reports boolean as yes / no
  mkValueStringSshd = v:
  mkValueStringSshd = with lib; v:
        if isInt           v then toString v
        else if isString   v then v
        else if true  ==   v then "yes"
        else if false ==   v then "no"
        else if isList     v then concatStringsSep "," v
        else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";

  # dont use the "=" operator
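Review bot: the new `isList` branch, `else if isList v then concatStringsSep "," v`, only works for lists of strings; a list containing a bool or int makes `concatStringsSep` throw, and an empty list renders the keyword with no value, which sshd rejects when it parses sshd_config. Map the elements through the same function, e.g. `else if isList v then concatMapStringsSep "," mkValueStringSshd v`, and either assert the list is non-empty or skip the key when it is, so the failure is reported at evaluation time rather than when sshd starts.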
@@ -104,6 +105,11 @@ in
    (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [  "services" "openssh" "settings" "UseDns" ])
    (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [  "services" "openssh" "settings" "PermitRootLogin" ])
    (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [  "services" "openssh" "settings" "LogLevel" ])
    (mkRenamedOptionModule [ "services" "openssh" "macs" ] [  "services" "openssh" "settings" "Macs" ])
    (mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [  "services" "openssh" "settings" "Cyphers" ])
    (mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [  "services" "openssh" "settings" "KexAlgorithms" ])
    (mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [  "services" "openssh" "settings" "GatewayPorts" ])
    (mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [  "services" "openssh" "settings" "X11Forwarding" ])
  ];

  ###### interface
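Review bot: the rename `(mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ])` maps an option that never existed onto one that is never declared. The option removed further down in this commit is `ciphers` and the one added under `settings` is `Ciphers`, so an existing `services.openssh.ciphers = [ ... ]` now fails evaluation as an undefined option instead of getting a rename warning, and a user who follows the release note into `settings.Cyphers` ends up with a freeform key that sshd does not recognise as a keyword. Change it to `[ "services" "openssh" "ciphers" ] [ "services" "openssh" "settings" "Ciphers" ]`.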
@@ -131,14 +137,6 @@ in
        '';
      };

      forwardX11 = mkOption {
        type = types.bool;
        default = false;
        description = lib.mdDoc ''
          Whether to allow X11 connections to be forwarded.
        '';
      };

      allowSFTP = mkOption {
        type = types.bool;
        default = true;
@@ -167,16 +165,6 @@ in
        '';
      };

      gatewayPorts = mkOption {
        type = types.str;
        default = "no";
        description = lib.mdDoc ''
          Specifies whether remote hosts are allowed to connect to
          ports forwarded for the client.  See
          {manpage}`sshd_config(5)`.
        '';
      };

      ports = mkOption {
        type = types.listOf types.port;
        default = [22];
@@ -286,63 +274,6 @@ in
        '';
      };

      kexAlgorithms = mkOption {
        type = types.listOf types.str;
        default = [
          "sntrup761x25519-sha512@openssh.com"
          "curve25519-sha256"
          "curve25519-sha256@libssh.org"
          "diffie-hellman-group-exchange-sha256"
        ];
        description = lib.mdDoc ''
          Allowed key exchange algorithms

          Uses the lower bound recommended in both
          <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
          and
          <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
        '';
      };

      ciphers = mkOption {
        type = types.listOf types.str;
        default = [
          "chacha20-poly1305@openssh.com"
          "aes256-gcm@openssh.com"
          "aes128-gcm@openssh.com"
          "aes256-ctr"
          "aes192-ctr"
          "aes128-ctr"
        ];
        description = lib.mdDoc ''
          Allowed ciphers

          Defaults to recommended settings from both
          <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
          and
          <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
        '';
      };

      macs = mkOption {
        type = types.listOf types.str;
        default = [
          "hmac-sha2-512-etm@openssh.com"
          "hmac-sha2-256-etm@openssh.com"
          "umac-128-etm@openssh.com"
          "hmac-sha2-512"
          "hmac-sha2-256"
          "umac-128@openssh.com"
        ];
        description = lib.mdDoc ''
          Allowed MACs

          Defaults to recommended settings from both
          <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
          and
          <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
        '';
      };


      settings = mkOption {
@@ -374,7 +305,13 @@ in
                ~/.ssh/authorized_keys from and sshd_config Match Host directives.
              '';
            };

            X11Forwarding = mkOption {
              type = types.bool;
              default = false;
              description = lib.mdDoc ''
                Whether to allow X11 connections to be forwarded.
              '';
            };
            PasswordAuthentication = mkOption {
              type = types.bool;
              default = true;
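Review bot: style only: the other declarations in this submodule are separated by a blank line (see the one above `X11Forwarding`), but `};` of `X11Forwarding` runs straight into `PasswordAuthentication = mkOption {`; add the blank line so the block reads like its neighbours.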
@@ -396,6 +333,70 @@ in
                Specifies whether keyboard-interactive authentication is allowed.
              '';
            };
            GatewayPorts = mkOption {
              type = types.str;
              default = "no";
              description = lib.mdDoc ''
                Specifies whether remote hosts are allowed to connect to
                ports forwarded for the client.  See
                {manpage}`sshd_config(5)`.
              '';
            };
            KexAlgorithms = mkOption {
              type = types.listOf types.str;
              default = [
                "sntrup761x25519-sha512@openssh.com"
                "curve25519-sha256"
                "curve25519-sha256@libssh.org"
                "diffie-hellman-group-exchange-sha256"
              ];
              description = lib.mdDoc ''
                Allowed key exchange algorithms

                Uses the lower bound recommended in both
                <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
                and
                <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
              '';
            };
            Macs = mkOption {
              type = types.listOf types.str;
              default = [
                "hmac-sha2-512-etm@openssh.com"
                "hmac-sha2-256-etm@openssh.com"
                "umac-128-etm@openssh.com"
                "hmac-sha2-512"
                "hmac-sha2-256"
                "umac-128@openssh.com"
              ];
              description = lib.mdDoc ''
                Allowed MACs

                Defaults to recommended settings from both
                <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
                and
                <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
              '';
            };
            Ciphers = mkOption {
              type = types.listOf types.str;
              default = [
                "chacha20-poly1305@openssh.com"
                "aes256-gcm@openssh.com"
                "aes128-gcm@openssh.com"
                "aes256-ctr"
                "aes192-ctr"
                "aes128-ctr"
              ];
              description = lib.mdDoc ''
                Allowed ciphers

                Defaults to recommended settings from both
                <https://stribika.github.io/2015/01/04/secure-secure-shell.html>
                and
                <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67>
              '';
            };
          };
        });
      };
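Review bot: `GatewayPorts` is declared as `types.str` with default `"no"`, but sshd_config(5) only accepts `yes`, `no` and `clientspecified` for it; `type = types.enum [ "no" "yes" "clientspecified" ];` would reject a typo at evaluation time instead of at sshd start. Also, the option is named `Macs` while the template it replaces emitted the keyword as `MACs`; sshd matches keywords case-insensitively so the generated `Macs ...` line still works, but since the stated goal of this change is to match the sshd_config spelling, `MACs` would be the faithful name. Minor: the `KexAlgorithms`, `Macs` and `Ciphers` descriptions carry over "Allowed key exchange algorithms" etc. without a trailing period, unlike the other descriptions in this submodule.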
@@ -555,17 +556,10 @@ in
        ${optionalString cfgc.setXAuthLocation ''
            XAuthLocation ${pkgs.xorg.xauth}/bin/xauth
        ''}

        X11Forwarding ${if cfg.forwardX11 then "yes" else "no"}

        ${optionalString cfg.allowSFTP ''
          Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
        ''}

        GatewayPorts ${cfg.gatewayPorts}

        PrintMotd no # handled by pam_motd

        AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
        ${optionalString (cfg.authorizedKeysCommand != "none") ''
          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
@@ -575,13 +569,9 @@ in
        ${flip concatMapStrings cfg.hostKeys (k: ''
          HostKey ${k.path}
        '')}

        KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
        Ciphers ${concatStringsSep "," cfg.ciphers}
        MACs ${concatStringsSep "," cfg.macs}
      '';

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
    assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
                    message = "cannot enable X11 forwarding without setting xauth location";}]
      ++ forEach cfg.listenAddresses ({ addr, ... }: {
        assertion = addr != null;
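Review bot: style: `assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;` is the same predicate as `cfg.settings.X11Forwarding -> cfgc.setXAuthLocation`, which is the form the programs.ssh module uses in this very PR (`cfg.forwardX11 -> cfg.setXAuthLocation`); use the implication operator for consistency. Separately, the `KexAlgorithms`, `Ciphers` and `MACs` lines removed here were emitted unconditionally, so the hardened defaults now depend entirely on `settings` rendering its declared defaults; a VM test that checks `sshd -T` output for these three keywords on an otherwise default configuration would pin that behaviour.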