+8 -1

nixos/modules/config/gnu.nix

··· 9 9 default = false; 10 10 description = 11 11 '' When enabled, GNU software is chosen by default whenever a there is 12 12 - a choice between GNU and non-GNU software. 12 12 + a choice between GNU and non-GNU software (e.g., GNU lsh 13 13 + vs. OpenSSH). 13 14 ''; 14 15 }; 15 16 }; ··· 31 32 # GNU GRUB, where available. 32 33 boot.loader.grub.enable = !pkgs.stdenv.isArm; 33 34 boot.loader.grub.version = 2; 35 35 + 36 36 + # GNU lsh. 37 37 + services.openssh.enable = false; 38 38 + services.lshd.enable = true; 39 39 + programs.ssh.startAgent = false; 40 40 + services.xserver.startGnuPGAgent = true; 34 41 35 42 # TODO: GNU dico. 36 43 # TODO: GNU Inetutils' inetd.

+176

nixos/modules/services/networking/ssh/lshd.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + 7 7 + inherit (pkgs) lsh; 8 8 + 9 9 + cfg = config.services.lshd; 10 10 + 11 11 + in 12 12 + 13 13 + { 14 14 + 15 15 + ###### interface 16 16 + 17 17 + options = { 18 18 + 19 19 + services.lshd = { 20 20 + 21 21 + enable = mkOption { 22 22 + default = false; 23 23 + description = '' 24 24 + Whether to enable the GNU lshd SSH2 daemon, which allows 25 25 + secure remote login. 26 26 + ''; 27 27 + }; 28 28 + 29 29 + portNumber = mkOption { 30 30 + default = 22; 31 31 + description = '' 32 32 + The port on which to listen for connections. 33 33 + ''; 34 34 + }; 35 35 + 36 36 + interfaces = mkOption { 37 37 + default = []; 38 38 + description = '' 39 39 + List of network interfaces where listening for connections. 40 40 + When providing the empty list, `[]', lshd listens on all 41 41 + network interfaces. 42 42 + ''; 43 43 + example = [ "localhost" "1.2.3.4:443" ]; 44 44 + }; 45 45 + 46 46 + hostKey = mkOption { 47 47 + default = "/etc/lsh/host-key"; 48 48 + description = '' 49 49 + Path to the server's private key. Note that this key must 50 50 + have been created, e.g., using "lsh-keygen --server | 51 51 + lsh-writekey --server", so that you can run lshd. 52 52 + ''; 53 53 + }; 54 54 + 55 55 + syslog = mkOption { 56 56 + default = true; 57 57 + description = ''Whether to enable syslog output.''; 58 58 + }; 59 59 + 60 60 + passwordAuthentication = mkOption { 61 61 + default = true; 62 62 + description = ''Whether to enable password authentication.''; 63 63 + }; 64 64 + 65 65 + publicKeyAuthentication = mkOption { 66 66 + default = true; 67 67 + description = ''Whether to enable public key authentication.''; 68 68 + }; 69 69 + 70 70 + rootLogin = mkOption { 71 71 + default = false; 72 72 + description = ''Whether to enable remote root login.''; 73 73 + }; 74 74 + 75 75 + loginShell = mkOption { 76 76 + default = null; 77 77 + description = '' 78 78 + If non-null, override the default login shell with the 79 79 + specified value. 80 80 + ''; 81 81 + example = "/nix/store/xyz-bash-10.0/bin/bash10"; 82 82 + }; 83 83 + 84 84 + srpKeyExchange = mkOption { 85 85 + default = false; 86 86 + description = '' 87 87 + Whether to enable SRP key exchange and user authentication. 88 88 + ''; 89 89 + }; 90 90 + 91 91 + tcpForwarding = mkOption { 92 92 + default = true; 93 93 + description = ''Whether to enable TCP/IP forwarding.''; 94 94 + }; 95 95 + 96 96 + x11Forwarding = mkOption { 97 97 + default = true; 98 98 + description = ''Whether to enable X11 forwarding.''; 99 99 + }; 100 100 + 101 101 + subsystems = mkOption { 102 102 + description = '' 103 103 + List of subsystem-path pairs, where the head of the pair 104 104 + denotes the subsystem name, and the tail denotes the path to 105 105 + an executable implementing it. 106 106 + ''; 107 107 + }; 108 108 + 109 109 + }; 110 110 + 111 111 + }; 112 112 + 113 113 + 114 114 + ###### implementation 115 115 + 116 116 + config = mkIf cfg.enable { 117 117 + 118 118 + services.lshd.subsystems = [ ["sftp" "${pkgs.lsh}/sbin/sftp-server"] ]; 119 119 + 120 120 + systemd.services.lshd = { 121 121 + description = "GNU lshd SSH2 daemon"; 122 122 + 123 123 + after = [ "network-interfaces.target" ]; 124 124 + 125 125 + wantedBy = [ "multi-user.target" ]; 126 126 + 127 127 + environment = { 128 128 + LD_LIBRARY_PATH = config.system.nssModules.path; 129 129 + }; 130 130 + 131 131 + preStart = '' 132 132 + test -d /etc/lsh || mkdir -m 0755 -p /etc/lsh 133 133 + test -d /var/spool/lsh || mkdir -m 0755 -p /var/spool/lsh 134 134 + 135 135 + if ! test -f /var/spool/lsh/yarrow-seed-file 136 136 + then 137 137 + # XXX: It would be nice to provide feedback to the 138 138 + # user when this fails, so that they can retry it 139 139 + # manually. 140 140 + ${lsh}/bin/lsh-make-seed --sloppy \ 141 141 + -o /var/spool/lsh/yarrow-seed-file 142 142 + fi 143 143 + 144 144 + if ! test -f "${cfg.hostKey}" 145 145 + then 146 146 + ${lsh}/bin/lsh-keygen --server | \ 147 147 + ${lsh}/bin/lsh-writekey --server -o "${cfg.hostKey}" 148 148 + fi 149 149 + ''; 150 150 + 151 151 + script = with cfg; '' 152 152 + ${lsh}/sbin/lshd --daemonic \ 153 153 + --password-helper="${lsh}/sbin/lsh-pam-checkpw" \ 154 154 + -p ${toString portNumber} \ 155 155 + ${if interfaces == [] then "" 156 156 + else (concatStrings (map (i: "--interface=\"${i}\"") 157 157 + interfaces))} \ 158 158 + -h "${hostKey}" \ 159 159 + ${if !syslog then "--no-syslog" else ""} \ 160 160 + ${if passwordAuthentication then "--password" else "--no-password" } \ 161 161 + ${if publicKeyAuthentication then "--publickey" else "--no-publickey" } \ 162 162 + ${if rootLogin then "--root-login" else "--no-root-login" } \ 163 163 + ${if loginShell != null then "--login-shell=\"${loginShell}\"" else "" } \ 164 164 + ${if srpKeyExchange then "--srp-keyexchange" else "--no-srp-keyexchange" } \ 165 165 + ${if !tcpForwarding then "--no-tcpip-forward" else "--tcpip-forward"} \ 166 166 + ${if x11Forwarding then "--x11-forward" else "--no-x11-forward" } \ 167 167 + --subsystems=${concatStringsSep "," 168 168 + (map (pair: (head pair) + "=" + 169 169 + (head (tail pair))) 170 170 + subsystems)} 171 171 + ''; 172 172 + }; 173 173 + 174 174 + security.pam.services.lshd = {}; 175 175 + }; 176 176 + }

+49

pkgs/tools/networking/lsh/default.nix

··· 1 1 + { stdenv, fetchurl, gperf, guile, gmp, zlib, liboop, readline, gnum4, pam 2 2 + , nettools, lsof, procps }: 3 3 + 4 4 + stdenv.mkDerivation rec { 5 5 + name = "lsh-2.0.4"; 6 6 + src = fetchurl { 7 7 + url = "mirror://gnu/lsh/${name}.tar.gz"; 8 8 + sha256 = "614b9d63e13ad3e162c82b6405d1f67713fc622a8bc11337e72949d613713091"; 9 9 + }; 10 10 + 11 11 + patches = [ ./pam-service-name.patch ./lshd-no-root-login.patch ]; 12 12 + 13 13 + preConfigure = '' 14 14 + # Patch `lsh-make-seed' so that it can gather enough entropy. 15 15 + sed -i "src/lsh-make-seed.c" \ 16 16 + -e "s|/usr/sbin/arp|${nettools}/sbin/arp|g ; 17 17 + s|/usr/bin/netstat|${nettools}/bin/netstat|g ; 18 18 + s|/usr/local/bin/lsof|${lsof}/bin/lsof|g ; 19 19 + s|/bin/vmstat|${procps}/bin/vmstat|g ; 20 20 + s|/bin/ps|${procps}/bin/sp|g ; 21 21 + s|/usr/bin/w|${procps}/bin/w|g ; 22 22 + s|/usr/bin/df|$(type -P df)|g ; 23 23 + s|/usr/bin/ipcs|$(type -P ipcs)|g ; 24 24 + s|/usr/bin/uptime|$(type -P uptime)|g" 25 25 + 26 26 + # Skip the `configure' script that checks whether /dev/ptmx & co. work as 27 27 + # expected, because it relies on impurities (for instance, /dev/pts may 28 28 + # be unavailable in chroots.) 29 29 + export lsh_cv_sys_unix98_ptys=yes 30 30 + ''; 31 31 + 32 32 + buildInputs = [ gperf guile gmp zlib liboop readline gnum4 pam ]; 33 33 + 34 34 + meta = { 35 35 + description = "GPL'd implementation of the SSH protocol"; 36 36 + 37 37 + longDescription = '' 38 38 + lsh is a free implementation (in the GNU sense) of the ssh 39 39 + version 2 protocol, currently being standardised by the IETF 40 40 + SECSH working group. 41 41 + ''; 42 42 + 43 43 + homepage = http://www.lysator.liu.se/~nisse/lsh/; 44 44 + license = stdenv.lib.licenses.gpl2Plus; 45 45 + 46 46 + maintainers = [ ]; 47 47 + platforms = [ "x86_64-linux" ]; 48 48 + }; 49 49 + }

+16

pkgs/tools/networking/lsh/lshd-no-root-login.patch

··· 1 1 + Correctly handle the `--no-root-login' option. 2 2 + 3 3 + --- lsh-2.0.4/src/lshd.c 2006-05-01 13:47:44.000000000 +0200 4 4 + +++ lsh-2.0.4/src/lshd.c 2009-09-08 12:20:36.000000000 +0200 5 5 + @@ -758,6 +758,10 @@ main_argp_parser(int key, char *arg, str 6 6 + self->allow_root = 1; 7 7 + break; 8 8 + 9 9 + + case OPT_NO_ROOT_LOGIN: 10 10 + + self->allow_root = 0; 11 11 + + break; 12 12 + + 13 13 + case OPT_KERBEROS_PASSWD: 14 14 + self->pw_helper = PATH_KERBEROS_HELPER; 15 15 + break; 16 16 +

+14

pkgs/tools/networking/lsh/pam-service-name.patch

··· 1 1 + Tell `lsh-pam-checkpw', the PAM password helper program, to use a more 2 2 + descriptive service name. 3 3 + 4 4 + --- lsh-2.0.4/src/lsh-pam-checkpw.c 2003-02-16 22:30:10.000000000 +0100 5 5 + +++ lsh-2.0.4/src/lsh-pam-checkpw.c 2008-11-28 16:16:58.000000000 +0100 6 6 + @@ -38,7 +38,7 @@ 7 7 + #include <security/pam_appl.h> 8 8 + 9 9 + #define PWD_MAXLEN 1024 10 10 + -#define SERVICE_NAME "other" 11 11 + +#define SERVICE_NAME "lshd" 12 12 + #define TIMEOUT 600 13 13 + 14 14 + static int

+4

pkgs/top-level/all-packages.nix

··· 2452 2452 2453 2453 lsb-release = callPackage ../os-specific/linux/lsb-release { }; 2454 2454 2455 2455 + # lsh installs `bin/nettle-lfib-stream' and so does Nettle. Give the 2456 2456 + # former a lower priority than Nettle. 2457 2457 + lsh = lowPrio (callPackage ../tools/networking/lsh { }); 2458 2458 + 2455 2459 lshw = callPackage ../tools/system/lshw { }; 2456 2460 2457 2461 lxc = callPackage ../os-specific/linux/lxc { };