services.openssh: rename several settings (#211991)

* services.openssh: rename several settings

... to match the sshd config format (makes transition smoother), namely:
services.openssh.forwardX11 -> services.openssh.settings.X11Forwarding
services.openssh.cyphers -> services.openssh.settings.Cyphers
services.openssh.macs -> services.openssh.settings.Macs
services.openssh.kexAlgorithms -> services.openssh.settings.KexAlgorithms
services.openssh.gatewayPorts -> services.openssh.settings.GatewayPorts

* release-notes: mention openssh renaming

* chore: regenerated release-notes

authored by Matthieu Coudron and committed by GitHub ef5da70d e74dc4bf

+157 -104
+65 -12
nixos/doc/manual/from_md/release-notes/rl-2305.section.xml
··· 522 522 <para> 523 523 A few openssh options have been moved from extraConfig to the 524 524 new freeform option <literal>settings</literal> and renamed as 525 - follow: 526 - <literal>services.openssh.kbdInteractiveAuthentication</literal> 527 - to 528 - <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>, 529 - <literal>services.openssh.passwordAuthentication</literal> to 530 - <literal>services.openssh.settings.PasswordAuthentication</literal>, 531 - <literal>services.openssh.useDns</literal> to 532 - <literal>services.openssh.settings.UseDns</literal>, 533 - <literal>services.openssh.permitRootLogin</literal> to 534 - <literal>services.openssh.settings.PermitRootLogin</literal>, 535 - <literal>services.openssh.logLevel</literal> to 536 - <literal>services.openssh.settings.LogLevel</literal>. 525 + follows: 537 526 </para> 527 + <itemizedlist spacing="compact"> 528 + <listitem> 529 + <para> 530 + <literal>services.openssh.forwardX11</literal> to 531 + <literal>services.openssh.settings.X11Forwarding</literal> 532 + </para> 533 + </listitem> 534 + <listitem> 535 + <para> 536 + <literal>services.openssh.kbdInteractiveAuthentication</literal> 537 + -&gt; 538 + <literal>services.openssh.settings.KbdInteractiveAuthentication</literal> 539 + </para> 540 + </listitem> 541 + <listitem> 542 + <para> 543 + <literal>services.openssh.passwordAuthentication</literal> 544 + to 545 + <literal>services.openssh.settings.PasswordAuthentication</literal> 546 + </para> 547 + </listitem> 548 + <listitem> 549 + <para> 550 + <literal>services.openssh.useDns</literal> to 551 + <literal>services.openssh.settings.UseDns</literal> 552 + </para> 553 + </listitem> 554 + <listitem> 555 + <para> 556 + <literal>services.openssh.permitRootLogin</literal> to 557 + <literal>services.openssh.settings.PermitRootLogin</literal> 558 + </para> 559 + </listitem> 560 + <listitem> 561 + <para> 562 + <literal>services.openssh.logLevel</literal> to 563 + 
<literal>services.openssh.settings.LogLevel</literal> 564 + </para> 565 + </listitem> 566 + <listitem> 567 + <para> 568 + <literal>services.openssh.kexAlgorithms</literal> to 569 + <literal>services.openssh.settings.KexAlgorithms</literal> 570 + </para> 571 + </listitem> 572 + <listitem> 573 + <para> 574 + <literal>services.openssh.macs</literal> to 575 + <literal>services.openssh.settings.Macs</literal> 576 + </para> 577 + </listitem> 578 + <listitem> 579 + <para> 580 + <literal>services.openssh.cyphers</literal> to 581 + <literal>services.openssh.settings.Cyphers</literal> 582 + </para> 583 + </listitem> 584 + <listitem> 585 + <para> 586 + <literal>services.openssh.gatewayPorts</literal> to 587 + <literal>services.openssh.settings.GatewayPorts</literal> 588 + </para> 589 + </listitem> 590 + </itemizedlist> 538 591 </listitem> 539 592 <listitem> 540 593 <para>
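Review bot: the `kbdInteractiveAuthentication` listitem renders its arrow as `-&gt;` while every other item in the new itemizedlist reads "to"; since this file is generated from rl-2305.section.md, the wording should be made consistent ("to" throughout) in the markdown source and this XML regenerated rather than edited by hand. The same regeneration should pick up the `cyphers`/`Cyphers` naming mismatch raised on the markdown file below.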
+11 -1
nixos/doc/manual/release-notes/rl-2305.section.md
··· 128 128 129 129 - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package) 130 130 131 - - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`. 131 + - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follows: 132 + - `services.openssh.forwardX11` to `services.openssh.settings.X11Forwarding` 133 + - `services.openssh.kbdInteractiveAuthentication` -> `services.openssh.settings.KbdInteractiveAuthentication` 134 + - `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication` 135 + - `services.openssh.useDns` to `services.openssh.settings.UseDns` 136 + - `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin` 137 + - `services.openssh.logLevel` to `services.openssh.settings.LogLevel` 138 + - `services.openssh.kexAlgorithms` to `services.openssh.settings.KexAlgorithms` 139 + - `services.openssh.macs` to `services.openssh.settings.Macs` 140 + - `services.openssh.cyphers` to `services.openssh.settings.Cyphers` 141 + - `services.openssh.gatewayPorts` to `services.openssh.settings.GatewayPorts` 132 142 133 143 - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured 
mastodon user with sudo and sources the environment variables. 134 144
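Review bot: the new bullet `services.openssh.cyphers` to `services.openssh.settings.Cyphers` names options that do not exist in the module: the option removed in sshd.nix is `ciphers` and the option added under `settings` is `Ciphers`, so the release note should read `services.openssh.ciphers` to `services.openssh.settings.Ciphers`. While here, the `kbdInteractiveAuthentication` bullet uses `->` where the other nine use "to"; pick one form for the whole list.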
+1 -1
nixos/modules/programs/ssh.nix
··· 282 282 config = { 283 283 284 284 programs.ssh.setXAuthLocation = 285 - mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.forwardX11); 285 + mkDefault (config.services.xserver.enable || config.programs.ssh.forwardX11 || config.services.openssh.settings.X11Forwarding); 286 286 287 287 assertions = 288 288 [ { assertion = cfg.forwardX11 -> cfg.setXAuthLocation;
+1 -1
nixos/modules/services/computing/slurm/slurm.nix
··· 383 383 "d /var/spool/slurmd 755 root root -" 384 384 ]; 385 385 386 - services.openssh.forwardX11 = mkIf cfg.client.enable (mkDefault true); 386 + services.openssh.settings.X11Forwarding = mkIf cfg.client.enable (mkDefault true); 387 387 388 388 systemd.services.slurmctld = mkIf (cfg.server.enable) { 389 389 path = with pkgs; [ wrappedSlurm munge coreutils ]
+79 -89
nixos/modules/services/networking/ssh/sshd.nix
··· 13 13 else pkgs.buildPackages.openssh; 14 14 15 15 # reports boolean as yes / no 16 - mkValueStringSshd = v: 16 + mkValueStringSshd = with lib; v: 17 17 if isInt v then toString v 18 18 else if isString v then v 19 19 else if true == v then "yes" 20 20 else if false == v then "no" 21 + else if isList v then concatStringsSep "," v 21 22 else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}"; 22 23 23 24 # dont use the "=" operator ··· 104 105 (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [ "services" "openssh" "settings" "UseDns" ]) 105 106 (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [ "services" "openssh" "settings" "PermitRootLogin" ]) 106 107 (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [ "services" "openssh" "settings" "LogLevel" ]) 108 + (mkRenamedOptionModule [ "services" "openssh" "macs" ] [ "services" "openssh" "settings" "Macs" ]) 109 + (mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ]) 110 + (mkRenamedOptionModule [ "services" "openssh" "kexAlgorithms" ] [ "services" "openssh" "settings" "KexAlgorithms" ]) 111 + (mkRenamedOptionModule [ "services" "openssh" "gatewayPorts" ] [ "services" "openssh" "settings" "GatewayPorts" ]) 112 + (mkRenamedOptionModule [ "services" "openssh" "forwardX11" ] [ "services" "openssh" "settings" "X11Forwarding" ]) 107 113 ]; 108 114 109 115 ###### interface ··· 131 137 ''; 132 138 }; 133 139 134 - forwardX11 = mkOption { 135 - type = types.bool; 136 - default = false; 137 - description = lib.mdDoc '' 138 - Whether to allow X11 connections to be forwarded. 139 - ''; 140 - }; 141 - 142 140 allowSFTP = mkOption { 143 141 type = types.bool; 144 142 default = true; ··· 167 165 ''; 168 166 }; 169 167 170 - gatewayPorts = mkOption { 171 - type = types.str; 172 - default = "no"; 173 - description = lib.mdDoc '' 174 - Specifies whether remote hosts are allowed to connect to 175 - ports forwarded for the client. 
See 176 - {manpage}`sshd_config(5)`. 177 - ''; 178 - }; 179 - 180 168 ports = mkOption { 181 169 type = types.listOf types.port; 182 170 default = [22]; ··· 286 274 ''; 287 275 }; 288 276 289 - kexAlgorithms = mkOption { 290 - type = types.listOf types.str; 291 - default = [ 292 - "sntrup761x25519-sha512@openssh.com" 293 - "curve25519-sha256" 294 - "curve25519-sha256@libssh.org" 295 - "diffie-hellman-group-exchange-sha256" 296 - ]; 297 - description = lib.mdDoc '' 298 - Allowed key exchange algorithms 299 - 300 - Uses the lower bound recommended in both 301 - <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 302 - and 303 - <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 304 - ''; 305 - }; 306 - 307 - ciphers = mkOption { 308 - type = types.listOf types.str; 309 - default = [ 310 - "chacha20-poly1305@openssh.com" 311 - "aes256-gcm@openssh.com" 312 - "aes128-gcm@openssh.com" 313 - "aes256-ctr" 314 - "aes192-ctr" 315 - "aes128-ctr" 316 - ]; 317 - description = lib.mdDoc '' 318 - Allowed ciphers 319 - 320 - Defaults to recommended settings from both 321 - <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 322 - and 323 - <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 324 - ''; 325 - }; 326 - 327 - macs = mkOption { 328 - type = types.listOf types.str; 329 - default = [ 330 - "hmac-sha2-512-etm@openssh.com" 331 - "hmac-sha2-256-etm@openssh.com" 332 - "umac-128-etm@openssh.com" 333 - "hmac-sha2-512" 334 - "hmac-sha2-256" 335 - "umac-128@openssh.com" 336 - ]; 337 - description = lib.mdDoc '' 338 - Allowed MACs 339 - 340 - Defaults to recommended settings from both 341 - <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 342 - and 343 - <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 344 - ''; 345 - }; 346 277 347 278 348 279 settings = mkOption { ··· 374 305 ~/.ssh/authorized_keys from and sshd_config Match Host directives. 
375 306 ''; 376 307 }; 377 - 308 + X11Forwarding = mkOption { 309 + type = types.bool; 310 + default = false; 311 + description = lib.mdDoc '' 312 + Whether to allow X11 connections to be forwarded. 313 + ''; 314 + }; 378 315 PasswordAuthentication = mkOption { 379 316 type = types.bool; 380 317 default = true; ··· 394 331 default = true; 395 332 description = lib.mdDoc '' 396 333 Specifies whether keyboard-interactive authentication is allowed. 334 + ''; 335 + }; 336 + GatewayPorts = mkOption { 337 + type = types.str; 338 + default = "no"; 339 + description = lib.mdDoc '' 340 + Specifies whether remote hosts are allowed to connect to 341 + ports forwarded for the client. See 342 + {manpage}`sshd_config(5)`. 343 + ''; 344 + }; 345 + KexAlgorithms = mkOption { 346 + type = types.listOf types.str; 347 + default = [ 348 + "sntrup761x25519-sha512@openssh.com" 349 + "curve25519-sha256" 350 + "curve25519-sha256@libssh.org" 351 + "diffie-hellman-group-exchange-sha256" 352 + ]; 353 + description = lib.mdDoc '' 354 + Allowed key exchange algorithms 355 + 356 + Uses the lower bound recommended in both 357 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 358 + and 359 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 360 + ''; 361 + }; 362 + Macs = mkOption { 363 + type = types.listOf types.str; 364 + default = [ 365 + "hmac-sha2-512-etm@openssh.com" 366 + "hmac-sha2-256-etm@openssh.com" 367 + "umac-128-etm@openssh.com" 368 + "hmac-sha2-512" 369 + "hmac-sha2-256" 370 + "umac-128@openssh.com" 371 + ]; 372 + description = lib.mdDoc '' 373 + Allowed MACs 374 + 375 + Defaults to recommended settings from both 376 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 377 + and 378 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 379 + ''; 380 + }; 381 + Ciphers = mkOption { 382 + type = types.listOf types.str; 383 + default = [ 384 + "chacha20-poly1305@openssh.com" 385 + "aes256-gcm@openssh.com" 386 + 
"aes128-gcm@openssh.com" 387 + "aes256-ctr" 388 + "aes192-ctr" 389 + "aes128-ctr" 390 + ]; 391 + description = lib.mdDoc '' 392 + Allowed ciphers 393 + 394 + Defaults to recommended settings from both 395 + <https://stribika.github.io/2015/01/04/secure-secure-shell.html> 396 + and 397 + <https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67> 397 398 ''; 398 399 }; 399 400 }; ··· 555 556 ${optionalString cfgc.setXAuthLocation '' 556 557 XAuthLocation ${pkgs.xorg.xauth}/bin/xauth 557 558 ''} 558 - 559 - X11Forwarding ${if cfg.forwardX11 then "yes" else "no"} 560 - 561 559 ${optionalString cfg.allowSFTP '' 562 560 Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} 563 561 ''} 564 - 565 - GatewayPorts ${cfg.gatewayPorts} 566 - 567 562 PrintMotd no # handled by pam_motd 568 - 569 563 AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} 570 564 ${optionalString (cfg.authorizedKeysCommand != "none") '' 571 565 AuthorizedKeysCommand ${cfg.authorizedKeysCommand} ··· 575 569 ${flip concatMapStrings cfg.hostKeys (k: '' 576 570 HostKey ${k.path} 577 571 '')} 578 - 579 - KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms} 580 - Ciphers ${concatStringsSep "," cfg.ciphers} 581 - MACs ${concatStringsSep "," cfg.macs} 582 572 ''; 583 573 584 - assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; 574 + assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true; 585 575 message = "cannot enable X11 forwarding without setting xauth location";}] 586 576 ++ forEach cfg.listenAddresses ({ addr, ... }: { 587 577 assertion = addr != null;
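Review bot: the new rename entry `(mkRenamedOptionModule [ "services" "openssh" "cyphers" ] [ "services" "openssh" "settings" "Cyphers" ])` does not match the options actually touched in this file: the removed option is `ciphers` (the `ciphers = mkOption { ... }` block deleted below it) and the added option is `settings.Ciphers`. As written, users who still set `services.openssh.ciphers` get an undefined-option evaluation error instead of the rename warning, and anyone who follows the alias ends up with a freeform `settings.Cyphers` key that the generator will emit into sshd_config as a `Cyphers` line, which sshd rejects as a bad configuration option, so the hardened cipher list would silently not apply. The entry should read `(mkRenamedOptionModule [ "services" "openssh" "ciphers" ] [ "services" "openssh" "settings" "Ciphers" ])`. Two smaller points: the new `isList` branch in `mkValueStringSshd` assumes list elements are strings (`concatStringsSep` will fail on a list of ints), so either document that or map `mkValueStringSshd` over the elements first; and `GatewayPorts` keeps `types.str` where `types.enum [ "no" "yes" "clientspecified" ]` would catch typos at evaluation time, matching the values documented in sshd_config(5).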