Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/sshd: implement support for Match groups #56345

Closed
wants to merge 1 commit into from

Conversation

Ma27
Copy link
Member

@Ma27 Ma27 commented Feb 25, 2019

Motivation for this change

This patch makes it way harder to screw Match groups in an sshd config
up. With a broken SSH, reverting with tools like nixops is way harder,
in some cases impossible.

The diff seems larger than it actually is, mainly because I moved all
options that can be used "globally" and in a Match group into its own
attribute set that will be merged into options.services.openssh and
for the matches submodule.

The Match config will be appended to /etc/ssh/sshd_config using
mkOrder 9999 to ensure that no extraConfig will be appended
afterwards and only applies to the last Match group.

It can be used like this now:

{
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    matches = [
      {
        # the given config only applies to the 10.23.42.0/24 subnet
        match."10.23.42.0/24" = "Address";
        config.permitRootLogin = "yes";
      }
    ];
  };
}

Finally extended the openssh testcase with another machine to demonstrate
the functionality by permitting root logins only from certain IPs.


Some additional notes:

  • I didn't add a changelog entry yet, as I'm not sure if this will land in 19.03
  • I've tested this in a local VM network and added another NixOS test. I'll deploy this to one of my machines in my personal setup later this afternoon just to confirm (EDIT: done)
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@Ma27 Ma27 requested a review from infinisil as a code owner February 25, 2019 13:44
@GrahamcOfBorg GrahamcOfBorg added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Feb 25, 2019
@Ma27
Copy link
Member Author

Ma27 commented Feb 25, 2019

@GrahamcOfBorg test openssh

@Ma27
Copy link
Member Author

Ma27 commented Feb 25, 2019

The test breaks on aarch64 because of a timeout btw.

Verified

This commit was signed with the committer’s verified signature. The key has expired.
Ma27 Maximilian Bosch
This patch makes it way harder to screw Match groups in an `sshd` config
up. With a broken SSH, reverting with tools like `nixops` is way harder,
in some cases impossible.

The diff seems larger than it actually is, mainly because I moved all
options that can be used "globally" and in a `Match` group into its own
attribute set that will be merged into `options.services.openssh` and
for the `matches` submodule.

The `Match` config will be appended to `/etc/ssh/sshd_config` using
`mkOrder 9999` to ensure that no `extraConfig` will be appended
afterwards and only applies to the last Match group.

It can be used like this now:

``` nix
{
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    matches = [
      {
        # the given config only applies to the 10.23.42.0/24 subnet
        match."10.23.42.0/24" = "Address";
        config.permitRootLogin = "yes";
      }
    ];
  };
}
```

Finally extended the `openssh` testcase with another machine to demonstrate
the functionality by permitting root logins only from certain IPs.
@Ma27 Ma27 force-pushed the implement-match-sections-for-sshd branch from d3793d9 to 7b1261c Compare February 25, 2019 15:05
@Ma27
Copy link
Member Author

Ma27 commented Feb 25, 2019

@GrahamcOfBorg test openssh

};

config = mkOption {
type = types.submodule ({ options = generalOptions; });
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably want to merge the values here with the configs from services.openssh. So if somebody sets services.openssh.permitRootLogin to no, each Match group should also have permitRootLogin set to no.

But I'll wait for some reviews from other folks, before spending more time on this :)

@Ma27
Copy link
Member Author

Ma27 commented Mar 23, 2019

Closing for now, mainly because of NixOS/rfcs#42 (also discussed in #nixos-chat some weeks ago).

I'm in favor of that approach and this adds even more complexity to the module system and hence makes the situation even worse. The main goal (making it harder to screw up ssh configs) can be achieved using sshd's config validation. I'll look how we can do this for our sshd_config and file a patch soon :)

@Ma27 Ma27 closed this Mar 23, 2019
@Ma27 Ma27 deleted the implement-match-sections-for-sshd branch March 23, 2019 23:40
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request May 24, 2019

Verified

This commit was signed with the committer’s verified signature. The key has expired.
Ma27 Maximilian Bosch
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in NixOS#56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants