nixos/sshd: implement support for Match groups #56345
@GrahamcOfBorg test openssh

The test breaks on aarch64 because of a timeout btw.
This patch makes it way harder to screw Match groups in an `sshd` config up. With a broken SSH, reverting with tools like `nixops` is way harder, in some cases impossible.

The diff seems larger than it actually is, mainly because I moved all options that can be used "globally" and in a `Match` group into its own attribute set that will be merged into `options.services.openssh` and for the `matches` submodule. The `Match` config will be appended to `/etc/ssh/sshd_config` using `mkOrder 9999` to ensure that no `extraConfig` will be appended afterwards and only applies to the last Match group.

It can be used like this now:

```nix
{
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    matches = [
      {
        # the given config only applies to the 10.23.42.0/24 subnet
        match."10.23.42.0/24" = "Address";
        config.permitRootLogin = "yes";
      }
    ];
  };
}
```

Finally extended the `openssh` testcase with another machine to demonstrate the functionality by permitting root logins only from certain IPs.
@GrahamcOfBorg test openssh
```nix
  };

  config = mkOption {
    type = types.submodule ({ options = generalOptions; });
```
We probably want to merge the values here with the configs from `services.openssh`. So if somebody sets `services.openssh.permitRootLogin` to `no`, each `Match` group should also have `permitRootLogin` set to `no`.

But I'll wait for some reviews from other folks, before spending more time on this :)
Closing for now, mainly because of NixOS/rfcs#42 (also discussed in I'm in favor of that approach and this adds even more complexity to the module system and hence makes the situation even worse. The main goal (making it harder to screw up ssh configs) can be achieved using sshd's config validation. I'll look how we can do this for our sshd_config and file a patch soon :)
With `sshd -t` config validation for SSH is possible. Until now, the config generated by Nix was applied without any validation (which is especially a problem for advanced config like `Match` blocks). When deploying broken ssh config with nixops to a remote machine it gets even harder to fix the problem due to the broken ssh that makes reverts with nixops impossible. This change performs the validation in a Nix build environment by creating a store path with the config and generating a mocked host key which seems to be needed for the validation. With a broken config, the deployment already fails during the build of the derivation. The original attempt was done in NixOS#56345 by adding a submodule for Match groups to make it harder to screw that up, however that made the module far more complex and config should be described in an easier way as described in NixOS/rfcs#42.
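As an added example (not code from this PR or from the nixpkgs module), the build-time validation the commit message above describes, applied to a constructed `sshd_config` that contains the kind of `Match` block the PR description uses. Assumptions: `pkgs.openssh` supplies `sshd` and `ssh-keygen`; the config contents, the `host_key` file name and the derivation name are made up for this example.

```nix
# Added example: validate a generated sshd_config with `sshd -t` inside a
# Nix build, so a broken Match block fails at build time rather than after
# it has been deployed. Evaluate with:  nix-build check-sshd-config.nix
{ pkgs ? import <nixpkgs> { } }:

let
  # Constructed sample config: a restrictive global policy, then a Match
  # block that relaxes it only for one subnet. Match blocks must be the
  # last thing in the file, which is what the PR's mkOrder 9999 enforces.
  sshdConfig = pkgs.writeText "sshd_config" ''
    Port 22
    PermitRootLogin no
    PasswordAuthentication no
    Match Address 10.23.42.0/24
      PermitRootLogin yes
  '';
in
pkgs.runCommand "sshd-config-check" {
  nativeBuildInputs = [ pkgs.openssh ];
} ''
  # sshd refuses to start (even in test mode) without a host key, so
  # generate a throwaway one inside the sandbox; it never leaves the build.
  ssh-keygen -q -t ed25519 -N "" -f ./host_key

  # -t: test mode (parse and sanity-check the config, then exit non-zero
  #     on any error, which fails the derivation)
  # -f: the config file to check instead of /etc/ssh/sshd_config
  # -h: the host key to load instead of the /etc/ssh defaults
  sshd -t -f ${sshdConfig} -h ./host_key

  # Only a config that passed validation becomes the build output.
  cp ${sshdConfig} $out
''
```

Because the check runs as an ordinary derivation, a typo such as an unknown keyword inside the `Match` block makes `nix-build` (and therefore a `nixops deploy` that builds the system closure) stop before anything reaches the remote host, which is exactly the failure mode the commit message is concerned with.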