public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixpkgs/nixos/modules/system/boot/initrd-ssh.nix

203 lines
6.1 KiB
Nix
Raw Normal View History

Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.boot.initrd.network.ssh;
in
{
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
options.boot.initrd.network.ssh = {
enable = mkOption {
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
type = types.bool;
default = false;
description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
The sshd configuration is largely inherited from
<option>services.openssh</option>.
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
'';
};
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
port = mkOption {
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
type = types.int;
default = 22;
description = ''
Port on which SSH initrd service should listen.
'';
};
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
shell = mkOption {
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
type = types.str;
default = "/bin/ash";
description = ''
Login shell of the remote user. Can be used to limit actions user can do.
'';
};
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
hostKeys = mkOption {
type = types.listOf (types.either types.str types.path);
default = [];
example = [
"/etc/secrets/initrd/ssh_host_rsa_key"
"/etc/secrets/initrd/ssh_host_ed25519_key"
];
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
description = ''
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
Specify SSH host keys to import into the initrd.
To generate keys, use
<citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
<screen>
<prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
nixos/initrd-ssh: fix typo in docs
2020-04-11 16:19:48 +01:00
<prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
</screen>
<warning>
<para>
Unless your bootloader supports initrd secrets, these keys
are stored insecurely in the global Nix store. Do NOT use
your regular SSH host private keys for this purpose or
you'll expose them to regular users!
</para>
<para>
Additionally, even if your initrd supports secrets, if
you're using initrd SSH to unlock an encrypted disk then
using your regular host keys exposes the private keys on
your unencrypted boot partition.
</para>
</warning>
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
'';
};
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
authorizedKeys = mkOption {
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
type = types.listOf types.str;
nixos/modules: users.(extraUsers|extraGroup->users|group)
2018-06-30 01:58:35 +02:00
default = config.users.users.root.openssh.authorizedKeys.keys;
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
defaultText = "config.users.users.root.openssh.authorizedKeys.keys";
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
description = ''
Authorized keys for the root user on initrd.
'';
};
};
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
imports =
map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
The initrd SSH functionality now uses OpenSSH rather than Dropbear.
If you want to keep your existing initrd SSH host keys, convert them with
$ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
and then set options.boot.initrd.network.ssh.hostKeys.
'') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];
config = let
# Nix complains if you include a store hash in initrd path names, so
# as an awful hack we drop the first character of the hash.
initrdKeyPath = path: if isString path
then path
else let name = builtins.baseNameOf path; in
builtins.unsafeDiscardStringContext ("/etc/ssh/" +
substring 1 (stringLength name) name);
sshdCfg = config.services.openssh;
sshdConfig = ''
Port ${toString cfg.port}
PasswordAuthentication no
ChallengeResponseAuthentication no
${flip concatMapStrings cfg.hostKeys (path: ''
HostKey ${initrdKeyPath path}
'')}
KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
Ciphers ${concatStringsSep "," sshdCfg.ciphers}
MACs ${concatStringsSep "," sshdCfg.macs}
LogLevel ${sshdCfg.logLevel}
${if sshdCfg.useDns then ''
UseDNS yes
'' else ''
UseDNS no
''}
'';
in mkIf (config.boot.initrd.network.enable && cfg.enable) {
initrd-ssh service: check that authorized keys are added
2016-09-20 12:04:48 +03:00
assertions = [
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
{
assertion = cfg.authorizedKeys != [];
initrd-ssh service: check that authorized keys are added
2016-09-20 12:04:48 +03:00
message = "You should specify at least one authorized key for initrd SSH";
}
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
{
assertion = cfg.hostKeys != [];
message = ''
You must now pre-generate the host keys for initrd SSH.
nixos/initrd-ssh: fix typo (#84719)
2020-04-08 23:04:29 +08:00
See the boot.initrd.network.ssh.hostKeys documentation
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
for instructions.
'';
}
initrd-ssh service: check that authorized keys are added
2016-09-20 12:04:48 +03:00
];
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
boot.initrd.extraUtilsCommands = ''
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
copy_bin_and_libs ${pkgs.openssh}/bin/sshd
initrd-ssh service: fix build
2016-05-07 15:38:34 +03:00
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
'';
boot.initrd.extraUtilsCommandsTest = ''
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
# sshd requires a host key to check config, so we pass in the test's
echo -n ${escapeShellArg sshdConfig} |
$out/bin/sshd -t -f /dev/stdin \
-h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
'';
boot.initrd.network.postCommands = ''
initrd-ssh module: don't check if network is up We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
echo '${cfg.shell}' > /etc/shells
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
initrd-ssh module: don't check if network is up We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
echo 'passwd: files' > /etc/nsswitch.conf
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
mkdir -p /var/log /var/empty
initrd-ssh module: don't check if network is up We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
touch /var/log/lastlog
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
mkdir -p /etc/ssh
echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
echo "export PATH=$PATH" >> /etc/profile
echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
initrd-ssh module: don't check if network is up We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
mkdir -p /root/.ssh
${concatStrings (map (key: ''
initrd-ssh: fix authorized_key generation with multiple keys multiple entries should be separated by newline
2016-11-16 14:17:42 +00:00
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
initrd-ssh module: don't check if network is up We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
'') cfg.authorizedKeys)}
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
${flip concatMapStrings cfg.hostKeys (path: ''
# keys from Nix store are world-readable, which sshd doesn't like
chmod 0600 "${initrdKeyPath path}"
'')}
/bin/sshd -e
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
'';
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
boot.initrd.postMountCommands = ''
# Stop sshd cleanly before stage 2.
#
# If you want to keep it around to debug post-mount SSH issues,
# run `touch /.keep_sshd` (either from an SSH session or in
# another initrd hook like preDeviceCommands).
if ! [ -e /.keep_sshd ]; then
pkill -x sshd
fi
'';
initrd-ssh: Use initrd secrets for host keys
2017-04-02 15:35:45 -04:00
nixos/initrd-ssh: switch from Dropbear to OpenSSH Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
2020-03-14 18:29:08 +00:00
boot.initrd.secrets = listToAttrs
(map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
Split the initrd sshd support into a separate module Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands should work fine.
2016-02-02 17:25:18 +01:00
};
}
Reference in New Issue Copy Permalink