* Refactored the sshd module.

svn path=/nixos/branches/modular-nixos/; revision=16377
This commit is contained in:
Eelco Dolstra 2009-07-15 15:53:39 +00:00
parent c45cf3a28e
commit 889311f4ca
2 changed files with 108 additions and 95 deletions


@ -1,60 +1,9 @@
{pkgs, config, ...}: {pkgs, config, ...}:
###### interface
let let
inherit (pkgs.lib) mkOption mkIf; inherit (pkgs.lib) mkOption mkIf;
inherit (pkgs) openssh;
options = {
services = {
sshd = {
enable = mkOption {
default = false;
description = "
Whether to enable the Secure Shell daemon, which allows secure
remote logins.
";
};
forwardX11 = mkOption {
default = true;
description = "
Whether to enable sshd to forward X11 connections.
";
};
allowSFTP = mkOption {
default = true;
description = "
Whether to enable the SFTP subsystem in the SSH daemon. This
enables the use of commands such as <command>sftp</command> and
<command>sshfs</command>.
";
};
permitRootLogin = mkOption {
default = "yes";
description = "
Whether the root user can login using ssh. Valid options
are <command>yes</command>, <command>without-password</command>,
<command>forced-commands-only</command> or
<command>no</command>
";
};
gatewayPorts = mkOption {
default = "no";
description = "
Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf.
";
};
};
};
};
###### implementation
inherit (pkgs) writeText openssh;
cfg = (config.services.sshd); cfg = (config.services.sshd);
@ -62,28 +11,27 @@ let
nssModulesPath = config.system.nssModules.path; nssModulesPath = config.system.nssModules.path;
sshdConfig = writeText "sshd_config" '' sshdConfig = pkgs.writeText "sshd_config"
''
Protocol 2
Protocol 2 UsePAM yes
UsePAM yes ${if cfg.forwardX11 then "
X11Forwarding yes
XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth
" else "
X11Forwarding no
"}
${if cfg.forwardX11 then " ${if cfg.allowSFTP then "
X11Forwarding yes Subsystem sftp ${openssh}/libexec/sftp-server
XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth " else "
" else " "}
X11Forwarding no
"}
${if cfg.allowSFTP then " PermitRootLogin ${cfg.permitRootLogin}
Subsystem sftp ${openssh}/libexec/sftp-server GatewayPorts ${cfg.gatewayPorts}
" else " '';
"}
PermitRootLogin ${cfg.permitRootLogin}
GatewayPorts ${cfg.gatewayPorts}
'';
# !!! is this assertion evaluated anywhere??? # !!! is this assertion evaluated anywhere???
assertion = cfg.permitRootLogin == "yes" || assertion = cfg.permitRootLogin == "yes" ||
@ -93,44 +41,98 @@ let
in in
{
mkIf config.services.sshd.enable { ###### interface
require = [
options
];
users = { options = {
extraUsers = [
services.sshd = {
enable = mkOption {
default = false;
description = ''
Whether to enable the Secure Shell daemon, which allows secure
remote logins.
'';
};
forwardX11 = mkOption {
default = true;
description = ''
Whether to allow X11 connections to be forwarded.
'';
};
allowSFTP = mkOption {
default = true;
description = ''
Whether to enable the SFTP subsystem in the SSH daemon. This
enables the use of commands such as <command>sftp</command> and
<command>sshfs</command>.
'';
};
permitRootLogin = mkOption {
default = "yes";
description = ''
Whether the root user can login using ssh. Valid values are
<literal>yes</literal>, <literal>without-password</literal>,
<literal>forced-commands-only</literal> or
<literal>no</literal>.
'';
};
gatewayPorts = mkOption {
default = "no";
description = ''
Specifies whether remote hosts are allowed to connect to
ports forwarded for the client. See
<citerefentry><refentrytitle>sshd_config</refentrytitle>
<manvolnum>5</manvolnum></citerefentry>.
'';
};
};
};
###### implementation
config = mkIf config.services.sshd.enable {
users.extraUsers = pkgs.lib.singleton
{ name = "sshd"; { name = "sshd";
uid = config.ids.uids.sshd; uid = config.ids.uids.sshd;
description = "SSH privilege separation user"; description = "SSH privilege separation user";
home = "/var/empty"; home = "/var/empty";
} };
];
};
services = { jobs = pkgs.lib.singleton
extraJobs = [{ { name = "sshd";
name = "sshd";
job = '' description = "OpenSSH server";
description "SSH server"
start on network-interfaces/started startOn = "network-interfaces/started";
stop on network-interfaces/stop stopOn = "network-interfaces/stop";
env LD_LIBRARY_PATH=${nssModulesPath} environment = { LD_LIBRARY_PATH = nssModulesPath; };
start script preStart =
''
mkdir -m 0755 -p /etc/ssh mkdir -m 0755 -p /etc/ssh
if ! test -f /etc/ssh/ssh_host_dsa_key; then if ! test -f /etc/ssh/ssh_host_dsa_key; then
${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N "" ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N ""
fi fi
end script '';
exec = "${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}";
respawn = true;
};
respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig}
'';
}];
}; };
} }
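Review bot: The `assertion` binding flagged by the `# !!! is this assertion evaluated anywhere???` comment in the second hunk is still not referenced anywhere in the new `config = mkIf config.services.sshd.enable { ... }` block, so `cfg.permitRootLogin` and `cfg.gatewayPorts` are interpolated into `sshd_config` (`PermitRootLogin ${cfg.permitRootLogin}`, `GatewayPorts ${cfg.gatewayPorts}`) with no validation at all. A mistyped value therefore presumably surfaces only when sshd rejects the generated file at start, not as a Nix evaluation error, and the refactor would have been the moment to either wire the assertion into evaluation or drop it. Since the sibling jobs hunk already declares its new `respawn` option with `type = types.bool;`, the boolean options here (`enable`, `forwardX11`, `allowSFTP`) could take the same `type = types.bool;` once `types` is inherited from `pkgs.lib` alongside `mkOption mkIf`, and `permitRootLogin` wants an explicit check against the four documented strings before the value reaches the config file. The enclosing `let` block and the assertion's right-hand side continue outside the hunk.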


@ -27,6 +27,8 @@ let
${if job.exec != "" then '' ${if job.exec != "" then ''
exec ${job.exec} exec ${job.exec}
'' else ""} '' else ""}
${if job.respawn then "respawn" else ""}
''; '';
in in
@ -155,6 +157,15 @@ in
''; '';
}; };
respawn = mkOption {
type = types.bool;
default = true;
description = ''
Whether to restart the job automatically if its process
ends unexpectedly.
'';
};
environment = mkOption { environment = mkOption {
type = types.attrs; type = types.attrs;
default = {}; default = {};