From d285fea2da116a7c7f662d0c15af5b5575fd40c7 Mon Sep 17 00:00:00 2001 From: Marc Weber Date: Fri, 6 Mar 2009 12:26:08 +0000 Subject: [PATCH] Convert "sshd" daemon Should the client config in etc/default.nix be moved as wel? svn path=/nixos/branches/fix-style/; revision=14370 --- system/options.nix | 45 +------------ upstart-jobs/default.nix | 9 --- upstart-jobs/sshd.nix | 139 ++++++++++++++++++++++++++++----------- 3 files changed, 103 insertions(+), 90 deletions(-) diff --git a/system/options.nix b/system/options.nix index 97b53917f24..6018128459e 100644 --- a/system/options.nix +++ b/system/options.nix @@ -480,50 +480,6 @@ in }; - sshd = { - - enable = mkOption { - default = false; - description = " - Whether to enable the Secure Shell daemon, which allows secure - remote logins. - "; - }; - - forwardX11 = mkOption { - default = true; - description = " - Whether to enable sshd to forward X11 connections. - "; - }; - - allowSFTP = mkOption { - default = true; - description = " - Whether to enable the SFTP subsystem in the SSH daemon. This - enables the use of commands such as sftp and - sshfs. - "; - }; - - permitRootLogin = mkOption { - default = "yes"; - description = " - Whether the root user can login using ssh. Valid options - are yes, without-password, - forced-commands-only or - no - "; - }; - - gatewayPorts = mkOption { - default = "no"; - description = " - Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf. - "; - }; - }; - lshd = { enable = mkOption { @@ -1699,6 +1655,7 @@ in (import ../upstart-jobs/gw6c.nix) # Gateway6 (import ../upstart-jobs/syslogd.nix) (import ../upstart-jobs/dhcpd.nix) + (import ../upstart-jobs/sshd.nix) # nix (import ../upstart-jobs/nix.nix) # nix options and daemon diff --git a/upstart-jobs/default.nix b/upstart-jobs/default.nix index 043e82d1c44..f2f48d0e282 100644 --- a/upstart-jobs/default.nix +++ b/upstart-jobs/default.nix 
@@ -141,15 +141,6 @@ let inherit config; }) - # SSH daemon. - ++ optional config.services.sshd.enable - (import ../upstart-jobs/sshd.nix { - inherit (pkgs) writeText openssh glibc; - inherit (pkgs.xorg) xauth; - inherit nssModulesPath; - inherit (config.services.sshd) forwardX11 allowSFTP permitRootLogin gatewayPorts; - }) - # GNU lshd SSH2 deamon. ++ optional config.services.lshd.enable (import ../upstart-jobs/lshd.nix { diff --git a/upstart-jobs/sshd.nix b/upstart-jobs/sshd.nix index e9b916e81d3..a0764d1177c 100644 --- a/upstart-jobs/sshd.nix +++ b/upstart-jobs/sshd.nix 
@@ -1,14 +1,66 @@ -{ writeText, openssh, glibc, xauth -, nssModulesPath -, forwardX11, allowSFTP, permitRootLogin, gatewayPorts -}: +{pkgs, config, ...}: -assert permitRootLogin == "yes" || - permitRootLogin == "without-password" || - permitRootLogin == "forced-commands-only" || - permitRootLogin == "no"; - +###### interface let + inherit (pkgs.lib) mkOption mkIf; + + options = { + services = { + sshd = { + + enable = mkOption { + default = false; + description = " + Whether to enable the Secure Shell daemon, which allows secure + remote logins. + "; + }; + + forwardX11 = mkOption { + default = true; + description = " + Whether to enable sshd to forward X11 connections. + "; + }; + + allowSFTP = mkOption { + default = true; + description = " + Whether to enable the SFTP subsystem in the SSH daemon. This + enables the use of commands such as sftp and + sshfs. + "; + }; + + permitRootLogin = mkOption { + default = "yes"; + description = " + Whether the root user can login using ssh. Valid options + are yes, without-password, + forced-commands-only or + no + "; + }; + + gatewayPorts = mkOption { + default = "no"; + description = " + Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See man sshd_conf. + "; + }; + }; + }; + }; + +###### implementation + + inherit (pkgs) writeText openssh; + + cfg = (config.services.sshd); + + nssModules = config.system.nssModules.list; + + nssModulesPath = config.system.nssModules.path; sshdConfig = writeText "sshd_config" '' 
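Review bot: `nssModules = config.system.nssModules.list;` in the implementation section is bound but never read — the job only uses `nssModulesPath` in its `env LD_LIBRARY_PATH=` line — so the binding should be dropped, and `cfg = (config.services.sshd);` does not need the parentheses. With the old top-level `assert` gone, the `permitRootLogin` description is the only place the four accepted values are stated, and it would help a reader to say that the value is written as-is into the generated `PermitRootLogin` line of sshd_config; the default `"yes"` is carried over unchanged from options.nix. The `let` opened in this hunk continues past its last line.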
@@ -16,55 +68,68 @@ let UsePAM yes - ${if forwardX11 then " + ${if cfg.forwardX11 then " X11Forwarding yes - XAuthLocation ${xauth}/bin/xauth + XAuthLocation ${pkgs.xlibs.xauth}/bin/xauth " else " X11Forwarding no "} - ${if allowSFTP then " + ${if cfg.allowSFTP then " Subsystem sftp ${openssh}/libexec/sftp-server " else " "} - PermitRootLogin ${permitRootLogin} - GatewayPorts ${gatewayPorts} + PermitRootLogin ${cfg.permitRootLogin} + GatewayPorts ${cfg.gatewayPorts} ''; sshdUid = (import ../system/ids.nix).uids.sshd; + assertion = cfg.permitRootLogin == "yes" || + cfg.permitRootLogin == "without-password" || + cfg.permitRootLogin == "forced-commands-only" || + cfg.permitRootLogin == "no"; + in -{ - name = "sshd"; - users = [ - { name = "sshd"; - uid = (import ../system/ids.nix).uids.sshd; - description = "SSH privilege separation user"; - home = "/var/empty"; - } +mkIf config.services.sshd.enable { + require = [ + options ]; - - job = '' - description "SSH server" - start on network-interfaces/started - stop on network-interfaces/stop + services = { + extraJobs = [{ + name = "sshd"; - env LD_LIBRARY_PATH=${nssModulesPath} + users = [ + { name = "sshd"; + uid = (import ../system/ids.nix).uids.sshd; + description = "SSH privilege separation user"; + home = "/var/empty"; + } + ]; + + job = '' + description "SSH server" - start script - mkdir -m 0755 -p /etc/ssh + start on network-interfaces/started + stop on network-interfaces/stop - if ! test -f /etc/ssh/ssh_host_dsa_key; then - ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N "" - fi - end script + env LD_LIBRARY_PATH=${nssModulesPath} - respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig} - ''; - + start script + mkdir -m 0755 -p /etc/ssh + + if ! 
test -f /etc/ssh/ssh_host_dsa_key; then + ${openssh}/bin/ssh-keygen -t dsa -b 1024 -f /etc/ssh/ssh_host_dsa_key -N "" + fi + end script + + respawn ${openssh}/sbin/sshd -D -h /etc/ssh/ssh_host_dsa_key -f ${sshdConfig} + ''; + }]; + }; }
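Review bot: The `assertion` binding added to the `let` is never used: the module's result is `mkIf config.services.sshd.enable { require = [ options ]; ... }` with no `assert`, so the validation that the removed top-level `assert permitRootLogin == ...` enforced is now dead and any value flows unchecked into `PermitRootLogin ${cfg.permitRootLogin}` in sshd_config. Reattach the check with `assert assertion; mkIf config.services.sshd.enable {` in place of the bare `mkIf ...` line, or drop the binding so readers are not led to believe the value is validated. Separately, `sshdUid` is bound in the `let` but the `users` entry still recomputes `(import ../system/ids.nix).uids.sshd` instead of using it.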