initrd-ssh: Use initrd secrets for host keys

This commit is contained in:
Shea Levy 2017-04-02 15:35:45 -04:00
parent b09490a322
commit 3a26d09e15


@ -44,9 +44,10 @@ in
description = '' description = ''
RSA SSH private key file in the Dropbear format. RSA SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT WARNING: Unless your bootloader supports initrd secrets, this key is
use your regular SSH host private keys for this purpose or you'll expose contained insecurely in the global Nix store. Do NOT use your regular
them to regular users! SSH host private keys for this purpose or you'll expose them to
regular users!
''; '';
}; };
@ -56,9 +57,10 @@ in
description = '' description = ''
DSS SSH private key file in the Dropbear format. DSS SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT WARNING: Unless your bootloader supports initrd secrets, this key is
use your regular SSH host private keys for this purpose or you'll expose contained insecurely in the global Nix store. Do NOT use your regular
them to regular users! SSH host private keys for this purpose or you'll expose them to
regular users!
''; '';
}; };
@ -68,9 +70,10 @@ in
description = '' description = ''
ECDSA SSH private key file in the Dropbear format. ECDSA SSH private key file in the Dropbear format.
WARNING: This key is contained insecurely in the global Nix store. Do NOT WARNING: Unless your bootloader supports initrd secrets, this key is
use your regular SSH host private keys for this purpose or you'll expose contained insecurely in the global Nix store. Do NOT use your regular
them to regular users! SSH host private keys for this purpose or you'll expose them to
regular users!
''; '';
}; };
@ -97,10 +100,6 @@ in
boot.initrd.extraUtilsCommands = '' boot.initrd.extraUtilsCommands = ''
copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
${optionalString (cfg.hostRSAKey != null) "install -D ${cfg.hostRSAKey} $out/etc/dropbear/dropbear_rsa_host_key"}
${optionalString (cfg.hostDSSKey != null) "install -D ${cfg.hostDSSKey} $out/etc/dropbear/dropbear_dss_host_key"}
${optionalString (cfg.hostECDSAKey != null) "install -D ${cfg.hostECDSAKey} $out/etc/dropbear/dropbear_ecdsa_host_key"}
''; '';
boot.initrd.extraUtilsCommandsTest = '' boot.initrd.extraUtilsCommandsTest = ''
@ -116,9 +115,6 @@ in
touch /var/log/lastlog touch /var/log/lastlog
mkdir -p /etc/dropbear mkdir -p /etc/dropbear
${optionalString (cfg.hostRSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_rsa_host_key /etc/dropbear/dropbear_rsa_host_key"}
${optionalString (cfg.hostDSSKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_dss_host_key /etc/dropbear/dropbear_dss_host_key"}
${optionalString (cfg.hostECDSAKey != null) "ln -s $extraUtils/etc/dropbear/dropbear_ecdsa_host_key /etc/dropbear/dropbear_ecdsa_host_key"}
mkdir -p /root/.ssh mkdir -p /root/.ssh
${concatStrings (map (key: '' ${concatStrings (map (key: ''
@ -128,6 +124,11 @@ in
dropbear -s -j -k -E -m -p ${toString cfg.port} dropbear -s -j -k -E -m -p ${toString cfg.port}
''; '';
boot.initrd.secrets =
(optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
(optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
(optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
}; };
} }
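Review bot: The new `boot.initrd.secrets` entries pass `cfg.hostRSAKey` and friends straight through, so the updated WARNING text is only true if the user supplies the key as a string path ("/etc/ssh/initrd_rsa_key") — a Nix path literal (`./key`) is copied into the store at evaluation time and the key ends up world-readable exactly as before, regardless of bootloader support; the option's type is declared above the first hunk so I cannot tell whether path literals are accepted. I would extend each description with a sentence such as `Give this as a string path outside the Nix store (e.g. "/etc/ssh/initrd_rsa_key"); a Nix path literal is copied into the store.`. It is also worth stating that with initrd secrets the key still lives inside the initrd image on the boot partition, which is presumably unencrypted and, on a FAT ESP, possibly readable by local users depending on mount options — confirm before documenting. Finally, since the module no longer installs the keys itself, a one-line comment on the `boot.initrd.secrets` attribute naming the bootloader requirement (or an assertion, if one is available) would save users from a dropbear that boots without any host key.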