Commit Graph

20 Commits

Author SHA1 Message Date
Eelco Dolstra
f6eece6f8f programs.ssh.knownHosts: Use attribute name
This allows writing:

  programs.ssh.knownHosts."10.1.2.3".publicKey = "bar";

instead of

  programs.ssh.knownHosts = [ { hostNames = [ "10.1.2.3" ]; publicKey = "bar"; } ];
2015-08-27 15:32:46 +02:00
Eelco Dolstra
7c6ff6c1da programs.ssh.knownHosts: Use submodule 2015-08-27 15:32:46 +02:00
Eelco Dolstra
287c08d8a3 Rename services.openssh.knownHosts -> programs.ssh.knownHosts
This option configures the SSH client, not the server.
2015-08-27 15:32:46 +02:00
Eelco Dolstra
401782cb67 Revert "openssh: 6.9p1 -> 7.0p1"
This reverts commit a8eb2a6a81. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)
2015-08-20 14:08:18 +02:00
Eelco Dolstra
1f2eef5ae9 openssh: Re-enable DSA client keys
This was broken by a8eb2a6a81.
2015-08-18 13:11:45 +02:00
Eelco Dolstra
6e6a96d42c Some more type cleanup 2015-06-15 18:18:46 +02:00
Thomas Tuegel
4b10907152 ssh: make askPassword an option
By making askPassword an option, desktop environment modules can
override the default x11_ssh_askpassword with their own equivalent for
better integration. For example, KDE 5 uses plasma5.ksshaskpass instead.
2015-03-11 11:49:29 -05:00
Eelco Dolstra
36d0f367de ssh-agent: Fix asking for confirmation via $SSH_ASKPASS
This was lost back in
ffedee6ed5. Getting this to work is
slightly tricky because ssh-agent runs as a user unit, and so doesn't
know the user's $DISPLAY.
2015-02-25 14:31:17 +01:00
Eelco Dolstra
63c14e259d ssh-agent: Don't have a timeout by default
IMHO, having a short timeout (1h) defeats the point of using
ssh-agent, which is not to have to retype passphrases all the time. Of
course, users who want timeouts can set programs.ssh.agentTimeout.

This restores the 14.04 behaviour.
2014-12-18 15:34:29 +01:00
Aristid Breitkreuz
2fd7e5f39d ssh-agent: use types.nullOr 2014-11-15 12:33:01 +01:00
Aristid Breitkreuz
d57110fabc ssh-agent: make key timeout optional 2014-11-15 12:13:25 +01:00
Aristid Breitkreuz
d70336f37c limit the amount of time ssh-agent keeps a key (default: 1h) 2014-11-15 12:13:25 +01:00
William A. Kennington III
bab5efd237 nixos/ssh: Allow user to configure the package that provides ssh/sshd 2014-09-11 22:07:39 -07:00
Eelco Dolstra
85fdaed9de ssh-agent: Tweaks 2014-04-18 17:37:47 +02:00
Eelco Dolstra
ffedee6ed5 Start ssh-agent as a user unit
This has some advantages:

* You get ssh-agent regardless of how you logged in. Previously it was
  only started for X11 sessions.

* All sessions of a user share the same agent. So if you added a key
  on tty1, it will also be available on tty2.

* Systemd will restart ssh-agent if it dies.

* $SSH_AUTH_SOCK now points to the /run/user/<uid> directory, which is
  more secure than /tmp.

For bonus points, we should patch ssh-agent to support socket-based
activation...
2014-04-18 00:45:26 +02:00
Eelco Dolstra
29027fd1e1 Rewrite ‘with pkgs.lib’ -> ‘with lib’
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
2014-04-14 16:26:48 +02:00
William A. Kennington III
6c6d7dc11d ssh: Don't set xauth if not running xserver 2014-04-03 14:28:45 -05:00
Eelco Dolstra
408b8b5725 Add lots of missing option types 2013-10-30 18:47:43 +01:00
Eelco Dolstra
72ca782044 Fix an assertion set in the wrong place 2013-10-25 15:47:30 +02:00
Eelco Dolstra
5c1f8cbc70 Move all of NixOS to nixos/ in preparation of the repository merge 2013-10-10 13:28:20 +02:00