ssh-agent: add agentPKCS11Whitelist option #71139

Merged
merged 1 commit into from Nov 4, 2019
Conversation

philandstuff (Contributor) commented Oct 14, 2019

Motivation for this change

If you want to be able to use OpenSC with ssh-agent, you need to be able
to add it to the ssh-agent whitelist. This adds an option,
agentPKCS11Whitelist, that exposes the option.

Note that I currently work around this by injecting the parameter into
the agentTimeout option:

programs.ssh.agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so";

but I feel that a proper option would be better :)

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

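As an added example (not code from the PR or from nixpkgs), here is the workaround described above placed beside a configuration that uses the new option, with the reason the option matters spelled out in the comments. The `-P` flag is ssh-agent's pattern list of PKCS#11 provider libraries that `ssh-add -s` may make the agent dlopen; OpenSSH's built-in default matches only `/usr/lib*/*,/usr/local/lib*/*`, which is why a NixOS host needs to allowlist a `/nix/store` path explicitly. `pkgs.opensc` and `lib/opensc-pkcs11.so` are the package and path named in the PR; the `ssh-add` and `systemctl` commands in the trailing comment are my own usage notes, and the `1h` timeout is an assumed value.

```nix
# Added example, not part of PR #71139 or of nixpkgs.
# Assumes a NixOS host with programs.ssh.startAgent and a pkgs.opensc that
# ships lib/opensc-pkcs11.so (the path the PR author uses).
{ pkgs, ... }:

{
  programs.ssh = {
    startAgent = true;

    # Workaround from the PR description: smuggle "-P" through agentTimeout.
    # It only works because the value is pasted verbatim into the agent's
    # ExecStart, and it ties two unrelated settings together, so prefer the
    # dedicated option below.
    # agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so";

    agentTimeout = "1h";   # assumed value; -t <time> on ssh-agent

    # ssh-agent -P <pattern-list>: the only provider libraries that an
    # `ssh-add -s <path>` request may make the agent dlopen. The allowlist
    # exists so that anyone who can talk to the agent socket (for example a
    # remote host with agent forwarding) cannot load an arbitrary .so into
    # the agent process. Keep it to the exact store path of the provider you
    # use; a wildcard such as "/nix/store/*" would reopen that hole, since
    # any user allowed to talk to the Nix daemon can add files to the store.
    agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
  };
}

# Usage after `nixos-rebuild switch` and a fresh login (the agent is a
# systemd user service):
#
#   # confirm the allowlisted path that ended up in the unit
#   systemctl --user cat ssh-agent | grep -o -- '-P /nix/store/[^ ]*'
#
#   # load the card through that exact path, then list its keys
#   ssh-add -s /nix/store/<hash>-opensc-<version>/lib/opensc-pkcs11.so
#   ssh-add -L
#
# Requests for any other path (e.g. `ssh-add -s /tmp/evil.so`) are refused
# by the agent, which is the behaviour the allowlist is there to provide.
```

If you need more than one provider, `-P` accepts a comma-separated list of patterns in the same syntax ssh_config uses for `Host`, so several exact store paths can be listed without resorting to a wildcard.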
Izorkin (Contributor) commented Nov 7, 2019

After this update, this error occurs:

building all machine configurations...
error: while evaluating the attribute 'buildCommand' of the derivation 'nixops-machines' at /home/user/works/src-nix/nixpkgs/pkgs/build-support/trivial-builders.nix:7:14:
while evaluating anonymous function at /nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/share/nix/nixops/eval-machine-info.nix:371:46, called from undefined position:
while evaluating the attribute 'activationScript' of the derivation 'nixos-system-NixOS-Test-20.03.git.16fee33' at /home/user/works/src-nix/nixpkgs/nixos/modules/system/activation/top-level.nix:102:5:
while evaluating the attribute 'system.activationScripts.script' at /home/user/works/src-nix/nixpkgs/nixos/modules/system/activation/activation-script.nix:68:9:
while evaluating 'textClosureMap' at /home/user/works/src-nix/nixpkgs/lib/strings-with-deps.nix:70:35, called from /home/user/works/src-nix/nixpkgs/nixos/modules/system/activation/activation-script.nix:89:18:
while evaluating 'id' at /home/user/works/src-nix/nixpkgs/lib/trivial.nix:14:5, called from undefined position:
while evaluating the attribute 'text' at /home/user/works/src-nix/nixpkgs/nixos/modules/system/activation/activation-script.nix:9:5:
while evaluating the attribute 'text' at /home/user/works/src-nix/nixpkgs/lib/strings-with-deps.nix:77:38:
while evaluating the attribute 'sources' of the derivation 'etc' at /home/user/works/src-nix/nixpkgs/nixos/modules/system/etc/etc.nix:12:5:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/nixos/modules/system/etc/etc.nix:20:20, called from undefined position:
while evaluating the attribute 'source' at undefined position:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:75:45, called from undefined position:
while evaluating the attribute 'value' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:338:9:
while evaluating the option `environment.etc.systemd/user.source':
while evaluating the attribute 'mergedValue' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:5:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:32, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:19:
while evaluating 'check' at /home/user/works/src-nix/nixpkgs/lib/types.nix:246:15, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:371:10:
while evaluating the attribute 'buildCommand' of the derivation 'user-units' at /home/user/works/src-nix/nixpkgs/pkgs/build-support/trivial-builders.nix:7:14:
while evaluating the attribute 'text' of the derivation 'unit-ssh-agent.service' at /home/user/works/src-nix/nixpkgs/pkgs/build-support/trivial-builders.nix:7:14:
while evaluating the attribute 'text' at undefined position:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:75:45, called from undefined position:
while evaluating the attribute 'value' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:338:9:
while evaluating the option `systemd.user.units.ssh-agent.service.text':
while evaluating the attribute 'isDefined' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:375:5:
while evaluating the attribute 'values' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:364:9:
while evaluating the attribute 'values' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:458:7:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:350:28, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:350:17:
while evaluating 'dischargeProperties' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:417:25, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:351:62:
while evaluating the attribute 'value' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:234:44:
while evaluating 'attrsToSection' at /home/user/works/src-nix/nixpkgs/nixos/modules/system/boot/systemd-lib.nix:104:20, called from /home/user/works/src-nix/nixpkgs/nixos/modules/system/boot/systemd.nix:342:13:
while evaluating 'mapAttrsToList' at /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:233:23, called from /home/user/works/src-nix/nixpkgs/nixos/modules/system/boot/systemd-lib.nix:105:33:
while evaluating the attribute 'serviceConfig' at undefined position:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:75:45, called from undefined position:
while evaluating the attribute 'value' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:338:9:
while evaluating the option `systemd.user.services.ssh-agent.serviceConfig':
while evaluating the attribute 'mergedValue' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:5:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:32, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:370:19:
while evaluating 'merge' at /home/user/works/src-nix/nixpkgs/lib/types.nix:283:20, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:373:8:
while evaluating 'filterAttrs' at /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:124:23, called from /home/user/works/src-nix/nixpkgs/lib/types.nix:284:35:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:125:29, called from /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:125:18:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/types.nix:284:51, called from /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:125:62:
while evaluating the attribute 'ExecStart' at /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:344:7:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/types.nix:284:86, called from /home/user/works/src-nix/nixpkgs/lib/attrsets.nix:344:15:
while evaluating the attribute 'optionalValue' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:377:5:
while evaluating the attribute 'values' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:364:9:
while evaluating the attribute 'values' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:458:7:
while evaluating anonymous function at /home/user/works/src-nix/nixpkgs/lib/modules.nix:350:28, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:350:17:
while evaluating 'dischargeProperties' at /home/user/works/src-nix/nixpkgs/lib/modules.nix:417:25, called from /home/user/works/src-nix/nixpkgs/lib/modules.nix:351:62:
while evaluating the attribute 'value' at /home/user/works/src-nix/nixpkgs/lib/types.nix:288:60:
attempt to call something which is not a function but a string, at /home/user/works/src-nix/nixpkgs/nixos/modules/programs/ssh.nix:254:17
Traceback (most recent call last):
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/bin/..nixops-wrapped-wrapped", line 991, in <module>
    args.op()
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/bin/..nixops-wrapped-wrapped", line 412, in op_deploy
    max_concurrent_activate=args.max_concurrent_activate)
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in deploy
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1052, in run_with_notify
    f()
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1063, in <lambda>
    self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 1003, in _deploy
    self.configs_path = self.build_configs(dry_run=dry_run, repair=repair, include=include, exclude=exclude)
  File "/nix/store/w21dnw3dqjgdxjg0awip6jcwdx947i5z-nixops-1.7/lib/python2.7/site-packages/nixops/deployment.py", line 671, in build_configs
    raise Exception("unable to build all machine configurations")
Exception: unable to build all machine configurations

Izorkin (Contributor) commented Nov 7, 2019

My ssh configuration:

let
  cfgKey01 = "~/.ssh/id_ed25519";
  cfgKey02 = "~/.ssh/id_ed25519_2";
  cfgKey03 = "~/.ssh/id_rsa";

in {
  programs.ssh = {
    startAgent = true;
    pubkeyAcceptedKeyTypes = [ "ssh-ed25519" "ssh-rsa" ];
    hostKeyAlgorithms = [ "ssh-ed25519" "ssh-rsa" ];
    extraConfig = ''
      AddressFamily inet
      ConnectTimeout 60
      ServerAliveCountMax 10
      ServerAliveInterval 30
      Compression no
      TCPKeepAlive no

      RekeyLimit 256m 30m

      ChallengeResponseAuthentication no
      FingerprintHash sha256
      GSSAPIAuthentication no
      HostbasedAuthentication no
      PasswordAuthentication yes
      PreferredAuthentications publickey,password
      PubkeyAuthentication yes

      BatchMode no
      CheckHostIP yes
      ControlMaster no
      ForwardAgent no
      ForwardX11 no
      ForwardX11Trusted no
      HashKnownHosts no
      StrictHostKeyChecking ask
      UpdateHostKeys no

      IdentitiesOnly yes
      IdentityFile ~/.ssh/id_ed25519
      UserKnownHostsFile ~/.ssh/known_hosts
      GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
      ...
      Host *
        KexAlgorithms curve25519-sha256@libssh.org
        Ciphers chacha20-poly1305@openssh.com
        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
    '';
  };
}

@@ -241,6 +251,7 @@ in
ExecStart =
"${cfg.package}/bin/ssh-agent " +
optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ")
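Review bot: the `-t` line of ExecStart ends without a `+`, so the new `-P` line is not concatenated but parsed as extra arguments to it: in Nix, function application binds tighter than `+` and is left-associative, so `optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") optionalString (...) ("-P ... ")` applies the resulting string to `optionalString`, which is exactly the `attempt to call something which is not a function but a string` error at ssh.nix:254:17 reported in this thread. Append ` +` to the `-t` line so it reads `optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +`. Separately, both option values are spliced into the command line raw; since `-P` takes a pattern list, wrapping each value in `lib.escapeShellArg` would keep a stray space or shell metacharacter in the option from changing the agent's argument vector.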
mebubo (Contributor) commented Nov 7, 2019

@philandstuff, @globin, looks like there is a + missing at the end of the line, and it leads to

error: attempt to call something which is not a function but a string, at .../nixpkgs/nixos/modules/programs/ssh.nix:254:17

worldofpeace added a commit that referenced this pull request Nov 8, 2019
ssh-agent: fix syntax problem from #71139
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Nov 10, 2019
Oops, in NixOS#71139 a missing `+` broke things quite badly.  Thanks @lzorkin for the
report and @mebubo for diagnosing the problem.

(cherry picked from commit ce7d4e4)