nixos/sshd: validate ssh configs during build #58718
Conversation
|
Will validation fail if someone utilizes the sshd What if I'm running Does If I don't want to be sounding too negative on this topic, but when a few attempts at implementing validation on the It's a shame there isn't some sort of stage between the building and activation of a generation that checks like this can run and then abort activation if the checks do not see succeed, leaving the user on the current generation without having cycled any services. |
Unless I'm missing something, this won't break validation (tested with
Same here. It seems as no content is validated, however syntax and the specified options.
IIRC this is also implemented for prometheus and I actually liked it while using that module.
That's actually an interesting idea for the "Future work" section of RFC#42 which actually recommends the use of config validation tools if available/possible. |
|
@Ma27 the history of this problem actually goes back years...
There are more issues/prs which discuss this, but the list above is all I could find with minimal effort. |
|
So unless I'm missing something, the main issues with config validation at build time are (1) issues with cross-builds and (2) false-positives when having a complex config that only works in a certain environment. (1) should be solvable by using If I understand thsi correctly, my approach simply checks the syntax and the used configuration keys. Does this look ok to you? Or am I missing something? |
|
@Ma27 The It looks like you have confirmed that the ssh configuration validation doesn't actually validate the environment at all, so in this case I'm happy that this PR is good to go 👍 |
With `sshd -t` config validation for SSH is possible. Until now, the config generated by Nix was applied without any validation (which is especially a problem for advanced config like `Match` blocks). When deploying broken ssh config with nixops to a remote machine it gets even harder to fix the problem due to the broken ssh that makes reverts with nixops impossible. This change performs the validation in a Nix build environment by creating a store path with the config and generating a mocked host key which seems to be needed for the validation. With a broken config, the deployment already fails during the build of the derivation. The original attempt was done in NixOS#56345 by adding a submodule for Match groups to make it harder screwing that up, however that made the module far more complex and config should be described in an easier way as described in NixOS/rfcs#42.
Ma27
force-pushed
the
validate-ssh-configs
branch
from
b85a26b
to
00a5222
Compare
Motivation for this change
With
sshd -tconfig validation for SSH is possible. Until now, theconfig generated by Nix was applied without any validation (which is
especially a problem for advanced config like
Matchblocks).When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.
This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.
The original attempt was done in #56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)