nixos/ssh: Add pkcs11 support for ssh agent #49755
Conversation
ssh-agent needs to get an explicit, non-symlinked whitelist of directories that contains pkcs11 providers (which are shared libraries). By default this is /lib and /usr/lib, which of course have no effect in NixOS. When the user tries to explicitly override this whitelist using the -P flag of ssh-agent, and set it to -P /run/current-system/sw/lib/* this will still not work, as the ssh-add command resolves symlinks before sending a request to ssh-agent. e.g. ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so will result in an refusing PKCS#11 add of "/nix/store/xxxx=-opensc-xx/lib/opensc-pkcs11.so" To work around this issue, allow the user to explicitly tell what nix packages ssh-agent should whitelist through the NixOS module system. Example usage: environment.systemPackages = [ pkgs.opensc pkgs.yubico-piv-tool ]; programs.ssh.agentPkcs11Whitelist = [ pkgs.opensc pkgs.yubico-piv-tool ]; Add pkcs11 provider to ssh-agent $ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so Add pkcs11 provider to ssh-agent $ ssh-add -s /run/current-system/sw/lib/libykcs11.so Remove pkc11 provider from ssh-agent $ ssh-add -e /run/current/system/sw/lib/libycks11.so
|
maybe adding a library to this list should add it automatically to ssh through the PKCS11Provider clause in /etc/ssh/ssh_config ? It seems cumbersome to have to add it by hand when it is already specified in /etc/nixos/configuration.nix |
|
I tried that before, but You either set The two components are not tightly integrated. This has been an open bug for 2 years already unfortunately. http://lists.mindrot.org/pipermail/openssh-bugs/2016-October/016961.html |
|
You can actually use |
| @@ -84,6 +84,21 @@ in | |||
| ''; | |||
| }; | |||
|
|
|||
|
|
|||
| agentPkcs11Whitelist = mkOption { | |||
There was a problem hiding this comment.
Could it be named agentPkcs11Modules or are those not really loaded with this options?
There was a problem hiding this comment.
They are not loaded. They're only whitelisted. One always has to manually specify the path when invoking ssh-add -s <path to .so here> unfortunately. See the linked OpenSSH issue.
There was a problem hiding this comment.
Ok. Just read the discussion above.
There was a problem hiding this comment.
It would be nice to add an usage example you have in your description above also in the module description.
There was a problem hiding this comment.
Sounds like a good idea. Just hadn't bothered yet because docbook confuses me :P I'll have to read up on docbook first before figuring out how to format it correctly
|
Are there any updates on this pull request, please? |
|
Oops, looks like I accidentally reimplemented this in #71139; this can be closed (though some of the documentation could maybe be cherry-picked in?) |
|
@philandstuff thanks for pushing this forward regardless. Feel free to cherry-pick the docs |
ssh-agent needs to get an explicit, non-symlinked whitelist of
directories that contains pkcs11 providers (which are shared libraries).
By default this is /lib and /usr/lib, which of course have no effect
in NixOS.
When the user tries to explicitly override this whitelist using
the -P flag of ssh-agent, and set it to
-P /run/current-system/sw/lib/*
this will still not work, as the ssh-add command resolves symlinks
before sending a request to ssh-agent. e.g.
ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so
will result in an
refusing PKCS#11 add of "/nix/store/xxxx=-opensc-xx/lib/opensc-pkcs11.so"
To work around this issue, allow the user to explicitly tell what
nix packages ssh-agent should whitelist through the NixOS module system.
Example usage:
environment.systemPackages = [ pkgs.opensc pkgs.yubico-piv-tool ];
programs.ssh.agentPkcs11Whitelist = [ pkgs.opensc pkgs.yubico-piv-tool ];
Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so
Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/libykcs11.so
Remove pkc11 provider from ssh-agent
$ ssh-add -e /run/current/system/sw/lib/libycks11.so
Motivation for this change
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)