Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/ssh: Add pkcs11 support for ssh agent #49755

Closed
wants to merge 1 commit into from
Closed

nixos/ssh: Add pkcs11 support for ssh agent #49755

wants to merge 1 commit into from
+16 −1

Conversation

arianvp
Copy link
Member

@arianvp arianvp commented Nov 4, 2018

ssh-agent needs to get an explicit, non-symlinked whitelist of
directories that contains pkcs11 providers (which are shared libraries).
By default this is /lib and /usr/lib, which of course have no effect
in NixOS.

When the user tries to explicitly override this whitelist using
the -P flag of ssh-agent, and set it to
-P /run/current-system/sw/lib/*
this will still not work, as the ssh-add command resolves symlinks
before sending a request to ssh-agent. e.g.

ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so

will result in an
refusing PKCS#11 add of "/nix/store/xxxx=-opensc-xx/lib/opensc-pkcs11.so"

To work around this issue, allow the user to explicitly tell what
nix packages ssh-agent should whitelist through the NixOS module system.

Example usage:

environment.systemPackages = [ pkgs.opensc pkgs.yubico-piv-tool ];
programs.ssh.agentPkcs11Whitelist = [ pkgs.opensc pkgs.yubico-piv-tool ];

Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so

Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/libykcs11.so

Remove pkc11 provider from ssh-agent
$ ssh-add -e /run/current/system/sw/lib/libycks11.so

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

Sorry, something went wrong.

@arianvp
nixos/ssh: Add pkcs11 support for ssh agent
1827202 
ssh-agent needs to get an explicit, non-symlinked whitelist of
directories that contains pkcs11 providers (which are shared libraries).
By default this is /lib and /usr/lib, which of course have no effect
in NixOS.

When the user tries to explicitly override this whitelist using
the -P flag of ssh-agent, and set it to
  -P /run/current-system/sw/lib/*
this will still not work, as the ssh-add command resolves symlinks
before sending a request to ssh-agent. e.g.

ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so

will result in an
  refusing PKCS#11 add of "/nix/store/xxxx=-opensc-xx/lib/opensc-pkcs11.so"

To work around this issue, allow the user to explicitly tell what
nix packages ssh-agent should whitelist through the NixOS module system.

Example usage:

environment.systemPackages = [ pkgs.opensc pkgs.yubico-piv-tool ];
programs.ssh.agentPkcs11Whitelist = [ pkgs.opensc pkgs.yubico-piv-tool ];

Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/opensc-pkcs11.so

Add pkcs11 provider to ssh-agent
$ ssh-add -s /run/current-system/sw/lib/libykcs11.so

Remove pkc11 provider from ssh-agent
$ ssh-add -e /run/current/system/sw/lib/libycks11.so
@GrahamcOfBorg GrahamcOfBorg added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Nov 4, 2018
@symphorien
Copy link
Member

maybe adding a library to this list should add it automatically to ssh through the PKCS11Provider clause in /etc/ssh/ssh_config ? It seems cumbersome to have to add it by hand when it is already specified in /etc/nixos/configuration.nix
(NB: I don't use this so I may be missing something important)

@GrahamcOfBorg GrahamcOfBorg added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Nov 4, 2018
@arianvp
Copy link
Member Author

arianvp commented Nov 4, 2018

I tried that before, but ssh-agent actually ignores any value set in PKCS11Provider, and also ignores the AddKeysToAgent option. simply typing ssh-add without the -s <path> ignores PKCS11Provider setting.

You either set PKCS11Provider and provide the pin every time you type ssh,
or you type ssh-add -s /run/current-system/sw/lib/opensc.so once every session, and ssh finds it automatically.

The two components are not tightly integrated. This has been an open bug for 2 years already unfortunately. http://lists.mindrot.org/pipermail/openssh-bugs/2016-October/016961.html

@arianvp
Copy link
Member Author

arianvp commented Nov 4, 2018

You can actually use PKCS11Provider without ssh-agent and don't even need the -P option for it... but then the PIN won't be cached in ssh-agent. The two options are totally mutually exclusive

Mic92
Mic92 reviewed Nov 14, 2018
View reviewed changes
nixos/modules/programs/ssh.nix
@@ -84,6 +84,21 @@ in
'';
};


agentPkcs11Whitelist = mkOption {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be named agentPkcs11Modules or are those not really loaded with this options?

Copy link
Member Author

@arianvp arianvp Nov 14, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are not loaded. They're only whitelisted. One always has to manually specify the path when invoking ssh-add -s <path to .so here> unfortunately. See the linked OpenSSH issue.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok. Just read the discussion above.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice to add an usage example you have in your description above also in the module description.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like a good idea. Just hadn't bothered yet because docbook confuses me :P I'll have to read up on docbook first before figuring out how to format it correctly

@mmahut
Copy link
Member

mmahut commented Aug 10, 2019

Are there any updates on this pull request, please?

@philandstuff
Copy link
Contributor

Oops, looks like I accidentally reimplemented this in #71139; this can be closed (though some of the documentation could maybe be cherry-picked in?)

@arianvp
Copy link
Member Author

arianvp commented Jan 13, 2020

@philandstuff thanks for pushing this forward regardless. Feel free to cherry-pick the docs

@arianvp arianvp closed this Jan 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mic92 Mic92

@lheckemann lheckemann

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@arianvp @symphorien @mmahut @philandstuff @Mic92 @lheckemann @GrahamcOfBorg