From ffedee6ed523864dd5f871ffd85e3c2099d579a2 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Fri, 18 Apr 2014 00:45:26 +0200 Subject: Start ssh-agent as a user unit This has some advantages: * You get ssh-agent regardless of how you logged in. Previously it was only started for X11 sessions. * All sessions of a user share the same agent. So if you added a key on tty1, it will also be available on tty2. * Systemd will restart ssh-agent if it dies. * $SSH_AUTH_SOCK now points to the /run/user/ directory, which is more secure than /tmp. For bonus points, we should patch ssh-agent to support socket-based activation... --- nixos/modules/config/gnu.nix | 2 +- nixos/modules/programs/ssh.nix | 33 ++++++++++++++++++++++ nixos/modules/rename.nix | 1 + .../services/x11/display-managers/default.nix | 11 -------- nixos/modules/services/x11/xserver.nix | 17 ++--------- 5 files changed, 38 insertions(+), 26 deletions(-) diff --git a/nixos/modules/config/gnu.nix b/nixos/modules/config/gnu.nix index 092828fed0d..f8c35b440d1 100644 --- a/nixos/modules/config/gnu.nix +++ b/nixos/modules/config/gnu.nix @@ -36,7 +36,7 @@ with lib; # GNU lsh. services.openssh.enable = false; services.lshd.enable = true; - services.xserver.startOpenSSHAgent = false; + programs.ssh.startAgent = false; services.xserver.startGnuPGAgent = true; # TODO: GNU dico. diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 27db667e440..005c77d255c 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -47,7 +47,20 @@ in for help. ''; }; + + startAgent = mkOption { + type = types.bool; + default = true; + description = '' + Whether to start the OpenSSH agent when you log in. The OpenSSH agent + remembers private keys for you so that you don't have to type in + passphrases every time you make an SSH connection. Use + ssh-add to add a key to the agent. + ''; + }; + }; + }; config = { 
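Review bot: The `startAgent` description in the ssh.nix hunk is copied from the removed `services.xserver.startOpenSSHAgent` option and still says only that the agent is started "when you log in", which no longer describes what this commit sets up: one agent per user running as a systemd user unit, shared by every session, with `SSH_AUTH_SOCK` pointing into the user's runtime directory rather than `/tmp`. Since this text is what the option documentation shows, I would add a sentence such as `The agent runs as a systemd user service shared by all of your sessions; SSH_AUTH_SOCK is set to $XDG_RUNTIME_DIR/ssh-agent.` The enclosing `programs.ssh` option set begins before this hunk. The gnu.nix hunk on this line is a plain option rename and needs nothing.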
@@ -71,5 +84,25 @@ in target = "ssh/ssh_config"; } ]; + + # FIXME: this should really be socket-activated for über-awesomeness. + systemd.user.services.ssh-agent = + { enable = cfg.startAgent; + description = "SSH Agent"; + wantedBy = [ "default.target" ]; + serviceConfig = + { ExecStart = "${pkgs.openssh}/bin/ssh-agent -a %t/ssh-agent"; + Type = "forking"; + Restart = "on-failure"; + }; + }; + + environment.extraInit = optionalString cfg.startAgent + '' + if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then + export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent" + fi + ''; + }; } diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix index aa3cefdcad1..1128b9c0da8 100644 --- a/nixos/modules/rename.nix +++ b/nixos/modules/rename.nix @@ -103,6 +103,7 @@ in zipModules ([] ++ obsolete [ "services" "sshd" "gatewayPorts" ] [ "services" "openssh" "gatewayPorts" ] ++ obsolete [ "services" "sshd" "permitRootLogin" ] [ "services" "openssh" "permitRootLogin" ] ++ obsolete [ "services" "xserver" "startSSHAgent" ] [ "services" "xserver" "startOpenSSHAgent" ] +++ obsolete [ "services" "xserver" "startOpenSSHAgent" ] [ "programs" "ssh" "startAgent" ] ++ obsolete [ "services" "xserver" "windowManager" "xbmc" ] [ "services" "xserver" "desktopManager" "xbmc" ] # KDE diff --git a/nixos/modules/services/x11/display-managers/default.nix b/nixos/modules/services/x11/display-managers/default.nix index 2deff602982..3bf18bd58c8 100644 --- a/nixos/modules/services/x11/display-managers/default.nix +++ b/nixos/modules/services/x11/display-managers/default.nix 
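Review bot: The new `environment.extraInit` snippet exports `SSH_AUTH_SOCK` but not `SSH_ASKPASS`, whereas the display-manager block removed later in this commit exported `SSH_ASKPASS=${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass`, so under X an `ssh-add` or `ssh` started without a controlling terminal loses its graphical passphrase prompt; the export belongs in the display-manager session script, where a display is known to exist, rather than in the global init. Separately, `ExecStart` binds a fixed path via `-a %t/ssh-agent` and the unit sets `Restart = "on-failure"`; if the agent dies without unlinking its socket, the restarted instance would presumably fail to bind to the existing file, which is worth verifying and, if confirmed, handled with `ExecStartPre = "${pkgs.coreutils}/bin/rm -f %t/ssh-agent";` in `serviceConfig`. Finally, `[ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]` relies on the obsolescent `-a` test operator; `[ -z "$SSH_AUTH_SOCK" ] && [ -n "$XDG_RUNTIME_DIR" ]` is the portable form. The rename.nix hunk on this line is an alias entry and needs no change.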
@@ -51,17 +51,6 @@ let ''} - ${optionalString cfg.startOpenSSHAgent '' - if test -z "$SSH_AUTH_SOCK"; then - # Restart this script as a child of the SSH agent. (It is - # also possible to start the agent as a child that prints - # the required environment variabled on stdout, but in - # that mode ssh-agent is not terminated when we log out.) - export SSH_ASKPASS=${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass - exec ${pkgs.openssh}/bin/ssh-agent "$0" "$sessionType" - fi - ''} - ${optionalString cfg.startGnuPGAgent '' if test -z "$SSH_AUTH_SOCK"; then # Restart this script as a child of the GnuPG agent. diff --git a/nixos/modules/services/x11/xserver.nix b/nixos/modules/services/x11/xserver.nix index 1f02bfd6ef3..65f93b54499 100644 --- a/nixos/modules/services/x11/xserver.nix +++ b/nixos/modules/services/x11/xserver.nix @@ -201,17 +201,6 @@ in ''; }; - startOpenSSHAgent = mkOption { - type = types.bool; - default = true; - description = '' - Whether to start the OpenSSH agent when you log in. The OpenSSH agent - remembers private keys for you so that you don't have to type in - passphrases every time you make an SSH connection. Use - ssh-add to add a key to the agent. - ''; - }; - startGnuPGAgent = mkOption { type = types.bool; default = false; @@ -400,11 +389,11 @@ in hardware.opengl.videoDrivers = mkIf (cfg.videoDriver != null) [ cfg.videoDriver ]; assertions = - [ { assertion = !(cfg.startOpenSSHAgent && cfg.startGnuPGAgent); + [ { assertion = !(config.programs.ssh.startAgent && cfg.startGnuPGAgent); message = '' - The OpenSSH agent and GnuPG agent cannot be started both. - Choose between `startOpenSSHAgent' and `startGnuPGAgent'. + The OpenSSH agent and GnuPG agent cannot be started both. Please + choose between ‘programs.ssh.startAgent’ and ‘services.xserver.startGnuPGAgent’. ''; } { assertion = config.security.polkit.enable; -- cgit 1.4.1
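Review bot: In the second xserver.nix hunk the assertion now fails for any existing configuration that sets `startGnuPGAgent = true`, because `programs.ssh.startAgent` defaults to `true` and is no longer an xserver option the user would naturally look at; the message names both options but does not say which one to change. Since the GnuPG agent is the opt-in side, the message would be more actionable as `Set programs.ssh.startAgent = false to use the GnuPG agent instead of the OpenSSH agent.` The `assertions` list continues past the end of this hunk, and the display-managers hunk on this line is a pure deletion.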