nixos/modules/system/boot/initrd-ssh.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.boot.initrd.network.ssh;

in

{

  options.boot.initrd.network.ssh = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Start SSH service during initrd boot. It can be used to debug failing
        boot on a remote server, enter pasphrase for an encrypted partition etc.
        Service is killed when stage-1 boot is finished.

        The sshd configuration is largely inherited from
        <option>services.openssh</option>.
      '';
    };

    port = mkOption {
      type = types.int;
      default = 22;
      description = ''
        Port on which SSH initrd service should listen.
      '';
    };

    shell = mkOption {
      type = types.str;
      default = "/bin/ash";
      description = ''
        Login shell of the remote user. Can be used to limit actions user can do.
      '';
    };

    hostKeys = mkOption {
      type = types.listOf (types.either types.str types.path);
      default = [];
      example = [
        "/etc/secrets/initrd/ssh_host_rsa_key"
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];
      description = ''
        Specify SSH host keys to import into the initrd.

        To generate keys, use
        <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>:

        <screen>
        <prompt># </prompt>ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
        <prompt># </prompt>ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key
        </screen>

        <warning>
          <para>
            Unless your bootloader supports initrd secrets, these keys
            are stored insecurely in the global Nix store. Do NOT use
            your regular SSH host private keys for this purpose or
            you'll expose them to regular users!
          </para>
          <para>
            Additionally, even if your initrd supports secrets, if
            you're using initrd SSH to unlock an encrypted disk then
            using your regular host keys exposes the private keys on
            your unencrypted boot partition.
          </para>
        </warning>
      '';
    };

    authorizedKeys = mkOption {
      type = types.listOf types.str;
      default = config.users.users.root.openssh.authorizedKeys.keys;
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
      description = ''
        Authorized keys for the root user on initrd.
      '';
    };

    extraConfig = mkOption {
      type = types.lines;
      default = "";
      description = "Verbatim contents of <filename>sshd_config</filename>.";
    };
  };

  imports =
    map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
      The initrd SSH functionality now uses OpenSSH rather than Dropbear.

      If you want to keep your existing initrd SSH host keys, convert them with
        $ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
      and then set options.boot.initrd.network.ssh.hostKeys.
    '') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];

  config = let
    # Nix complains if you include a store hash in initrd path names, so
    # as an awful hack we drop the first character of the hash.
    initrdKeyPath = path: if isString path
      then path
      else let name = builtins.baseNameOf path; in
        builtins.unsafeDiscardStringContext ("/etc/ssh/" +
          substring 1 (stringLength name) name);

    sshdCfg = config.services.openssh;

    sshdConfig = ''
      Port ${toString cfg.port}

      PasswordAuthentication no
      ChallengeResponseAuthentication no

      ${flip concatMapStrings cfg.hostKeys (path: ''
        HostKey ${initrdKeyPath path}
      '')}

      KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
      Ciphers ${concatStringsSep "," sshdCfg.ciphers}
      MACs ${concatStringsSep "," sshdCfg.macs}

      LogLevel ${sshdCfg.logLevel}

      ${if sshdCfg.useDns then ''
        UseDNS yes
      '' else ''
        UseDNS no
      ''}

      ${cfg.extraConfig}
    '';
  in mkIf (config.boot.initrd.network.enable && cfg.enable) {
    assertions = [
      {
        assertion = cfg.authorizedKeys != [];
        message = "You should specify at least one authorized key for initrd SSH";
      }

      {
        assertion = cfg.hostKeys != [];
        message = ''
          You must now pre-generate the host keys for initrd SSH.
          See the boot.initrd.network.ssh.hostKeys documentation
          for instructions.
        '';
      }
    ];

    boot.initrd.extraUtilsCommands = ''
      copy_bin_and_libs ${pkgs.openssh}/bin/sshd
      cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
    '';

    boot.initrd.extraUtilsCommandsTest = ''
      # sshd requires a host key to check config, so we pass in the test's
      tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)"
      cp "${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}" "$tmpkey"
      # keys from Nix store are world-readable, which sshd doesn't like
      chmod 600 "$tmpkey"
      echo -n ${escapeShellArg sshdConfig} |
        $out/bin/sshd -t -f /dev/stdin \
        -h "$tmpkey"
      rm "$tmpkey"
    '';

    boot.initrd.network.postCommands = ''
      echo '${cfg.shell}' > /etc/shells
      echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
      echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
      echo 'passwd: files' > /etc/nsswitch.conf

      mkdir -p /var/log /var/empty
      touch /var/log/lastlog

      mkdir -p /etc/ssh
      echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config

      echo "export PATH=$PATH" >> /etc/profile
      echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile

      mkdir -p /root/.ssh
      ${concatStrings (map (key: ''
        echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
      '') cfg.authorizedKeys)}

      ${flip concatMapStrings cfg.hostKeys (path: ''
        # keys from Nix store are world-readable, which sshd doesn't like
        chmod 0600 "${initrdKeyPath path}"
      '')}

      /bin/sshd -e
    '';

    boot.initrd.postMountCommands = ''
      # Stop sshd cleanly before stage 2.
      #
      # If you want to keep it around to debug post-mount SSH issues,
      # run `touch /.keep_sshd` (either from an SSH session or in
      # another initrd hook like preDeviceCommands).
      if ! [ -e /.keep_sshd ]; then
        pkill -x sshd
      fi
    '';

    boot.initrd.secrets = listToAttrs
      (map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
  };

}