Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/sshd: implement support for `Match` groups #56345

Closed
wants to merge 1 commit into from

Conversation

@Ma27
Copy link
Member

Ma27 commented Feb 25, 2019

Motivation for this change

This patch makes it way harder to screw Match groups in an sshd config
up. With a broken SSH, reverting with tools like nixops is way harder,
in some cases impossible.

The diff seems larger than it actually is, mainly because I moved all
options that can be used "globally" and in a Match group into its own
attribute set that will be merged into options.services.openssh and
for the matches submodule.

The Match config will be appended to /etc/ssh/sshd_config using
mkOrder 9999 to ensure that no extraConfig will be appended
afterwards and only applies to the last Match group.

It can be used like this now:

{
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    matches = [
      {
        # the given config only applies to the 10.23.42.0/24 subnet
        match."10.23.42.0/24" = "Address";
        config.permitRootLogin = "yes";
      }
    ];
  };
}

Finally extended the openssh testcase with another machine to demonstrate
the functionality by permitting root logins only from certain IPs.


Some additional notes:

  • I didn't add a changelog entry yet, as I'm not sure if this will land in 19.03
  • I've tested this in a local VM network and added another NixOS test. I'll deploy this to one of my machines in my personal setup later this afternoon just to confirm (EDIT: done)
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@Ma27

This comment has been minimized.

Copy link
Member Author

Ma27 commented Feb 25, 2019

@GrahamcOfBorg test openssh

@Ma27

This comment has been minimized.

Copy link
Member Author

Ma27 commented Feb 25, 2019

The test breaks on aarch64 because of a timeout btw.

This patch makes it way harder to screw Match groups in an `sshd` config
up. With a broken SSH, reverting with tools like `nixops` is way harder,
in some cases impossible.

The diff seems larger than it actually is, mainly because I moved all
options that can be used "globally" and in a `Match` group into its own
attribute set that will be merged into `options.services.openssh` and
for the `matches` submodule.

The `Match` config will be appended to `/etc/ssh/sshd_config` using
`mkOrder 9999` to ensure that no `extraConfig` will be appended
afterwards and only applies to the last Match group.

It can be used like this now:

``` nix
{
  services.openssh = {
    enable = true;
    permitRootLogin = "no";
    matches = [
      {
        # the given config only applies to the 10.23.42.0/24 subnet
        match."10.23.42.0/24" = "Address";
        config.permitRootLogin = "yes";
      }
    ];
  };
}
```

Finally extended the `openssh` testcase with another machine to demonstrate
the functionality by permitting root logins only from certain IPs.
@Ma27 Ma27 force-pushed the Ma27:implement-match-sections-for-sshd branch from d3793d9 to 7b1261c Feb 25, 2019
@Ma27

This comment has been minimized.

Copy link
Member Author

Ma27 commented Feb 25, 2019

@GrahamcOfBorg test openssh

};

config = mkOption {
type = types.submodule ({ options = generalOptions; });

This comment has been minimized.

Copy link
@Ma27

Ma27 Feb 25, 2019

Author Member

We probably want to merge the values here with the configs from services.openssh. So if somebody sets services.openssh.permitRootLogin to no, each Match group should also have permitRootLogin set to no.

But I'll wait for some reviews from other folks, before spending more time on this :)

@Ma27

This comment has been minimized.

Copy link
Member Author

Ma27 commented Mar 23, 2019

Closing for now, mainly because of NixOS/rfcs#42 (also discussed in #nixos-chat some weeks ago).

I'm in favor of that approach and this adds even more complexity to the module system and hence makes the situation even worse. The main goal (making it harder to screw up ssh configs) can be achieved using sshd's config validation. I'll look how we can do this for our sshd_config and file a patch soon :)

@Ma27 Ma27 closed this Mar 23, 2019
@Ma27 Ma27 deleted the Ma27:implement-match-sections-for-sshd branch Mar 23, 2019
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request Apr 1, 2019
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in NixOS#56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
@Ma27 Ma27 mentioned this pull request Apr 1, 2019
5 of 10 tasks complete
Ma27 added a commit to Ma27/nixpkgs that referenced this pull request May 24, 2019
With `sshd -t` config validation for SSH is possible. Until now, the
config generated by Nix was applied without any validation (which is
especially a problem for advanced config like `Match` blocks).

When deploying broken ssh config with nixops to a remote machine it gets
even harder to fix the problem due to the broken ssh that makes reverts
with nixops impossible.

This change performs the validation in a Nix build environment by
creating a store path with the config and generating a mocked host key
which seems to be needed for the validation. With a broken config, the
deployment already fails during the build of the derivation.

The original attempt was done in NixOS#56345 by adding a submodule for Match
groups to make it harder screwing that up, however that made the module
far more complex and config should be described in an easier way as
described in NixOS/rfcs#42.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

2 participants
You can’t perform that action at this time.