[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#55912] [PATCH] home: Add OpenSSH service.

From: Ludovic Courtès
Subject: [bug#55912] [PATCH] home: Add OpenSSH service.
Date: Sat, 11 Jun 2022 18:49:31 +0200

* gnu/home/services/ssh.scm: New file.
* gnu/ (GNU_SYSTEM_MODULES): Add it.
* po/guix/ Add it.
* doc/guix.texi (Secure Shell): New section.
 doc/guix.texi             | 183 +++++++++++++++++++++++++++-
 gnu/home/services/ssh.scm | 250 ++++++++++++++++++++++++++++++++++++++
 gnu/              |   1 +
 po/guix/       |   1 +
 4 files changed, 434 insertions(+), 1 deletion(-)
 create mode 100644 gnu/home/services/ssh.scm


Here’s an OpenSSH Home service, loosely inspired by what Julien had
implemented at:

One thing I wasn’t sure about was how to handle ~/.ssh/known_hosts.
To lower the barrier to entry, I added an option to keep handling it
in a stateful way (with ‘ssh’ updating the file as it sees fit), and
I made that the default.

I toyed with other approaches.  In particular, just like Julien’s
module had <openssh-known-host>, I tried doing that and going further
so one could write:

  (openssh-host-key ssh-rsa "AAAAE2VjZHNhLX…")

and arrange so that (1) the host key algorithm is validated (a typo
would be reported at macro-expansion time), and (2) the string is
base64-decoded, similar to what is done for origins.

But then, while this is perhaps The Right Thing, I though it could be
too inconvenient to use: users would have to convert what ‘ssh’ gives
them into this format.  Sure, that’d give them data validation in
return, but that’s probably too little for too high a cost.

So I sticked to something simpler that allows users to pass files
as-is in ‘known-hosts’ and ‘authorized-keys’ (note that ‘authorized-keys’
in <openssh-configuration> also works that way, so it’s consistent).



diff --git a/doc/guix.texi b/doc/guix.texi
index ea133d519a..831b8fa7c0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -38899,6 +38899,7 @@ services)}.
 * Shells: Shells Home Services.          POSIX shells, Bash, Zsh.
 * Mcron: Mcron Home Service.             Scheduled User's Job Execution.
 * Shepherd: Shepherd Home Service.       Managing User's Daemons.
+* SSH: Secure Shell.                     Setting up the secure shell client.
 * Desktop: Desktop Home Services.        Services for graphical environments.
 @end menu
 @c In addition to that Home Services can provide
@@ -39219,7 +39220,7 @@ GNU@tie{}mcron, a daemon to run jobs at scheduled times 
 mcron, GNU@tie{}mcron}).  The information about system's mcron is
 applicable here (@pxref{Scheduled Job Execution}), the only difference
 for home services is that they have to be declared in a
-@code{home-envirnoment} record instead of an @code{operating-system}
+@code{home-environment} record instead of an @code{operating-system}
 @defvr {Scheme Variable} home-mcron-service-type
@@ -39287,6 +39288,186 @@ mechanism instead (@pxref{Shepherd Services}).
 @end table
 @end deftp
+@node Secure Shell
+@subsection Secure Shell
+@cindex secure shell client, configuration
+@cindex SSH client, configuration
+The @uref{, OpenSSH package} includes a client,
+the @command{ssh} command, that allows you to connect to remote machines
+using the @acronym{SSH, secure shell} protocol.  With the @code{(gnu
+home services ssh)} module, you can set up OpenSSH so that it works in a
+predictable fashion, almost independently of state on the local machine.
+To do that, you instantiate @code{home-openssh-service-type} in your
+Home configuration, as explained below.
+@defvr {Scheme Variable} home-openssh-service-type
+This is the type of the service to set up the OpenSSH client.  It takes
+care of several things:
+adding the @code{openssh} package to your profile so the @command{ssh}
+command is readily available;
+providing a @file{~/.ssh/config} file based on your configuration so
+that @command{ssh} knows about hosts you regularly connect to and their
+associated parameters;
+providing a @file{~/.ssh/authorized_keys}, which lists public keys that
+the local SSH server, @command{sshd}, may accept to connect to this user
+optionally providing a @file{~/.ssh/known_hosts} file so that @file{ssh}
+can authenticate hosts you connect to.
+@end itemize
+Here is a sample configuration you could add to the @code{services}
+field of your @code{home-environment}:
+ (hosts (list (openssh-host (name "")
+                            (user "charlie"))
+              (openssh-host (name "chbouib")
+                            (host-name "")
+                            (user "supercharlie")
+                            (port 10022))))
+ (authorized-keys (list (local-file ""))))
+@end lisp
+The example above lists two hosts and their parameters.  For instance,
+running @command{ssh chbouib} will automatically connect to
+@code{} on port 10022, logging in as user
+@samp{supercharlie}.  Further, it marks the public key in
+@file{} as authorized for incoming connections.
+The value associated with a @code{home-openssh-service-type} instance
+must be a @code{home-openssh-configuration} record, as describe below.
+@end defvr
+@deftp {Data Type} home-openssh-configuration
+This is the datatype representing the OpenSSH client and server
+configuration in one's home environment.  It contains the following
+@table @asis
+@item @code{openssh} (default: @code{openssh})
+The OpenSSH package to add to the environment's profile.
+@item @code{hosts} (default: @code{'()})
+A list of @code{openssh-host} records specifying host names and
+associated connection parameters (see below).  This host list goes into
+@file{~/.ssh/config}, which @command{ssh} reads at startup.
+@item @code{known-hosts} (default: @code{*unspecified*})
+This must be either:
+@code{*unspecified*}, in which case @code{home-openssh-service-type}
+leaves it up to @command{ssh} and to the user to maintain the list of
+known hosts at @file{~/.ssh/known_hosts}, or
+a list of file-like objects, in which case those are concatenated and
+emitted as @file{~/.ssh/known_hosts}.
+@end itemize
+The @file{~/.ssh/known_hosts} contains a list of host name/host key
+pairs that allow @command{ssh} to authenticate hosts you connect to and
+to detect possible impersonation attacks.  By default, @command{ssh}
+updates it in a @dfn{TOFU, trust-on-first-use} fashion, meaning that it
+records the host's key in that file the first time you connect to it.
+This behavior is preserved when @code{known-hosts} is set to
+If you instead provide a list of host keys upfront in the
+@code{known-hosts} field, your configuration becomes self-contained and
+stateless: it can be replicated elsewhere or at another point in time.
+Preparing this list can be relatively tedious though, which is why
+@code{*unspecified*} is kept as a default.
+@item @code{authorized-keys} (default: @code{'()})
+This must be a list of file-like objects, each of which containing an
+SSH public key that should be authorized to connect to this machine.
+Concretely, these files are concatenated and made available as
+@file{~/.ssh/authorized_keys}.  If an OpenSSH server, @command{sshd}, is
+running on this machine, then it @emph{may} take this file into account:
+this is what @command{sshd} does by default, but be aware that it can
+also be configured to ignore it.
+@end table
+@end deftp
+@c %start of fragment
+@deftp {Data Type} openssh-host
+Available @code{openssh-host} fields are:
+@table @asis
+@item @code{name} (type: string)
+Name of this host declaration.
+@item @code{host-name} (default: @code{disabled}) (type: maybe-string)
+Host name---e.g., @code{""} or @code{""}.
+@item @code{address-family} (type: address-family)
+Address family to use when connecting to this host: one of
+@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or
+@code{*unspecified*} (allowing any address family).
+@item @code{identity-file} (default: @code{disabled}) (type: maybe-string)
+The identity file to use---e.g., @code{"/home/charlie/.ssh/id_ed25519"}.
+@item @code{port} (default: @code{disabled}) (type: maybe-integer)
+TCP port number to connect to.
+@item @code{user} (default: @code{disabled}) (type: maybe-string)
+User name on the remote host.
+@item @code{forward-x11?} (default: @code{#f}) (type: boolean)
+Whether to forward remote client connections to the local X11 graphical
+@item @code{forward-x11-trusted?} (default: @code{#f}) (type: boolean)
+Whether remote X11 clients have full access to the original X11
+graphical display.
+@item @code{forward-agent?} (default: @code{#f}) (type: boolean)
+Whether the authentication agent (if any) is forwarded to the remote
+@item @code{compression?} (default: @code{#f}) (type: boolean)
+Whether to compress data in transit.
+@item @code{proxy-command} (default: @code{disabled}) (type: maybe-string)
+The command to use to connect to the server.  As an example, a command
+to connect via an HTTP proxy at would be: @code{"nc -X connect
+-x %h %p"}.
+@item @code{host-key-algorithms} (default: @code{disabled}) (type: 
+The list of accepted host key algorithms---e.g.,
+@item @code{accepted-key-types} (default: @code{disabled}) (type: 
+The list of accepted user public key types.
+@item @code{extra-content} (default: @code{""}) (type: 
+Extra content appended as-is to this @code{Host} block in
+@end table
+@end deftp
+@c %end of fragment
 @node Desktop Home Services
 @subsection Desktop Home Services
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
new file mode 100644
index 0000000000..162d7df960
--- /dev/null
+++ b/gnu/home/services/ssh.scm
@@ -0,0 +1,250 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2022 Ludovic Courtès <>
+;;; This file is part of GNU Guix.
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; GNU General Public License for more details.
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <>.
+(define-module (gnu home services ssh)
+  #:use-module (guix gexp)
+  #:use-module (guix records)
+  #:use-module (guix diagnostics)
+  #:use-module (guix i18n)
+  #:use-module (gnu services)
+  #:use-module (gnu services configuration)
+  #:use-module (guix modules)
+  #:use-module (gnu home services)
+  #:use-module ((gnu home services utils)
+                #:select (object->camel-case-string))
+  #:autoload   (gnu packages ssh) (openssh)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-34)
+  #:use-module (ice-9 match)
+  #:export (home-openssh-configuration
+            home-openssh-configuration-authorized-keys
+            home-openssh-configuration-known-hosts
+            home-openssh-configuration-hosts
+            openssh-host
+            openssh-host-host-name
+            openssh-host-identity-file
+            openssh-host-name
+            openssh-host-port
+            openssh-host-user
+            openssh-host-forward-x11?
+            openssh-host-forward-x11-trusted?
+            openssh-host-forward-agent?
+            openssh-host-compression?
+            openssh-host-proxy-command
+            openssh-host-host-key-algorithms
+            openssh-host-accepted-key-types
+            openssh-host-extra-content
+            home-openssh-service-type))
+(define (serialize-field-name name)
+  (match name
+    ('accepted-key-types "PubkeyAcceptedKeyTypes")
+    (_
+     (let ((name (let ((str (symbol->string name)))
+                   (if (string-suffix? "?" str)
+                       (string->symbol (string-drop-right str 1))
+                       name))))
+       (object->camel-case-string name 'upper)))))
+(define (serialize-string field value)
+  (string-append "  " (serialize-field-name field)
+                 " " value "\n"))
+(define (address-family? obj)
+  (memv obj (list *unspecified* AF_INET AF_INET6)))
+(define (serialize-address-family field family)
+  (if (unspecified? family)
+      ""
+      (string-append "  " (serialize-field-name field) " "
+                     (cond ((= family AF_INET) "inet")
+                           ((= family AF_INET6) "inet6")
+                           (else
+                            (raise
+                             (formatted-message
+                              (G_ "~s: unsupported address family")
+                              family))))
+                     "\n")))
+(define (serialize-integer field value)
+  (string-append "  " (serialize-field-name field) " "
+                 (number->string value) "\n"))
+(define (serialize-boolean field value)
+  (string-append "  " (serialize-field-name field) " "
+                 (if value "yes" "no") "\n"))
+(define-maybe string)
+(define-maybe integer)
+(define (serialize-raw-configuration-string field value)
+  (string-append value "\n"))
+(define raw-configuration-string? string?)
+(define (string-list? lst)
+  (and (pair? lst) (every string? lst)))
+(define (serialize-string-list field lst)
+  (string-append "  " (serialize-field-name field) " "
+                 (string-join lst ",") "\n"))
+(define-maybe string-list)
+(define-configuration openssh-host
+  (name
+   (string)
+   "Name of this host declaration.")
+  (host-name
+   (maybe-string 'disabled)
+   "Host name---e.g., @code{\"\"} or @code{\"\"}.")
+  (address-family
+   (address-family *unspecified*)
+   "Address family to use when connecting to this host: one of
+@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or
+@code{*unspecified*} (allowing any address family).")
+  (identity-file
+   (maybe-string 'disabled)
+   "The identity file to use---e.g.,
+  (port
+   (maybe-integer 'disabled)
+   "TCP port number to connect to.")
+  (user
+   (maybe-string 'disabled)
+   "User name on the remote host.")
+  (forward-x11?
+   (boolean #f)
+   "Whether to forward remote client connections to the local X11 graphical
+  (forward-x11-trusted?
+   (boolean #f)
+   "Whether remote X11 clients have full access to the original X11 graphical
+  (forward-agent?
+   (boolean #f)
+   "Whether the authentication agent (if any) is forwarded to the remote
+  (compression?
+   (boolean #f)
+   "Whether to compress data in transit.")
+  (proxy-command
+   (maybe-string 'disabled)
+   "The command to use to connect to the server.  As an example, a command
+to connect via an HTTP proxy at would be: @code{\"nc -X
+connect -x %h %p\"}.")
+  (host-key-algorithms
+   (maybe-string-list 'disabled)
+   "The list of accepted host key algorithms---e.g.,
+  (accepted-key-types
+   (maybe-string-list 'disabled)
+   "The list of accepted user public key types.")
+  (extra-content
+   (raw-configuration-string "")
+   "Extra content appended as-is to this @code{Host} block in
+(define (serialize-openssh-host config)
+  (define (openssh-host-name-field? field)
+    (eq? (configuration-field-name field) 'name))
+  (string-append
+   "Host " (openssh-host-name config) "\n"
+   (string-concatenate
+    (map (lambda (field)
+           ((configuration-field-serializer field)
+            (configuration-field-name field)
+            ((configuration-field-getter field) config)))
+         (remove openssh-host-name-field?
+                 openssh-host-fields)))))
+(define-record-type* <home-openssh-configuration>
+  home-openssh-configuration make-home-openssh-configuration
+  home-openssh-configuration?
+  (openssh         home-openssh-configuration-openssh  ;file-like
+                   (default openssh))
+  (authorized-keys home-openssh-configuration-authorized-keys ;list of 
+                   (default '()))
+  (known-hosts     home-openssh-configuration-known-hosts ;unspec | list of 
+                   (default *unspecified*))
+  (hosts           home-openssh-configuration-hosts   ;list of <openssh-host>
+                   (default '())))
+(define (openssh-configuration->string config)
+  (string-join (map serialize-openssh-host
+                    (home-openssh-configuration-hosts config))
+               "\n"))
+(define* (file-join name files #:optional (delimiter " "))
+  "Return a file in the store called @var{name} that is the concatenation
+of all the file-like objects listed in @var{files}, with @var{delimited}
+inserted after each of them."
+  (computed-file name
+                 (with-imported-modules '((guix build utils))
+                   #~(begin
+                       (use-modules (guix build utils))
+                       (call-with-output-file #$output
+                         (lambda (output)
+                           (for-each (lambda (file)
+                                       (call-with-input-file file
+                                         (lambda (input)
+                                           (dump-port input output)))
+                                       (display #$delimiter output))
+                                     '#$files)))))))
+(define (openssh-configuration-files config)
+  (let ((config (plain-file "config" (openssh-configuration->string config)))
+        (known-hosts (home-openssh-configuration-known-hosts config))
+        (authorized-keys (file-join
+                          "authorized_keys"
+                          (home-openssh-configuration-authorized-keys config)
+                          "\n")))
+    `((".ssh/authorized_keys" ,authorized-keys)
+      ,@(if (unspecified? known-hosts)
+            '()
+            `((".ssh/known_hosts"
+               ,(file-join "known_hosts" known-hosts "\n"))))
+      (".ssh/config" ,config))))
+(define openssh-activation
+  (with-imported-modules (source-module-closure
+                          '((gnu build activation)))
+    #~(begin
+        (use-modules (gnu build activation))
+        ;; Make sure ~/.ssh is #o700.
+        (let* ((home (getenv "HOME"))
+               (dot-ssh (string-append home "/.ssh")))
+          (mkdir-p/perms dot-ssh (getpw (getuid)) #o700)))))
+(define home-openssh-service-type
+  (service-type
+   (name 'home-openssh)
+   (extensions
+    (list (service-extension home-files-service-type
+                             openssh-configuration-files)
+          (service-extension home-profile-service-type
+                             (compose
+                              list
+                              home-openssh-configuration-openssh))
+          (service-extension home-activation-service-type
+                             (const openssh-activation))))
+   (description "Configure the OpenSSH @acronym{SSH, secure shell}
+client and add it to the user profile.")
+   (default-value (home-openssh-configuration))))
diff --git a/gnu/ b/gnu/
index d49af0d898..f3b08ffdab 100644
--- a/gnu/
+++ b/gnu/
@@ -85,6 +85,7 @@ GNU_SYSTEM_MODULES =                          \
   %D%/home/services/fontutils.scm              \
   %D%/home/services/shells.scm                 \
   %D%/home/services/shepherd.scm               \
+  %D%/home/services/ssh.scm                    \
   %D%/home/services/mcron.scm                  \
   %D%/home/services/utils.scm                  \
   %D%/home/services/xdg.scm                    \
diff --git a/po/guix/ b/po/guix/
index 6b8bd92bb7..201e5dcc87 100644
--- a/po/guix/
+++ b/po/guix/
@@ -6,6 +6,7 @@ gnu/services.scm

base-commit: 010426e2c34428d69573cdfef88239303edcab2d

reply via email to

[Prev in Thread] Current Thread [Next in Thread]