openssh: init module #1172

Merged (1 commit), Jan 11, 2025
1 change: 1 addition & 0 deletions modules/module-list.nix
@@ -82,6 +82,7 @@
./services/nix-gc
./services/nix-optimise
./services/ofborg
./services/openssh.nix
./services/postgresql
./services/privoxy
./services/redis
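Review bot: style point on the new import line: the neighbouring entries (`./services/ofborg`, `./services/postgresql`, `./services/redis`) are directories, while this one is a single file, `./services/openssh.nix`. Both forms import fine, but if the module is expected to grow beyond a single `enable` option, a `./services/openssh/default.nix` layout would match the surrounding convention and avoid a rename later.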
33 changes: 33 additions & 0 deletions modules/services/openssh.nix
@@ -0,0 +1,33 @@
{ config, lib, ... }:

let
cfg = config.services.openssh;
in
{
options = {
services.openssh.enable = lib.mkOption {
type = lib.types.nullOr lib.types.bool;
default = null;
description = ''
Whether to enable Apple's built-in OpenSSH server.
The default is null which means let macOS manage the OpenSSH server.
'';
};
};

config = {
# We don't use `systemsetup -setremotelogin` as it requires Full Disk Access
system.activationScripts.launchd.text = lib.mkIf (cfg.enable != null) (if cfg.enable then ''
if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "Off" ]]; then
launchctl enable system/com.openssh.sshd
launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist
fi
'' else ''
if [[ "$(systemsetup -getremotelogin | sed 's/Remote Login: //')" == "On" ]]; then
launchctl bootout system/com.openssh.sshd
launchctl disable system/com.openssh.sshd
fi
'');
};
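Review bot: the `enable = false` branch silently does nothing whenever `systemsetup -getremotelogin` prints anything other than `Remote Login: On`, for example a permission error on stderr or a changed output format, so a user who set `services.openssh.enable = false;` can be left with `system/com.openssh.sshd` still bootstrapped and no activation failure to tell them; the `true` branch has the mirror-image problem with `Off`. Consider capturing the output once, matching both expected strings explicitly, and failing the activation script on anything else, e.g. `*) echo "openssh: unexpected systemsetup output: $state" >&2; exit 1 ;;`. Two smaller points on the same lines: the comment about `systemsetup -setremotelogin` needing Full Disk Access should also say whether `-getremotelogin` is affected, since the script's correctness now depends on that call succeeding; and the option description should state that `false` boots out and disables `system/com.openssh.sshd` via launchctl, so users know what "disabled" actually means before relying on it.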
Comment on lines +20 to +32
Collaborator


The logic for when cfg.enable is false worries me a little, because it seems like you might think your SSH server is off and you’re totally protected, but there’s actually a race condition between boot and the activation scripts running where the server can be accessed?

Do we know if there are any meaningful differences between what this does and what systemsetup -setremotelogin does? It may be better to just require FDA for this module, as it would certainly solve the race condition.

Collaborator Author


Currently we're adding the text to the launchd activation script, which is not one of the activation scripts that runs on boot (etcChecks, etc and keyboard). (Unrelated tangent: we'll probably want users.users.launchd.agents to allow us to do user activation when they log in, as it might have interactive prompts.)

When you bootout and disable the SSH server, it won't get re-enabled on reboot. I've tested this on a VM by manually going into the Sharing menu, enabling Remote Login, doing a darwin-rebuild switch with services.openssh.enable = false;, rebooting and checking that Remote Login is still disabled.

Collaborator


Ah, so it actually toggles the visible preference in System Settings when you do this? That’s good enough for me then. Strange that they have a back door like this, though; I wouldn’t be surprised if we have to move to the proper command in future.

}
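The thread above worries about a user believing sshd is off when it is not. One way that can happen with the merged script, independent of the boot-order question, is that the `[[ ... == "Off" ]]` / `== "On"` comparisons treat any unexpected `systemsetup` output as "not the state I was looking for" and quietly skip both branches. The following is an added example, not code from the PR or from nix-darwin, showing the same enable/disable logic restructured so that the observed state is parsed into exactly `on`, `off` or `unknown`, and `unknown` makes the activation step fail loudly instead of doing nothing. The function names (`remote_login_state`, `desired_action`, `apply_remote_login`) are hypothetical, the sample `systemsetup` outputs are constructed, and the `launchctl` invocations are the same ones the PR uses.

```bash
#!/usr/bin/env bash
# Added example for the nix-darwin openssh discussion; not the PR's own code.

# remote_login_state: parse the output of `systemsetup -getremotelogin`.
# The raw output is passed in as $1 so the parsing can be exercised anywhere.
# Prints exactly one of: on | off | unknown. Anything that is not one of the
# two expected lines (a permission error, a changed format) is "unknown",
# rather than being silently treated as "not On" or "not Off".
remote_login_state() {
  case "$1" in
    "Remote Login: On")  echo on ;;
    "Remote Login: Off") echo off ;;
    *)                   echo unknown ;;
  esac
}

# desired_action: given the configured value of services.openssh.enable
# ("true" or "false") and the observed state, print the action to take.
# Returns non-zero for an unknown state so the caller can abort the
# activation step instead of leaving sshd in an unverified state.
desired_action() {
  local want="$1" state="$2"
  case "$want:$state" in
    true:off)  echo "enable+bootstrap" ;;
    true:on)   echo "noop" ;;
    false:on)  echo "bootout+disable" ;;
    false:off) echo "noop" ;;
    *)         echo "error"; return 1 ;;
  esac
}

# apply_remote_login: the activation-time entry point (macOS only; it calls
# systemsetup and launchctl). $1 is "true" or "false".
apply_remote_login() {
  local want="$1" raw state action
  # Capture stderr too: a non-root or FDA-related error message must not be
  # mistaken for a normal answer, and must not be lost.
  raw="$(systemsetup -getremotelogin 2>&1)" || true
  state="$(remote_login_state "$raw")"
  action="$(desired_action "$want" "$state")" || {
    echo "openssh: could not determine Remote Login state: $raw" >&2
    return 1
  }
  case "$action" in
    enable+bootstrap)
      launchctl enable system/com.openssh.sshd
      launchctl bootstrap system /System/Library/LaunchDaemons/ssh.plist ;;
    bootout+disable)
      launchctl bootout system/com.openssh.sshd
      launchctl disable system/com.openssh.sshd ;;
    noop) : ;;
  esac
}
```

In an activation script this would be called as `apply_remote_login false` (or `true`) and the script would be run with `set -e`, so the `return 1` on an unparseable state surfaces as a failed `darwin-rebuild switch` rather than a system that reports one thing and runs another. The parsing is deliberately exact-match: loosening it to a substring check would bring back the original ambiguity.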