Additional ssh configuration options.

Status: Done
Details
4 participants
  • Josselin Poiret
  • Ludovic Courtès
  • Bruno Victal
  • Nicolas Graves
Owner
unassigned
Submitted by
Nicolas Graves
Severity
normal
Nicolas Graves wrote on 26 Mar 2023 15:58
Additional ssh configuration options.
(address . guix-patches@gnu.org)
87bkkfaa2x.fsf@ngraves.fr
I'm using RDE and wanted to completely migrate RDE's ssh configuration
to Guix, now that the ssh-agent is configured.

It's not that simple, since RDE was using loosely defined alists, so I'm
only contributing options I actually use, in the next patches.

--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 26 Mar 2023 16:07
[PATCH 1/3] gnu: home-openssh-configuration: Add field add-keys-to-agent.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230326140706.32412-1-ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 44 +++++++++++++++++++++++++++++++--------
1 file changed, 35 insertions(+), 9 deletions(-)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..4ab2adb292 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2023 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -39,6 +40,7 @@ (define-module (gnu home services ssh)
home-openssh-configuration-authorized-keys
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
+ home-openssh-configuration-add-keys-to-agent
home-ssh-agent-configuration
openssh-host
@@ -185,17 +187,41 @@ (define (openssh-host-name-field? field)
(define-record-type* <home-openssh-configuration>
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
- (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
- (default '()))
- (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
- (default *unspecified*))
- (hosts home-openssh-configuration-hosts ;list of <openssh-host>
- (default '())))
+ (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
+ (default '()))
+ (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
+ (default *unspecified*))
+ (hosts home-openssh-configuration-hosts ;list of <openssh-host>
+ (default '()))
+ (add-keys-to-agent home-openssh-configuration-add-keys-to-agent ;string with limited values
+ (default "no")))
+
+(define (serialize-add-keys-to-agent value)
+ (define (is-valid-time-string? str)
+ (and (> (string-length str) 0)
+ (eq?
+ (cdr (vector-ref
+ (string-match "\
+[0-9]+|([0-9]+[Ww])?([0-9]+[Dd])?([0-9]+[Hh])?([0-9]+[Mm])?([0-9]+[Ss])?" str)
+ 1))
+ (string-length str))))
+
+ (string-append "AddKeysToAgent "
+ (cond ((member value '("yes" "no" "confirm" "ask")) value)
+ ((is-valid-time-string? value) value)
+ ((and (string-prefix? "confirm" value)
+ (is-valid-time-string?
+ (cdr (string-split value #\ )))) value)
+ ;; The 'else' branch is unreachable.
+ (else (raise (condition (&error)))))))
(define (openssh-configuration->string config)
- (string-join (map serialize-openssh-host
- (home-openssh-configuration-hosts config))
- "\n"))
+ (string-join
+ (cons* (serialize-add-keys-to-agent
+ (home-openssh-configuration-add-keys-to-agent config))
+ (map serialize-openssh-host
+ (home-openssh-configuration-hosts config)))
+ "\n"))
(define* (file-join name files #:optional (delimiter " "))
"Return a file in the store called @var{name} that is the concatenation
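Review bot: `is-valid-time-string?` in `serialize-add-keys-to-agent` breaks on the `confirm <interval>` form: `(cdr (string-split value #\ ))` yields a list, and `is-valid-time-string?` then calls `string-length` on it and fails, so a value such as `"confirm 30m"` can never be serialized; destructure the split with `match` and pass the interval string. The regex check also leans on match-structure internals: `(cdr (vector-ref m 1))` reads the end offset of the whole match and `eq?` compares numbers; `(= (match:end m) (string-length str))`, or comparing `(match:substring m)` with `str`, says what is meant. Finally, the `;; The 'else' branch is unreachable.` comment is wrong: any value outside the four keywords and the interval grammar lands there, so that branch is the user-facing validation error and should report what was rejected, e.g. `(raise (formatted-message (G_ "~s: invalid 'add-keys-to-agent' value") value))`. A short comment on the new record field would also help users: `"yes"` loads keys for the agent's default lifetime, which is unlimited unless `ssh-agent` was started with `-t`, so the `confirm` and interval forms this validator accepts are the way to bound how long a decrypted key stays resident.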
--
2.39.2
Nicolas Graves wrote on 26 Mar 2023 16:07
[PATCH 2/3] gnu: openssh-host: Add option match-criteria.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230326140706.32412-2-ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 49 ++++++++++++++++++++++++++++++++++-----
1 file changed, 43 insertions(+), 6 deletions(-)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 4ab2adb292..0bd79e4322 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -45,6 +45,7 @@ (define-module (gnu home services ssh)
openssh-host
openssh-host-host-name
+ openssh-host-match-criteria
openssh-host-identity-file
openssh-host-name
openssh-host-port
@@ -116,13 +117,39 @@ (define (serialize-string-list field lst)
(define-maybe string-list)
+(define ssh-match-keywords
+ '("canonical" "final" "exec" "host" "originalhost" "user" "localuser"))
+
+(define (match-criteria? str)
+ ;; Rule out the case of "all" keyword.
+ (if (member str '("all"
+ "canonical all"
+ "final all"))
+ #t
+ (let* ((first (string-take str (string-index str #\ )))
+ (keyword (if (string-prefix? "!" first)
+ (string-drop first 1)
+ first)))
+ (member keyword ssh-match-keywords))))
+
+(define-maybe match-criteria)
+
(define-configuration openssh-host
(name
- (string)
- "Name of this host declaration.")
+ maybe-string
+ "Name of this host declaration. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Use host-name \"*\" for top-level
+options.")
(host-name
maybe-string
"Host name---e.g., @code{\"foo.example.org\"} or @code{\"192.168.1.2\"}.")
+ (match-criteria ;TODO implement stricter match-criteria rules
+ maybe-match-criteria
+ "A string where the first element is all or one of
+@code{ssh-match-keywords}. The rest of the elements are arguments for the
+keyword, or other criteria. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Other host configuration options will
+apply to all hosts matching @code{match-criteria}.")
(address-family
maybe-address-family
"Address family to use when connecting to this host: one of
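Review bot: `match-criteria?` fails on single-keyword criteria: for a value with no space such as `"canonical"` or `"!final"`, `(string-index str #\ )` returns `#f` and `string-take` raises instead of the predicate returning a boolean. Guard it, e.g. `(string-take str (or (string-index str #\ ) (string-length str)))`. Also, `(define-maybe match-criteria)` expands to a `serialize-maybe-match-criteria` that calls `serialize-match-criteria`, which this hunk does not define; if that is intentional because `serialize-openssh-host` filters the field out, a comment saying so would prevent the next reader from "fixing" it. Minor: "A @code{openssh-host}" should be "An @code{openssh-host}" in both docstrings.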
@@ -171,17 +198,27 @@ (define-configuration openssh-host
@file{~/.ssh/config}."))
(define (serialize-openssh-host config)
- (define (openssh-host-name-field? field)
- (eq? (configuration-field-name field) 'name))
+ (define (openssh-host-name-or-match-field? field)
+ (or (eq? (configuration-field-name field) 'name)
+ (eq? (configuration-field-name field) 'match-criteria)))
(string-append
- "Host " (openssh-host-name config) "\n"
+ (if (maybe-value-set? (openssh-host-name config))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (error
+ "You must either define name or match-criteria, not both.")
+ (string-append "Host " (openssh-host-name config) "\n"))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (string-append
+ "Match " (string-join (openssh-host-match-criteria config) " ") "\n")
+ (error
+ "You must either define name or match-criteria once.")))
(string-concatenate
(map (lambda (field)
((configuration-field-serializer field)
(configuration-field-name field)
((configuration-field-getter field) config)))
- (remove openssh-host-name-field?
+ (remove openssh-host-name-or-match-field?
openssh-host-fields)))))
(define-record-type* <home-openssh-configuration>
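Review bot: the `Match` branch of `serialize-openssh-host` calls `(string-join (openssh-host-match-criteria config) " ")`, but `match-criteria` is a string (the docstring and `match-criteria?` both treat it as one) and `string-join` expects a list of strings, so every `Match` entry raises at serialization time. Emit the string directly: `(string-append "Match " (openssh-host-match-criteria config) "\n")`. The two `error` calls should become `(raise (formatted-message (G_ "…") …))` with lowercase messages per project convention, and the second one ("…once.") doesn't tell the user what to do; "an 'openssh-host' must set exactly one of 'name' or 'match-criteria'" does. One caveat worth a doc sentence: ssh takes the first obtained value for each option, so the order of `hosts` (preserved by `map` here) decides whether a `Match` block overrides or is overridden by a later `Host` entry.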
--
2.39.2
Nicolas Graves wrote on 26 Mar 2023 16:07
[PATCH 3/3] gnu: ssh: Export configuration predicates.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230326140706.32412-3-ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 0bd79e4322..a0cff86d61 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -41,7 +41,9 @@ (define-module (gnu home services ssh)
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
home-openssh-configuration-add-keys-to-agent
+ home-openssh-configuration?
home-ssh-agent-configuration
+ home-ssh-agent-configuration?
openssh-host
openssh-host-host-name
--
2.39.2
Bruno Victal wrote on 31 Mar 2023 01:00
control-msg
(name . control)(address . control@debbugs.gnu.org)
74912071-f536-c8bc-4711-db295b4da0e6@makinata.eu
# done with 5c131aff691fa1cb0fafe71b5f2795902ae056a7
close 55819

# control fail?
close 45449

# no longer relevant
close 33078

# tags
tags 62551 patch
tags 62503 patch
tags 62461 patch
tags 62443 patch
tags 62428 patch
tags 61226 patch
tags 59893 patch
tags 59852 patch
tags 49451 patch
tags 49207 patch
tags 44258 patch


quit
Ludovic Courtès wrote on 1 Apr 2023 09:45
Re: bug#62461: Additional ssh configuration options.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 62461@debbugs.gnu.org)
87mt3sgi5l.fsf_-_@gnu.org
Hi Nicolas,

Nice work!

Nicolas Graves <ngraves@ngraves.fr> wrote:

> ---
> gnu/home/services/ssh.scm | 44 +++++++++++++++++++++++++++++++--------
> 1 file changed, 35 insertions(+), 9 deletions(-)

Bonus point if you add a ChangeLog-style commit log. :-)

> +(define (serialize-add-keys-to-agent value)
> + (define (is-valid-time-string? str)
> + (and (> (string-length str) 0)
> + (eq?
> + (cdr (vector-ref
> + (string-match "\
> +[0-9]+|([0-9]+[Ww])?([0-9]+[Dd])?([0-9]+[Hh])?([0-9]+[Mm])?([0-9]+[Ss])?" str)
> + 1))
> + (string-length str))))

In general please use ‘match’ instead of car/cdr/cadddr (info "(guix)
Data Types and Pattern Matching").

That said, the result of ‘string-match’ is meant to be accessed with
‘match:substring’, not with ‘vector-ref’ (info "(guile) Match
Structures").

Nitpick: you can remove ‘is-’ from the name.

> + (string-append "AddKeysToAgent "
> + (cond ((member value '("yes" "no" "confirm" "ask")) value)
> + ((is-valid-time-string? value) value)
> + ((and (string-prefix? "confirm" value)
> + (is-valid-time-string?
> + (cdr (string-split value #\ )))) value)
> + ;; The 'else' branch is unreachable.
> + (else (raise (condition (&error)))))))

I guess the ‘else’ branch is reachable if one uses the wrong value?
Should it instead be:

(raise (formatted-message (G_ "~s: invalid 'add-keys-to-agent' value")
value))

?

Ludo’.
Ludovic Courtès wrote on 1 Apr 2023 09:59
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 62461@debbugs.gnu.org)
87fs9kghia.fsf_-_@gnu.org
Nicolas Graves <ngraves@ngraves.fr> wrote:

> ---
> gnu/home/services/ssh.scm | 49 ++++++++++++++++++++++++++++++++++-----
> 1 file changed, 43 insertions(+), 6 deletions(-)

[...]

> +(define ssh-match-keywords
> + '("canonical" "final" "exec" "host" "originalhost" "user" "localuser"))

Should it be symbols?

> (define-configuration openssh-host
> (name
> - (string)
> - "Name of this host declaration.")
> + maybe-string
> + "Name of this host declaration. A @code{openssh-host} must define only
> +@code{name} or @code{match-criteria}. Use host-name \"*\" for top-level
> +options.")

“Use host name @code{\"*\"} for …”

> + (match-criteria ;TODO implement stricter match-criteria rules
> + maybe-match-criteria
> + "A string where the first element is all or one of
> +@code{ssh-match-keywords}. The rest of the elements are arguments for the

How about: “When specified, this string denotes the set of hosts to
which the entry applies, superseding the @code{host-name} field. Its
first element must be all or one of…”

> (string-append
> - "Host " (openssh-host-name config) "\n"
> + (if (maybe-value-set? (openssh-host-name config))
> + (if (maybe-value-set? (openssh-host-match-criteria config))
> + (error
> + "You must either define name or match-criteria, not both.")
> + (string-append "Host " (openssh-host-name config) "\n"))
> + (if (maybe-value-set? (openssh-host-match-criteria config))
> + (string-append
> + "Match " (string-join (openssh-host-match-criteria config) " ") "\n")
> + (error
> + "You must either define name or match-criteria once.")))

Please report errors as lowercase messages with:

(raise (formatted-message (G_ "…") …))

You can also use ‘&fix-hint’ to provide an additional hint, if needed.

Ludo’.
Ludovic Courtès wrote on 1 Apr 2023 10:00
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 62461@debbugs.gnu.org)
87bkk8ghh1.fsf_-_@gnu.org
Nicolas Graves <ngraves@ngraves.fr> wrote:

> ---
> gnu/home/services/ssh.scm | 2 ++
> 1 file changed, 2 insertions(+)

LGTM!

BTW, for each of the first two patches, could you update ‘doc/guix.texi’
accordingly?

Thanks in advance!

Ludo’.
Nicolas Graves wrote on 17 Apr 2023 17:08
Re: [bug#62461] Additional ssh configuration options.
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 62461@debbugs.gnu.org)
871qkiv95i.fsf@ngraves.fr
On 2023-04-01 09:59, Ludovic Courtès wrote:

>> +(define ssh-match-keywords
>> + '("canonical" "final" "exec" "host" "originalhost" "user" "localuser"))
>
> Should it be symbols?

Could be. But we would then need a conversion from string to symbol
because the original match string which is split can include
spaces. Will switch if it doesn't introduce more complexity.

Thanks for your other remarks, I'll take them into account and send a
new version.

--
Best regards,
Nicolas Graves
Nicolas Graves wrote on 20 Apr 2023 10:30
[PATCH v2 1/4] gnu: home-openssh-configuration: Add field add-keys-to-agent.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230420083010.12285-1-ngraves@ngraves.fr
---
doc/guix.texi | 14 +++++++++++++
gnu/home/services/ssh.scm | 44 +++++++++++++++++++++++++++++++--------
2 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5973ea86cc..daefe63074 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42601,6 +42601,20 @@ Concretely, these files are concatenated and made available as
running on this machine, then it @emph{may} take this file into account:
this is what @command{sshd} does by default, but be aware that it can
also be configured to ignore it.
+
+@item @code{add-keys-to-agent} (default: @code{``no''})
+This string specifies whether keys should be automatically added to a
+running ssh-agent. If this option is set to @code{``yes''} and a key is
+loaded from a file, the key and its passphrase are added to the agent
+with the default lifetime, as if by @code{ssh-add}. If this option is
+set to @code{``ask''}, @code{ssh} will require confirmation. If this
+option is set to @code{``confirm''}, each use of the key must be
+confirmed. If this option is set to @code{``no''}, no keys are added to
+the agent. Alternately, this option may be specified as a time interval
+to specify the key's lifetime in @code{ssh-agent}, after which it will
+automatically be removed. The argument must be @code{``no''},
+@code{``yes''}, @code{``confirm''} (optionally followed by a time
+interval), @code{``ask''} or a time interval.
@end table
@end deftp
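Review bot: the new `@item @code{add-keys-to-agent}` entry never states the time-interval syntax the serializer enforces (a bare number of seconds, or digits suffixed with `w`, `d`, `h`, `m` or `s`, as in `"30m"` or `"1h30m"`), nor shows the combined form (`"confirm 1h"`), so a reader cannot write a valid non-keyword value from the manual alone. It would also be worth saying outright that `"yes"` loads keys for the agent's default lifetime, which is unlimited unless `ssh-agent` was started with `-t`; an interval or `confirm` is the setting that limits how long a decrypted key stays resident.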
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..4ab2adb292 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2023 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -39,6 +40,7 @@ (define-module (gnu home services ssh)
home-openssh-configuration-authorized-keys
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
+ home-openssh-configuration-add-keys-to-agent
home-ssh-agent-configuration
openssh-host
@@ -185,17 +187,41 @@ (define (openssh-host-name-field? field)
(define-record-type* <home-openssh-configuration>
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
- (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
- (default '()))
- (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
- (default *unspecified*))
- (hosts home-openssh-configuration-hosts ;list of <openssh-host>
- (default '())))
+ (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
+ (default '()))
+ (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
+ (default *unspecified*))
+ (hosts home-openssh-configuration-hosts ;list of <openssh-host>
+ (default '()))
+ (add-keys-to-agent home-openssh-configuration-add-keys-to-agent ;string with limited values
+ (default "no")))
+
+(define (serialize-add-keys-to-agent value)
+ (define (is-valid-time-string? str)
+ (and (> (string-length str) 0)
+ (eq?
+ (cdr (vector-ref
+ (string-match "\
+[0-9]+|([0-9]+[Ww])?([0-9]+[Dd])?([0-9]+[Hh])?([0-9]+[Mm])?([0-9]+[Ss])?" str)
+ 1))
+ (string-length str))))
+
+ (string-append "AddKeysToAgent "
+ (cond ((member value '("yes" "no" "confirm" "ask")) value)
+ ((is-valid-time-string? value) value)
+ ((and (string-prefix? "confirm" value)
+ (is-valid-time-string?
+ (cdr (string-split value #\ )))) value)
+ ;; The 'else' branch is unreachable.
+ (else (raise (condition (&error)))))))
(define (openssh-configuration->string config)
- (string-join (map serialize-openssh-host
- (home-openssh-configuration-hosts config))
- "\n"))
+ (string-join
+ (cons* (serialize-add-keys-to-agent
+ (home-openssh-configuration-add-keys-to-agent config))
+ (map serialize-openssh-host
+ (home-openssh-configuration-hosts config)))
+ "\n"))
(define* (file-join name files #:optional (delimiter " "))
"Return a file in the store called @var{name} that is the concatenation
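Review bot: this hunk is identical to v1 (same blob ids `01917a29cd..4ab2adb292`), so the earlier points still stand: `(cdr (string-split value #\ ))` passes a list to `is-valid-time-string?`, which fails on `string-length`, so `"confirm 30m"` cannot be serialized; the match end should be read with `match:end` or `match:substring` rather than `(vector-ref … 1)`, with `=` for the numeric comparison; and the `else` branch is the reachable validation error and should report the rejected value instead of a bare `&error`.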
--
2.39.2
Nicolas Graves wrote on 20 Apr 2023 10:30
[PATCH v2 2/4] gnu: openssh-host: Add option match-criteria.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230420083010.12285-2-ngraves@ngraves.fr
---
doc/guix.texi | 12 ++++++++-
gnu/home/services/ssh.scm | 52 ++++++++++++++++++++++++++++++++++-----
2 files changed, 57 insertions(+), 7 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index daefe63074..6c8302e990 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42625,11 +42625,21 @@ Available @code{openssh-host} fields are:
@table @asis
@item @code{name} (type: string)
-Name of this host declaration.
+Name of this host declaration. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Use host-name @code{\"*\"} for
+top-level options.
@item @code{host-name} (type: maybe-string)
Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}.
+@item @code{match-criteria} (type: maybe-match-criteria)
+When specified, this string denotes the set of hosts to which the entry
+applies, superseding the @code{host-name} field. Its first element must be
+all or one of @code{ssh-match-keywords}. The rest of the elements are
+arguments for the keyword, or other criteria. A @code{openssh-host} must
+define only @code{name} or @code{match-criteria}. Other host configuration
+options will apply to all hosts matching @code{match-criteria}.
+
@item @code{address-family} (type: address-family)
Address family to use when connecting to this host: one of
@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or
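Review bot: `@code{\"*\"}` on the `name` item carries Scheme string escapes into Texinfo, where the backslashes are printed literally; the neighbouring `host-name` item writes `@code{"foo.example.org"}`, so this should be `@code{"*"}`. "A @code{openssh-host}" should read "An @code{openssh-host}" (twice). `@code{ssh-match-keywords}` also points manual readers at a Scheme variable they cannot see; spelling out the keywords (canonical, final, exec, host, originalhost, user, localuser) makes the entry self-contained.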
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 4ab2adb292..b0c5a2db71 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -45,6 +45,7 @@ (define-module (gnu home services ssh)
openssh-host
openssh-host-host-name
+ openssh-host-match-criteria
openssh-host-identity-file
openssh-host-name
openssh-host-port
@@ -116,13 +117,40 @@ (define (serialize-string-list field lst)
(define-maybe string-list)
+(define ssh-match-keywords
+ '(canonical final exec host originalhost user localuser))
+
+(define (match-criteria? str)
+ ;; Rule out the case of "all" keyword.
+ (if (member str '("all"
+ "canonical all"
+ "final all"))
+ #t
+ (let* ((first (string-take str (string-index str #\ )))
+ (keyword (string->symbol (if (string-prefix? "!" first)
+ (string-drop first 1)
+ first))))
+ (memq keyword ssh-match-keywords))))
+
+(define-maybe match-criteria)
+
(define-configuration openssh-host
(name
- (string)
- "Name of this host declaration.")
+ maybe-string
+ "Name of this host declaration. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Use host-name @code{\"*\"} for
+top-level options.")
(host-name
maybe-string
"Host name---e.g., @code{\"foo.example.org\"} or @code{\"192.168.1.2\"}.")
+ (match-criteria ;TODO implement stricter match-criteria rules
+ maybe-match-criteria
+ "When specified, this string denotes the set of hosts to which the entry
+applies, superseding the @code{host-name} field. Its first element must be
+all or one of @code{ssh-match-keywords}. The rest of the elements are
+arguments for the keyword, or other criteria. A @code{openssh-host} must
+define only @code{name} or @code{match-criteria}. Other host configuration
+options will apply to all hosts matching @code{match-criteria}.")
(address-family
maybe-address-family
"Address family to use when connecting to this host: one of
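Review bot: switching `ssh-match-keywords` to symbols is fine, but `match-criteria?` still raises on a value without a space (`"canonical"`, `"!final"`): `(string-index str #\ )` returns `#f` and `string-take` errors on it; fall back to the whole string when there is no space. `(define-maybe match-criteria)` also generates a `serialize-maybe-match-criteria` that refers to an undefined `serialize-match-criteria`, harmless only as long as `serialize-openssh-host` keeps filtering the field out, which deserves a comment next to the `define-maybe`.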
@@ -171,17 +199,29 @@ (define-configuration openssh-host
@file{~/.ssh/config}."))
(define (serialize-openssh-host config)
- (define (openssh-host-name-field? field)
- (eq? (configuration-field-name field) 'name))
+ (define (openssh-host-name-or-match-field? field)
+ (or (eq? (configuration-field-name field) 'name)
+ (eq? (configuration-field-name field) 'match-criteria)))
(string-append
- "Host " (openssh-host-name config) "\n"
+ (if (maybe-value-set? (openssh-host-name config))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (raise
+ (formatted-message
+ (G_ "You must either define name or match-criteria, not both.")))
+ (string-append "Host " (openssh-host-name config) "\n"))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (string-append
+ "Match " (string-join (openssh-host-match-criteria config) " ") "\n")
+ (raise
+ (formatted-message
+ (G_ "You must either define name or match-criteria once.")))))
(string-concatenate
(map (lambda (field)
((configuration-field-serializer field)
(configuration-field-name field)
((configuration-field-getter field) config)))
- (remove openssh-host-name-field?
+ (remove openssh-host-name-or-match-field?
openssh-host-fields)))))
(define-record-type* <home-openssh-configuration>
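Review bot: `(string-join (openssh-host-match-criteria config) " ")` is still applied to a string; `string-join` needs a list, so every `Match` entry raises. Drop the `string-join` and append the string as-is. The messages now go through `formatted-message`, good, but the requested lowercase form isn't applied, and "…once." still doesn't tell the user what to set; e.g. `(G_ "an 'openssh-host' must set exactly one of 'name' or 'match-criteria'")`.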
--
2.39.2
Nicolas Graves wrote on 20 Apr 2023 10:30
[PATCH v2 3/4] gnu: ssh: Export configuration predicates.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230420083010.12285-3-ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index b0c5a2db71..c92b0dda4f 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -41,7 +41,9 @@ (define-module (gnu home services ssh)
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
home-openssh-configuration-add-keys-to-agent
+ home-openssh-configuration?
home-ssh-agent-configuration
+ home-ssh-agent-configuration?
openssh-host
openssh-host-host-name
--
2.39.2
Nicolas Graves wrote on 20 Apr 2023 10:30
[PATCH v2 4/4] gnu: ssh: Export home-ssh-agent variables.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
20230420083010.12285-4-ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index c92b0dda4f..d2142cfb0a 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -42,7 +42,11 @@ (define-module (gnu home services ssh)
home-openssh-configuration-hosts
home-openssh-configuration-add-keys-to-agent
home-openssh-configuration?
+
home-ssh-agent-configuration
+ home-ssh-agent-openssh
+ home-ssh-agent-socket-directory
+ home-ssh-agent-extra-options
home-ssh-agent-configuration?
openssh-host
--
2.39.2
Ludovic Courtès wrote on 14 May 2023 23:11
Re: bug#62461: Additional ssh configuration options.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 62461@debbugs.gnu.org)
874joewrdh.fsf_-_@gnu.org
Hi Nicolas,

Apologies for the late reply.

It seems some of the suggestions I made didn’t make it into v2, namely:


Could you take a look?

I’m sorry that it took so long; please feel free to ping me on IRC once
you’ve sent a new version.

Thanks,
Ludo’.
Nicolas Graves wrote on 5 Jun 2023 14:34
[PATCH v3 2/4] gnu: openssh-host: Add option match-criteria.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
ecf20672533fb7f16c56f7555587a3f4e848e8e3.1685968477.git.ngraves@ngraves.fr
---
doc/guix.texi | 12 +++++++-
gnu/home/services/ssh.scm | 58 ++++++++++++++++++++++++++++++++++-----
2 files changed, 62 insertions(+), 8 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index d5f81f6fcd..a3d5f8446d 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43126,11 +43126,21 @@ Secure Shell
@table @asis
@item @code{name} (type: string)
-Name of this host declaration.
+Name of this host declaration. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Use host-name @code{\"*\"} for
+top-level options.
@item @code{host-name} (type: maybe-string)
Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}.
+@item @code{match-criteria} (type: maybe-match-criteria)
+When specified, this string denotes the set of hosts to which the entry
+applies, superseding the @code{host-name} field. Its first element must be
+all or one of @code{ssh-match-keywords}. The rest of the elements are
+arguments for the keyword, or other criteria. A @code{openssh-host} must
+define only @code{name} or @code{match-criteria}. Other host configuration
+options will apply to all hosts matching @code{match-criteria}.
+
@item @code{address-family} (type: maybe-address-family)
Address family to use when connecting to this host: one of
@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only).
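Review bot: unchanged from v2, so the same documentation points apply: `@code{\"*\"}` should be `@code{"*"}` (the backslashes are Scheme escapes and will be printed in the manual), "A @code{openssh-host}" should be "An @code{openssh-host}", and the accepted keywords should be listed in the text rather than referenced as `@code{ssh-match-keywords}`.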
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 2de78eb1c4..017bbbc2dd 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -48,6 +48,7 @@ (define-module (gnu home services ssh)
openssh-host
openssh-host-host-name
+ openssh-host-match-criteria
openssh-host-identity-file
openssh-host-name
openssh-host-port
@@ -95,7 +96,11 @@ (define (serialize-address-family field family)
(cond ((= family AF_INET) "inet")
((= family AF_INET6) "inet6")
;; The 'else' branch is unreachable.
- (else (raise (condition (&error)))))
+ (else
+ (raise
+ (formatted-message
+ (G_ "~s: invalid 'address-family' value")
+ value))))
"\n")
""))
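Review bot: the new `else` branch references `value`, but the procedure's parameter is `family` (see `(define (serialize-address-family field family)` in the hunk header), so unless `value` is bound elsewhere in the module the error path now fails with an unbound variable instead of reporting the bad setting; use `family`. The `;; The 'else' branch is unreachable.` comment directly above should go as well, since this branch is exactly the reachable error path the `formatted-message` is written for.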
@@ -173,13 +178,40 @@ (define (sanitize-proxy-command properties)
(configuration-field-error (source-properties->location properties) 'proxy-command value))
value))
+(define ssh-match-keywords
+ '(canonical final exec host originalhost user localuser))
+
+(define (match-criteria? str)
+ ;; Rule out the case of "all" keyword.
+ (if (member str '("all"
+ "canonical all"
+ "final all"))
+ #t
+ (let* ((first (string-take str (string-index str #\ )))
+ (keyword (string->symbol (if (string-prefix? "!" first)
+ (string-drop first 1)
+ first))))
+ (memq keyword ssh-match-keywords))))
+
+(define-maybe match-criteria)
+
(define-configuration openssh-host
(name
- (string)
- "Name of this host declaration.")
+ maybe-string
+ "Name of this host declaration. A @code{openssh-host} must define only
+@code{name} or @code{match-criteria}. Use host-name @code{\"*\"} for
+top-level options.")
(host-name
maybe-string
"Host name---e.g., @code{\"foo.example.org\"} or @code{\"192.168.1.2\"}.")
+ (match-criteria ;TODO implement stricter match-criteria rules
+ maybe-match-criteria
+ "When specified, this string denotes the set of hosts to which the entry
+applies, superseding the @code{host-name} field. Its first element must be
+all or one of @code{ssh-match-keywords}. The rest of the elements are
+arguments for the keyword, or other criteria. A @code{openssh-host} must
+define only @code{name} or @code{match-criteria}. Other host configuration
+options will apply to all hosts matching @code{match-criteria}.")
(address-family
maybe-address-family
"Address family to use when connecting to this host: one of
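Review bot: `match-criteria?` is unchanged from v2 and still raises on a criteria string without a space (`"canonical"`, `"!final"`) because `(string-index str #\ )` returns `#f` and `string-take` cannot take `#f` characters; take the whole string in that case. The undefined `serialize-match-criteria` behind `(define-maybe match-criteria)` also still deserves a comment explaining that the field is filtered out before serialization.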
@@ -234,17 +266,29 @@ (define-configuration openssh-host
@file{~/.ssh/config}."))
(define (serialize-openssh-host config)
- (define (openssh-host-name-field? field)
- (eq? (configuration-field-name field) 'name))
+ (define (openssh-host-name-or-match-field? field)
+ (or (eq? (configuration-field-name field) 'name)
+ (eq? (configuration-field-name field) 'match-criteria)))
(string-append
- "Host " (openssh-host-name config) "\n"
+ (if (maybe-value-set? (openssh-host-name config))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (raise
+ (formatted-message
+ (G_ "You must either define name or match-criteria, not both.")))
+ (string-append "Host " (openssh-host-name config) "\n"))
+ (if (maybe-value-set? (openssh-host-match-criteria config))
+ (string-append
+ "Match " (string-join (openssh-host-match-criteria config) " ") "\n")
+ (raise
+ (formatted-message
+ (G_ "You must either define name or match-criteria once.")))))
(string-concatenate
(map (lambda (field)
((configuration-field-serializer field)
(configuration-field-name field)
((configuration-field-getter field) config)))
- (remove openssh-host-name-field?
+ (remove openssh-host-name-or-match-field?
openssh-host-fields)))))
(define-record-type* <home-openssh-configuration>
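Review bot: the `Match` branch still calls `string-join` on a string (`openssh-host-match-criteria` returns the string `match-criteria?` validated), so any `Match` entry raises; append the string directly. The two `formatted-message` texts are still capitalized and the second still says "once" rather than naming the field the user has to set.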
--
2.40.1
Nicolas Graves wrote on 5 Jun 2023 14:34
[PATCH v3 1/4] gnu: home-openssh-configuration: Add field add-keys-to-agent.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
6e0836e1ad23b625b912f2aa0893c2c0b1f4e37c.1685968477.git.ngraves@ngraves.fr
---
doc/guix.texi | 14 ++++++++++++
gnu/home/services/ssh.scm | 48 +++++++++++++++++++++++++++++++--------
2 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f620d0eb35..d5f81f6fcd 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43102,6 +43102,20 @@ Secure Shell
running on this machine, then it @emph{may} take this file into account:
this is what @command{sshd} does by default, but be aware that it can
also be configured to ignore it.
+
+@item @code{add-keys-to-agent} (default: @code{``no''})
+This string specifies whether keys should be automatically added to a
+running ssh-agent. If this option is set to @code{``yes''} and a key is
+loaded from a file, the key and its passphrase are added to the agent
+with the default lifetime, as if by @code{ssh-add}. If this option is
+set to @code{``ask''}, @code{ssh} will require confirmation. If this
+option is set to @code{``confirm''}, each use of the key must be
+confirmed. If this option is set to @code{``no''}, no keys are added to
+the agent. Alternately, this option may be specified as a time interval
+to specify the key's lifetime in @code{ssh-agent}, after which it will
+automatically be removed. The argument must be @code{``no''},
+@code{``yes''}, @code{``confirm''} (optionally followed by a time
+interval), @code{``ask''} or a time interval.
@end table
@end deftp
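Review bot: same text as the v2 manual entry, and it still omits the interval syntax that `serialize-add-keys-to-agent` enforces (a plain number, or digits with `w`/`d`/`h`/`m`/`s` suffixes such as `"1h30m"`) and the combined `"confirm <interval>"` form. Stating that `"yes"` keeps the key loaded for the agent's default lifetime (unlimited unless `ssh-agent` was started with `-t`) would make clear why an interval or `confirm` is the safer choice.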
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 628dc743ae..2de78eb1c4 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -1,6 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2023 Janneke Nieuwenhuizen <janneke@gnu.org>
+;;; Copyright © 2023 Nicolas Graves <ngraves@ngraves.fr>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -42,6 +43,7 @@ (define-module (gnu home services ssh)
home-openssh-configuration-authorized-keys
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
+ home-openssh-configuration-add-keys-to-agent
home-ssh-agent-configuration
openssh-host
@@ -248,17 +250,45 @@ (define (serialize-openssh-host config)
(define-record-type* <home-openssh-configuration>
home-openssh-configuration make-home-openssh-configuration
home-openssh-configuration?
- (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
- (default #f))
- (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
- (default *unspecified*))
- (hosts home-openssh-configuration-hosts ;list of <openssh-host>
- (default '())))
+ (authorized-keys home-openssh-configuration-authorized-keys ;list of file-like
+ (default #f))
+ (known-hosts home-openssh-configuration-known-hosts ;unspec | list of file-like
+ (default *unspecified*))
+ (hosts home-openssh-configuration-hosts ;list of <openssh-host>
+ (default '()))
+ (add-keys-to-agent home-openssh-configuration-add-keys-to-agent ;string with limited values
+ (default "no")))
+
+(define (serialize-add-keys-to-agent value)
+ (define (valid-time-string? str)
+ (and (> (string-length str) 0)
+ (equal?
+ str
+ (match:substring
+ (string-match "\
+[0-9]+|([0-9]+[Ww])?([0-9]+[Dd])?([0-9]+[Hh])?([0-9]+[Mm])?([0-9]+[Ss])?"
+ str)))))
+
+ (string-append "AddKeysToAgent "
+ (cond ((member value '("yes" "no" "confirm" "ask")) value)
+ ((valid-time-string? value) value)
+ ((and (string-prefix? "confirm" value)
+ (valid-time-string?
+ (cdr (string-split value #\ )))) value)
+ ;; The 'else' branch is unreachable.
+ (else
+ (raise
+ (formatted-message
+ (G_ "~s: invalid 'add-keys-to-agent' value")
+ value))))))
(define (openssh-configuration->string config)
- (string-join (map serialize-openssh-host
- (home-openssh-configuration-hosts config))
- "\n"))
+ (string-join
+ (cons* (serialize-add-keys-to-agent
+ (home-openssh-configuration-add-keys-to-agent config))
+ (map serialize-openssh-host
+ (home-openssh-configuration-hosts config)))
+ "\n"))
(define* (file-join name files #:optional (delimiter " "))
"Return a file in the store called @var{name} that is the concatenation
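Review bot: the `confirm <interval>` branch is broken: `(cdr (string-split value #\ ))` yields a list, and `valid-time-string?` immediately calls `string-length` on it, so `"confirm 1h"` raises a wrong-type error instead of serializing, and a value such as `"confirmfoo"` (prefix matches, no space) reaches the same branch with `'()`. Check that the split produced exactly two elements and pass `(cadr ...)` to `valid-time-string?`; that also rejects `"confirm 1h extra"`, and spelling the separator `#\space` is easier to read than a bare `#\ `. `string-match` and `match:substring` come from `(ice-9 regex)`, and nothing in this patch adds it to the `define-module` form, so the serializer is unbound as submitted (Ludovic's closing message in this thread notes having to add it). The comment `;; The 'else' branch is unreachable.` is misleading: the record field has no sanitizer, so any other string, say `"maybe"`, reaches it, and that `raise` is the only validation the field gets; keep the `raise`, drop the comment. Anchoring the pattern with `^` and `$` would state the intent directly instead of relying on the `equal?` round trip. Lastly, `openssh-configuration->string` now emits `AddKeysToAgent no` for every user, including those who never set the field; emitting the line only when the value differs from the default would leave existing generated files unchanged.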

base-commit: eed55a6544d5bda2245ec853e5fa4b28e1865bea
prerequisite-patch-id: a057b35ab55298bad50caab186b3e692a25230e1
prerequisite-patch-id: fb9054f780e6f97b92f00fdbe56058d1188ccf0a
prerequisite-patch-id: ca2f2591980b80c5cf27846e59e323bdc5a06b00
prerequisite-patch-id: ae5ad13b181ebb3c31d529af50622e3b78641442
prerequisite-patch-id: 34ed6acb0a1e5f79b5f6d18a6d4ef70cd97bf7ad
prerequisite-patch-id: 10d52b209b6e9c771050eef67ce566e79ab55c49
prerequisite-patch-id: e78e2a6daf59564caf5d2affe04ea7dde07f76c6
prerequisite-patch-id: 6aad4df7b83bfd5c2da38d9c2f80fba749f607b5
prerequisite-patch-id: da6a2d63ebb0ba1abb0b7c569d353724d900f95f
prerequisite-patch-id: 6279cff75e76e262f6ec82518db1fdf4c1810303
prerequisite-patch-id: 44453fcf2f2c38212a47d45d43ddcfa98167fabe
prerequisite-patch-id: 641eae2fa3842045ebe6072ad78214002f818221
prerequisite-patch-id: c19de9ee8c57210cbffc79945e69a858639f39bf
prerequisite-patch-id: 9833a747398a641803e203f8293382f55ad24ed1
prerequisite-patch-id: 94d5340918e3626726b6d32d93bf47425751898f
prerequisite-patch-id: e18164416e2c070b0b71f770c90d4c04af2635c1
prerequisite-patch-id: 31e98ea035053a965e87ad0164030cf909922d9e
prerequisite-patch-id: a1cf1f5c4a0ff2804fac986a69ffbc0328300afe
prerequisite-patch-id: 2a54e276f79fb57113a0be11e1ea2c07fdc2727d
prerequisite-patch-id: a463de1ba17ecb39588dfbd46c3bc5f9e0fb1b1c
prerequisite-patch-id: 3188de66dfc4bcb71f90601822428701528f4a98
prerequisite-patch-id: 6c93f771a1eca0747fd92a770fe750e2f15d8e52
prerequisite-patch-id: 12b76e9c2751da73ed64c9489b15f74ff17568cf
prerequisite-patch-id: eb618ab7b10483d917c308a38792af98baa517e2
prerequisite-patch-id: a471a4b7839bfb0ee9a3fd53ed962d729d38bd94
prerequisite-patch-id: 5e58202cc87a257c78033dafa62ffae4383e3718
prerequisite-patch-id: cd7f69695aa47b7e1b1160841fe842a3acd160e7
prerequisite-patch-id: b542cf4087eeee1ee3f7fc03b7c39896417bc7b5
prerequisite-patch-id: 843773f53ca319821185f9f9bc43ad905f081ee7
prerequisite-patch-id: a2dfb2fba1e1a3c8e270823022b6f462d27f17c8
--
2.40.1
Nicolas Graves wrote on 5 Jun 2023 14:34
[PATCH v3 3/4] gnu: ssh: Export configuration predicates.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
81f8bc18e5c5fd461dbec41308fa3ecf84264b7f.1685968477.git.ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 017bbbc2dd..4ff3395e06 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -44,7 +44,9 @@ (define-module (gnu home services ssh)
home-openssh-configuration-known-hosts
home-openssh-configuration-hosts
home-openssh-configuration-add-keys-to-agent
+ home-openssh-configuration?
home-ssh-agent-configuration
+ home-ssh-agent-configuration?
openssh-host
openssh-host-host-name
--
2.40.1
Nicolas Graves wrote on 5 Jun 2023 14:34
[PATCH v3 4/4] gnu: ssh: Export home-ssh-agent variables.
(address . 62461@debbugs.gnu.org)(address . ngraves@ngraves.fr)
301925a934e8b44f00e6f421dc678c6d4bbe0590.1685968477.git.ngraves@ngraves.fr
---
gnu/home/services/ssh.scm | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 4ff3395e06..3053a88fad 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -45,7 +45,11 @@ (define-module (gnu home services ssh)
home-openssh-configuration-hosts
home-openssh-configuration-add-keys-to-agent
home-openssh-configuration?
+
home-ssh-agent-configuration
+ home-ssh-agent-openssh
+ home-ssh-agent-socket-directory
+ home-ssh-agent-extra-options
home-ssh-agent-configuration?
openssh-host
--
2.40.1
Ludovic Courtès wrote on 9 Jun 2023 23:43
Re: bug#62461: Additional ssh configuration options.
(name . Nicolas Graves)(address . ngraves@ngraves.fr)(address . 62461-done@debbugs.gnu.org)
87h6rgtip0.fsf_-_@gnu.org
Hi Nicolas,

I have finally installed v3, thanks!

Please note that despite previous round trips this was a time-consuming
task: adding commit logs (they would have guided review), chasing
unbound variables (#:use-module (ice-9 regex) was missing), tweaking
error messages for consistency (lower-case, no period), etc. Please
keep that in mind for the next series. :-)

Thanks again!

Ludo’.
Closed
Josselin Poiret wrote on 4 Jul 2023 22:17
Re: bug#62461: Additional ssh configuration options.
(address . 62461-done@debbugs.gnu.org)
87o7kr77ow.fsf@jpoiret.xyz
Hi Nicolas and Ludo,

Ludovic Courtès <ludo@gnu.org> writes:

> Hi Nicolas,
>
> I have finally installed v3, thanks!

I'm noticing that guile is now throwing a warning for the `(define-maybe
match-criteria)` line. I don't know anything about the fancy
configuration framework, but Brian tells me that a quick fix could be to
change define-maybe to define-maybe/no-serialization. Nicolas, can you
have a look? I'd be happy to push the fix.

Best,
--
Josselin Poiret

Nicolas Graves wrote on 21 Jul 2023 22:23
Re: [bug#62461] Additional ssh configuration options.
(address . 62461-done@debbugs.gnu.org)
87zg3povy7.fsf@ngraves.fr
On 2023-07-04 22:17, Josselin Poiret via Guix-patches wrote:

> Hi Nicolas and Ludo,
>
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hi Nicolas,
>>
>> I have finally installed v3, thanks!
>
> I'm noticing that guile is now throwing a warning for the `(define-maybe
> match-criteria)` line. I don't know anything about the fancy
> configuration framework, but Brian tells me that a quick fix could be to
> change define-maybe to define-maybe/no-serialization. Nicolas, can you
> have a look? I'd be happy to push the fix.

Hi Josselin!

Sorry for the late answer. This is done in the recent patch 64777, which
also fixed the serialization (the ssh match is a string in this version,
not a list).

>
> Best,

--
Best regards,
Nicolas Graves