[PATCH 1/2] home: services: openssh: Add configuration option for jump proxies

2 participants
  • Ludovic Courtès
  • Saku Laesvuori
Owner
unassigned
Submitted by
Saku Laesvuori
Severity
normal

Saku Laesvuori wrote 2 years ago
Recipients: guix-patches@gnu.org, Saku Laesvuori <saku@laesvuori.fi>
Message-ID: 20230420113024.7999-1-saku@laesvuori.fi
Add a new 'proxy' field to openssh-host to allow ProxyCommand or
ProxyJump, but not both, to be configured. Configuring both would cause
the serialization order to determine which one is used. Deprecate the
'proxy-command' field because the 'proxy' field replaces it.

* gnu/home/services/ssh.scm (proxy-jump->string,
proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
sanitize-proxy-command): New procedure.
(proxy-jump, proxy-command): New record type.
(openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
can't have ProxyCommand and ProxyJump configured at the same time.
* doc/guix.texi (Secure Shell): Update to match the changes to the
service.
---
doc/guix.texi | 29 ++++++++++++++---
gnu/home/services/ssh.scm | 65 ++++++++++++++++++++++++++++++++++++++-
2 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..da25bba770 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42618,10 +42618,31 @@ machine.
@item @code{compression?} (default: @code{#f}) (type: boolean)
Whether to compress data in transit.
-@item @code{proxy-command} (type: maybe-string)
-The command to use to connect to the server. As an example, a command
-to connect via an HTTP proxy at 192.0.2.0 would be: @code{"nc -X connect
--x 192.0.2.0:8080 %h %p"}.
+@item @code{proxy} (type: maybe-proxy-command-or-jump-list)
+The command to use to connect to the server or a list of SSH hosts to
+jump through before connecting to the server. The field may be set to either a
+@code{proxy-command} or a list of @code{proxy-jump} records.
+
+As an example, a @code{proxy-command} to connect via an HTTP proxy at 192.0.2.0
+would be constructed with: @code{(proxy-command "nc -X connect -x
+192.0.2.0:8080 %h %p")}.
+
+@deftp {Data Type} proxy-jump
+Available @code{proxy-jump} fields are:
+
+@table @asis
+@item @code{user} (type: maybe-string)
+User name on the remote host.
+
+@item @code{host-name} (type: string)
+Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.
+
+@item @code{port} (type: maybe-natural-number)
+TCP port number to connect to.
+
+@end table
+
+@end deftp
@item @code{host-key-algorithms} (type: maybe-string-list)
The list of accepted host key algorithms---e.g.,
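Review bot: the new @code{proxy} entry never says which ssh_config directive each form turns into, nor that a list of @code{proxy-jump} records is traversed in list order; since readers will cross-reference ssh_config(5), a sentence such as "A @code{proxy-command} is emitted as a @code{ProxyCommand} directive; a list of @code{proxy-jump} records is emitted as a @code{ProxyJump} directive and the jumps are traversed in list order" would make the mapping explicit. Also, because @code{proxy-command} remains a (deprecated) field of @code{openssh-host} rather than being removed, the manual should say it is deprecated in favour of @code{proxy} instead of dropping the entry silently; otherwise users who still have it in their configuration cannot find out from the manual why they are warned.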
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..6aeb6ad5a7 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -20,6 +20,7 @@
(define-module (gnu home services ssh)
#:use-module (guix gexp)
#:use-module (guix records)
+ #:use-module (guix deprecation)
#:use-module (guix diagnostics)
#:use-module (guix i18n)
#:use-module (gnu services)
@@ -32,6 +33,8 @@ (define-module (gnu home services ssh)
#:autoload (gnu packages base) (glibc-utf8-locales)
#:use-module (gnu packages ssh)
#:use-module (srfi srfi-1)
+ #:use-module (srfi srfi-9)
+ #:use-module (srfi srfi-9 gnu)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
@@ -55,6 +58,12 @@ (define-module (gnu home services ssh)
openssh-host-host-key-algorithms
openssh-host-accepted-key-types
openssh-host-extra-content
+ proxy-jump
+ proxy-jump-host-name
+ proxy-jump-port
+ proxy-jump-user
+ proxy-command
+ proxy-command->string
home-openssh-service-type
home-ssh-agent-service-type))
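Review bot: the export list adds `proxy-command->string` and the `proxy-jump` accessors but not the predicates `proxy-command?` and `proxy-jump?`, even though `proxy-command-or-jump-list?` relies on both; user code that builds host declarations programmatically, and any test for this service, will want to check values with the predicates, so consider exporting them alongside `proxy-command` and `proxy-jump`.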
@@ -114,6 +123,54 @@ (define (serialize-string-list field lst)
(define-maybe string-list)
+(define-record-type <proxy-command>
+ (proxy-command command)
+ proxy-command?
+ (command proxy-command->string))
+
+(set-record-type-printer! <proxy-command>
+ (lambda (obj port)
+ (format port "#<proxy-command ~s>" (proxy-command->string obj))))
+
+(define-configuration/no-serialization proxy-jump
+ (user
+ maybe-string
+ "User name on the remote host.")
+ (host-name
+ (string)
+ "Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.")
+ (port
+ maybe-natural-number
+ "TCP port number to connect to."))
+
+(define (proxy-jump->string proxy-jump)
+ (match-record proxy-jump <proxy-jump>
+ (host-name user port)
+ (string-append
+ (if (maybe-value-set? user) (string-append user "@") "")
+ host-name
+ (if (maybe-value-set? port) (string-append ":" (number->string port)) ""))))
+
+(define (proxy-command-or-jump-list? x)
+ (or (proxy-command? x)
+ (and (list? x)
+ (every proxy-jump? x))))
+
+(define (serialize-proxy-command-or-jump-list field value)
+ (if (proxy-command? value)
+ (serialize-string 'proxy-command (proxy-command->string value))
+ (serialize-string-list 'proxy-jump (map proxy-jump->string value))))
+
+(define-maybe proxy-command-or-jump-list)
+
+(define (sanitize-proxy-command properties)
+ (lambda (value)
+ (when (maybe-value-set? value)
+ (warn-about-deprecation 'proxy-command properties #:replacement 'proxy))
+ (unless (maybe-string? value)
+ (configuration-field-error (source-properties->location properties) 'proxy-command value))
+ value))
+
(define-configuration openssh-host
(name
(string)
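Review bot: `proxy-command-or-jump-list?` accepts the empty list, because `every` returns #t on `'()`, so `(proxy '())` passes validation and is serialized as a `ProxyJump` line with no argument, which ssh rejects as a missing argument when it reads the config; requiring a non-empty list, e.g. `(and (pair? x) (every proxy-jump? x))`, catches that at build time instead. Separately, the commit message's goal of preventing `ProxyCommand` and `ProxyJump` from both being configured is not actually enforced: `sanitize-proxy-command` only sees its own field, so a host declaration that sets both the deprecated `proxy-command` and `proxy` still emits both directives and serialization order decides which one ssh uses, exactly the situation the message says this change avoids. A check at the `openssh-host` level that errors (or at least warns) when both fields are set would close that gap. Finally, `proxy-jump->string` builds `user@host:port` with no brackets, so if an IPv6 literal is given as `host-name` together with a `port` the result is ambiguous; either document that `host-name` should be a host name in that case or emit the bracketed `[addr]:port` form when the address contains a colon.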
@@ -155,7 +212,13 @@ (define-configuration openssh-host
maybe-string
"The command to use to connect to the server. As an example, a command
to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X
-connect -x 192.0.2.0:8080 %h %p\"}.")
+connect -x 192.0.2.0:8080 %h %p\"}. Using 'proxy-command' is deprecated, use
+'proxy' instead."
+ (sanitizer (sanitize-proxy-command (current-source-location))))
+ (proxy
+ maybe-proxy-command-or-jump-list
+ "The command to use to connect to the server or a list of SSH hosts to jump
+through before connecting to the server.")
(host-key-algorithms
maybe-string-list
"The list of accepted host key algorithms---e.g.,
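Review bot: the deprecation sentence added to the `proxy-command` docstring uses plain quotes ('proxy-command', 'proxy') while the rest of the string uses Texinfo markup; since these docstrings are rendered into the manual, write `@code{proxy-command}` and `@code{proxy}` for consistency with the surrounding `@code{\"nc -X ...\"}`.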

base-commit: a9f4b6ecd00112ae4fb04dfbe0f9cc86b042dbc5
--
2.39.2
Saku Laesvuori wrote 2 years ago
[PATCH 2/2] doc: Update openssh-host documentation.
Recipients: 62966@debbugs.gnu.org, Saku Laesvuori <saku@laesvuori.fi>
Message-ID: 20230420113212.11941-1-saku@laesvuori.fi
* doc/guix.texi (Secure Shell): Update openssh-host documentation to
match the code.
---
doc/guix.texi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index da25bba770..10e2acc434 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42589,10 +42589,10 @@ Name of this host declaration.
@item @code{host-name} (type: maybe-string)
Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}.
-@item @code{address-family} (type: address-family)
+@item @code{address-family} (type: maybe-address-family)
Address family to use when connecting to this host: one of
-@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or
-@code{*unspecified*} (allowing any address family).
+@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only).
+Additionally, the field can be left unset to allow any address family.
@item @code{identity-file} (type: maybe-string)
The identity file to use---e.g., @code{"/home/charlie/.ssh/id_ed25519"}.
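Review bot: the rewritten sentence now reads "one of @code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only)." with the conjunction dropped along with the removed third alternative; "one of @code{AF_INET} (for IPv4 only) or @code{AF_INET6} (for IPv6 only)." reads naturally, and the new sentence about leaving the field unset can stay as it is.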
--
2.39.2
Ludovic Courtès wrote 2 years ago
Re: bug#62966: [PATCH 1/2] home: services: openssh: Add configuration option for jump proxies
Recipients: Saku Laesvuori <saku@laesvuori.fi>, 62966-done@debbugs.gnu.org
Message-ID: 87leilgtbq.fsf@gnu.org
Hi Saku,

Saku Laesvuori <saku@laesvuori.fi> wrote:

> Add a new 'proxy' field to openssh-host to allow ProxyCommand or
> ProxyJump, but not both, to be configured. Configuring both would cause
> the serialization order to determine which one is used. Deprecate the
> 'proxy-command' field because the 'proxy' field replaces it.
>
> * gnu/home/services/ssh.scm (proxy-jump->string,
> proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
> sanitize-proxy-command): New procedure.
> (proxy-jump, proxy-command): New record type.
> (openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
> can't have ProxyCommand and ProxyJump configured at the same time.
> * doc/guix.texi (Secure Shell): Update to match the changes to the
> service.

Nice improvement.

> * doc/guix.texi (Secure Shell): Update openssh-host documentation to
> match the code.

Applied, thanks!

Ludo’.
Closed