chn/home-manager
1
0
Fork 0
mirror of https://github.com/nix-community/home-manager.git synced 2026-01-11 09:29:41 +08:00
Code Issues Packages Projects Releases Wiki Activity

ssh-agent: add allowedPKCS11Providers option

Browse Source
This commit is contained in:
Xinyang Li
2026-01-07 21:04:34 +02:00
committed by Austin Horstman
parent 3351348827
commit 47db0fde35
7 changed files with 92 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
modules/services/ssh-agent.nix
View File

@@ -37,6 +37,17 @@ in
''; '';
}; };
pkcs11Whitelist = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = lib.literalExpression ''[ "''${pkgs.tpm2-pkcs11}/lib/*" ]'';
description = ''
Specify a list of approved path patterns for PKCS#11 and FIDO authenticator middleware libraries. When using the -s or -S options with {manpage}`ssh-add(1)`, only libraries matching these patterns will be accepted.
See {manpage}`ssh-agent(1)`.
'';
};
enableBashIntegration = lib.hm.shell.mkBashIntegrationOption { inherit config; }; enableBashIntegration = lib.hm.shell.mkBashIntegrationOption { inherit config; };
enableZshIntegration = lib.hm.shell.mkZshIntegrationOption { inherit config; }; enableZshIntegration = lib.hm.shell.mkZshIntegrationOption { inherit config; };
@@ -101,6 +112,10 @@ in
lib.optionalString ( lib.optionalString (
cfg.defaultMaximumIdentityLifetime != null cfg.defaultMaximumIdentityLifetime != null
) " -t ${toString cfg.defaultMaximumIdentityLifetime}" ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
}${
lib.optionalString (
cfg.pkcs11Whitelist != [ ]
) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
}"; }";
}; };
@@ -114,6 +129,10 @@ in
lib.optionalString ( lib.optionalString (
cfg.defaultMaximumIdentityLifetime != null cfg.defaultMaximumIdentityLifetime != null
) " -t ${toString cfg.defaultMaximumIdentityLifetime}" ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
}${
lib.optionalString (
cfg.pkcs11Whitelist != [ ]
) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
}'' }''
]; ];
KeepAlive = { KeepAlive = {
@@ -124,7 +143,5 @@ in
RunAtLoad = true; RunAtLoad = true;
}; };
}; };
}; };
} }

1
tests/modules/services/ssh-agent/darwin/default.nix
View File

@@ -1,6 +1,7 @@
{ {
ssh-agent-darwin-basic-service = ./basic-service.nix; ssh-agent-darwin-basic-service = ./basic-service.nix;
ssh-agent-darwin-timeout-service = ./timeout-service.nix; ssh-agent-darwin-timeout-service = ./timeout-service.nix;
ssh-agent-darwin-pkcs11-service = ./pkcs11-service.nix;
ssh-agent-darwin-bash-integration = ./bash-integration.nix; ssh-agent-darwin-bash-integration = ./bash-integration.nix;
ssh-agent-darwin-nushell-integration = ./nushell-integration.nix; ssh-agent-darwin-nushell-integration = ./nushell-integration.nix;
} }

25
tests/modules/services/ssh-agent/darwin/pkcs11-service-expected.plist Normal file
View File

@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<dict>
<key>Crashed</key>
<true/>
<key>SuccessfulExit</key>
<false/>
</dict>
<key>Label</key>
<string>org.nix-community.home.ssh-agent</string>
<key>ProcessType</key>
<string>Background</string>
<key>ProgramArguments</key>
<array>
<string>@bash-interactive@/bin/bash</string>
<string>-c</string>
<string>@openssh@/bin/ssh-agent -D -a &quot;$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent&quot; -P &apos;/usr/lib/libpkcs11.so,/usr/lib/other.so&apos;</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

21
tests/modules/services/ssh-agent/darwin/pkcs11-service.nix Normal file
View File

@@ -0,0 +1,21 @@
{
config,
...
}:
{
services.ssh-agent = {
enable = true;
pkcs11Whitelist = [
"/usr/lib/libpkcs11.so"
"/usr/lib/other.so"
];
package = config.lib.test.mkStubPackage { outPath = "@openssh@"; };
};
nmt.script = ''
assertFileContent \
LaunchAgents/org.nix-community.home.ssh-agent.plist \
${./pkcs11-service-expected.plist}
'';
}

1
tests/modules/services/ssh-agent/linux/default.nix
View File

@@ -1,4 +1,5 @@
{ {
ssh-agent-basic-service = ./basic-service.nix; ssh-agent-basic-service = ./basic-service.nix;
ssh-agent-timeout-service = ./timeout-service.nix; ssh-agent-timeout-service = ./timeout-service.nix;
ssh-agent-pkcs11-service = ./pkcs11-service.nix;
} }

9
tests/modules/services/ssh-agent/linux/pkcs11-service-expected.service Normal file
View File

@@ -0,0 +1,9 @@
[Install]
WantedBy=default.target
[Service]
ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -P '/nix/store/*/lib,/usr/lib/libpkcs11.so,/usr/lib/other.so'
[Unit]
Description=SSH authentication agent
Documentation=man:ssh-agent(1)

16
tests/modules/services/ssh-agent/linux/pkcs11-service.nix Normal file
View File

@@ -0,0 +1,16 @@
{
services.ssh-agent = {
enable = true;
pkcs11Whitelist = [
"/nix/store/*/lib"
"/usr/lib/libpkcs11.so"
"/usr/lib/other.so"
];
};
nmt.script = ''
assertFileContent \
home-files/.config/systemd/user/ssh-agent.service \
${./pkcs11-service-expected.service}
'';
}