From patchwork Thu Apr 20 11:30:24 2023
X-Patchwork-Submitter: Saku Laesvuori
X-Patchwork-Id: 49318
Subject: [bug#62966] [PATCH 1/2] home: services: openssh: Add configuration option for jump proxies
From: Saku Laesvuori
To: 62966@debbugs.gnu.org
Cc: Saku Laesvuori
Date: Thu, 20 Apr 2023 14:30:24 +0300
Message-Id: <20230420113024.7999-1-saku@laesvuori.fi>
X-Mailer: git-send-email 2.39.2

Add a new 'proxy' field to openssh-host to allow ProxyCommand or
ProxyJump, but not both, to be configured. Configuring both would cause
the serialization order to determine which one is used.

Deprecate the 'proxy-command' field because the 'proxy' field replaces it.

* gnu/home/services/ssh.scm (proxy-jump->string,
proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
sanitize-proxy-command): New procedures.
(proxy-jump, proxy-command): New record types.
(openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
can't have ProxyCommand and ProxyJump configured at the same time.
* doc/guix.texi (Secure Shell): Update to match the changes to the
service.
---
 doc/guix.texi             | 29 ++++++++++++++---
 gnu/home/services/ssh.scm | 65 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 89 insertions(+), 5 deletions(-)

base-commit: a9f4b6ecd00112ae4fb04dfbe0f9cc86b042dbc5

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..da25bba770 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42618,10 +42618,31 @@ machine. @item @code{compression?} (default: @code{#f}) (type: boolean) Whether to compress data in transit. -@item @code{proxy-command} (type: maybe-string) -The command to use to connect to the server. As an example, a command -to connect via an HTTP proxy at 192.0.2.0 would be: @code{"nc -X connect --x 192.0.2.0:8080 %h %p"}. +@item @code{proxy} (type: maybe-proxy-command-or-jump-list) +The command to use to connect to the server or a list of SSH hosts to +jump through before connecting to the server. The field may be set to either a +@code{proxy-command} or a list of @code{proxy-jump} records. + +As an example, a @code{proxy-command} to connect via an HTTP proxy at 192.0.2.0 +would be constructed with: @code{(proxy-command "nc -X connect -x +192.0.2.0:8080 %h %p")}. + +@deftp {Data Type} proxy-jump +Available @code{proxy-jump} fields are: + +@table @asis +@item @code{user} (type: maybe-string) +User name on the remote host. + +@item @code{host-name} (type: string) +Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}. + +@item @code{port} (type: maybe-natural-number) +TCP port number to connect to. + +@end table + +@end deftp @item @code{host-key-algorithms} (type: maybe-string-list) The list of accepted host key algorithms---e.g., diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm index 01917a29cd..6aeb6ad5a7 100644 --- a/gnu/home/services/ssh.scm +++ b/gnu/home/services/ssh.scm @@ -20,6 +20,7 @@ (define-module (gnu home services ssh) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix deprecation) #:use-module (guix diagnostics) #:use-module (guix i18n) #:use-module (gnu services) 
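Review bot: the new @deftp {Data Type} proxy-jump block in the doc/guix.texi hunk is opened between two @item entries of the openssh-host field table, so its nested @table ... @end table and @deftp ... @end deftp end up inside the enclosing table; move the proxy-jump @deftp to after the openssh-host table closes and let the @code{proxy} item just refer to it. Two smaller points on the same hunk: it removes the @code{proxy-command} item entirely even though the code keeps that field as deprecated, so a one-line note that proxy-command still works but is deprecated in favour of proxy would help a reader of the manual; and the host-name examples here are written @code{foo.example.org} while the openssh-host host-name item in the same section writes them as Scheme strings, @code{"foo.example.org"}, so pick one style.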
@@ -32,6 +33,8 @@ (define-module (gnu home services ssh) #:autoload (gnu packages base) (glibc-utf8-locales) #:use-module (gnu packages ssh) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-9) + #:use-module (srfi srfi-9 gnu) #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) #:use-module (ice-9 match) @@ -55,6 +58,12 @@ (define-module (gnu home services ssh) openssh-host-host-key-algorithms openssh-host-accepted-key-types openssh-host-extra-content + proxy-jump + proxy-jump-host-name + proxy-jump-port + proxy-jump-user + proxy-command + proxy-command->string home-openssh-service-type home-ssh-agent-service-type)) 
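Review bot: the export list in the @@ -55 hunk exposes the proxy-jump and proxy-command constructors and accessors but not the predicates proxy-jump? and proxy-command? that this patch defines (proxy-command? explicitly, proxy-jump? via define-configuration/no-serialization), nor proxy-command-or-jump-list?; a user who wants to inspect an openssh-host's proxy value from their own code will need them, so add proxy-jump?, proxy-command? and proxy-command-or-jump-list? to the exports.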
@@ -114,6 +123,54 @@ (define (serialize-string-list field lst) (define-maybe string-list) +(define-record-type + (proxy-command command) + proxy-command? + (command proxy-command->string)) + +(set-record-type-printer! + (lambda (obj port) + (format port "#" (proxy-command->string obj)))) + +(define-configuration/no-serialization proxy-jump + (user + maybe-string + "User name on the remote host.") + (host-name + (string) + "Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.") + (port + maybe-natural-number + "TCP port number to connect to.")) + +(define (proxy-jump->string proxy-jump) + (match-record proxy-jump + (host-name user port) + (string-append + (if (maybe-value-set? user) (string-append user "@") "") + host-name + (if (maybe-value-set? port) (string-append ":" (number->string port)) "")))) + +(define (proxy-command-or-jump-list? x) + (or (proxy-command? x) + (and (list? x) + (every proxy-jump? x)))) + +(define (serialize-proxy-command-or-jump-list field value) + (if (proxy-command? value) + (serialize-string 'proxy-command (proxy-command->string value)) + (serialize-string-list 'proxy-jump (map proxy-jump->string value)))) + +(define-maybe proxy-command-or-jump-list) + +(define (sanitize-proxy-command properties) + (lambda (value) + (when (maybe-value-set? value) + (warn-about-deprecation 'proxy-command properties #:replacement 'proxy)) + (unless (maybe-string? value) + (configuration-field-error (source-properties->location properties) 'proxy-command value)) + value)) + (define-configuration openssh-host (name (string) 
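Review bot: proxy-jump->string in this hunk concatenates user, host-name and port straight into the ProxyJump token without checking them, and the proxy-jump field definitions only check the Scheme types (string, natural number); a host-name containing whitespace or a comma, or a user containing "@" or ":", silently yields a malformed or differently parsed ProxyJump line in the generated ssh config. Reject such values with a configuration-field-error, in a sanitizer on the proxy-jump fields or in proxy-jump->string itself, the way sanitize-proxy-command below already does for its field. Also confirm that serialize-string-list joins its elements with "," since ProxyJump expects a comma-separated list; the context line shows the helper is reused from the existing string-list serializer, which the maybe-string-list fields such as host-key-algorithms go through, so it probably does, but its body is not in this hunk. Finally, as rendered here the define-record-type form has no type-name argument between define-record-type and the (proxy-command command) constructor spec, and the format string in set-record-type-printer! is just "#" with no directive; if the angle-bracketed type name and "~a" are present in the real patch and were only eaten by the archive, ignore this, otherwise it will not compile.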
@@ -155,7 +212,13 @@ (define-configuration openssh-host maybe-string "The command to use to connect to the server. As an example, a command to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X -connect -x 192.0.2.0:8080 %h %p\"}.") +connect -x 192.0.2.0:8080 %h %p\"}. Using 'proxy-command' is deprecated, use +'proxy' instead." + (sanitizer (sanitize-proxy-command (current-source-location)))) + (proxy + maybe-proxy-command-or-jump-list + "The command to use to connect to the server or a list of SSH hosts to jump +through before connecting to the server.") (host-key-algorithms maybe-string-list "The list of accepted host key algorithms---e.g.,
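Review bot: nothing in this hunk stops a user from setting both the deprecated proxy-command field and the new proxy field; sanitize-proxy-command only warns about the deprecation and type-checks the string, it sees only its own value, and both fields still serialize, so an openssh-host with proxy-command set and proxy set to a list of proxy-jump records emits both a ProxyCommand and a ProxyJump line, which is exactly the "serialization order decides which one is used" situation the commit message says the new field is meant to rule out. Either reject the combination with a check over the whole openssh-host record at serialization time (the per-field sanitizer cannot do it), or, simpler, have the deprecated field's value folded into proxy as a (proxy-command ...) record so that only one of the two ever reaches the serializer, and error if proxy is already set. Minor: the added docstring text "Using 'proxy-command' is deprecated, use 'proxy' instead." is a comma splice; write "...is deprecated; use 'proxy' instead."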
From patchwork Thu Apr 20 11:32:12 2023
X-Patchwork-Submitter: Saku Laesvuori
X-Patchwork-Id: 49319
Subject: [bug#62966] [PATCH 2/2] doc: Update openssh-host documentation.
From: Saku Laesvuori
To: 62966@debbugs.gnu.org
Cc: Saku Laesvuori
Date: Thu, 20 Apr 2023 14:32:12 +0300
Message-Id: <20230420113212.11941-1-saku@laesvuori.fi>
References: <20230420113024.7999-1-saku@laesvuori.fi>
In-Reply-To: <20230420113024.7999-1-saku@laesvuori.fi>
X-Mailer: git-send-email 2.39.2

* doc/guix.texi (Secure Shell): Update openssh-host documentation to
match the code.
---
 doc/guix.texi | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index da25bba770..10e2acc434 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42589,10 +42589,10 @@ Name of this host declaration. @item @code{host-name} (type: maybe-string) Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}. -@item @code{address-family} (type: address-family) +@item @code{address-family} (type: maybe-address-family) Address family to use when connecting to this host: one of -@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or -@code{*unspecified*} (allowing any address family). +@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only). +Additionally, the field can be left unset to allow any address family. @item @code{identity-file} (type: maybe-string) The identity file to use---e.g., @code{"/home/charlie/.ssh/id_ed25519"}.
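Review bot: the rewritten address-family sentence in this hunk now reads "one of @code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only)." with the conjunction lost when the third alternative was removed; write "one of @code{AF_INET} (for IPv4 only) or @code{AF_INET6} (for IPv6 only)." and open the next sentence with "Alternatively" rather than "Additionally", since leaving the field unset is an alternative to those two values, not something added on top of them. Also, this patch touches only the manual while changing the stated type to maybe-address-family; the commit message says this matches the code, but the diff does not show gnu/home/services/ssh.scm, so please confirm the field is really declared with that maybe type there (and that an unset value is actually omitted from the generated config rather than serialized as *unspecified*).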