From mboxrd@z Thu Jan 1 00:00:00 1970
From: Saku Laesvuori <saku@laesvuori.fi>
To: 62966@debbugs.gnu.org
Cc: Saku Laesvuori <saku@laesvuori.fi>
Subject: [bug#62966] [PATCH 1/2] home: services: openssh: Add configuration option for jump proxies
Date: Thu, 20 Apr 2023 14:30:24 +0300
Message-Id: <20230420113024.7999-1-saku@laesvuori.fi>
X-Mailer: git-send-email 2.39.2

Add a new 'proxy' field to openssh-host to allow ProxyCommand or ProxyJump,
but not both, to be configured. Configuring both would cause the
serialization order to determine which one is used. Deprecate the
'proxy-command' field because the 'proxy' field replaces it.

* gnu/home/services/ssh.scm (proxy-jump->string,
proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
sanitize-proxy-command): New procedure.
(proxy-jump, proxy-command): New record type.
(openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
can't have ProxyCommand and ProxyJump configured at the same time.
* doc/guix.texi (Secure Shell): Update to match the changes to the
service.
---
 doc/guix.texi             | 29 ++++++++++++++---
 gnu/home/services/ssh.scm | 65 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..da25bba770 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42618,10 +42618,31 @@ machine. @item @code{compression?} (default: @code{#f}) (type: boolean) Whether to compress data in transit. -@item @code{proxy-command} (type: maybe-string) -The command to use to connect to the server. As an example, a command -to connect via an HTTP proxy at 192.0.2.0 would be: @code{"nc -X connect --x 192.0.2.0:8080 %h %p"}. +@item @code{proxy} (type: maybe-proxy-command-or-jump-list) +The command to use to connect to the server or a list of SSH hosts to +jump through before connecting to the server. The field may be set to either a +@code{proxy-command} or a list of @code{proxy-jump} records. + +As an example, a @code{proxy-command} to connect via an HTTP proxy at 192.0.2.0 +would be constructed with: @code{(proxy-command "nc -X connect -x +192.0.2.0:8080 %h %p")}. + +@deftp {Data Type} proxy-jump +Available @code{proxy-jump} fields are: + +@table @asis +@item @code{user} (type: maybe-string) +User name on the remote host. + +@item @code{host-name} (type: string) +Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}. + +@item @code{port} (type: maybe-natural-number) +TCP port number to connect to. + +@end table + +@end deftp @item @code{host-key-algorithms} (type: maybe-string-list) The list of accepted host key algorithms---e.g., diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm index 01917a29cd..6aeb6ad5a7 100644 --- a/gnu/home/services/ssh.scm +++ b/gnu/home/services/ssh.scm @@ -20,6 +20,7 @@ (define-module (gnu home services ssh) #:use-module (guix gexp) #:use-module (guix records) + #:use-module (guix deprecation) #:use-module (guix diagnostics) #:use-module (guix i18n) #:use-module (gnu services) 
@@ -32,6 +33,8 @@ (define-module (gnu home services ssh) #:autoload (gnu packages base) (glibc-utf8-locales) #:use-module (gnu packages ssh) #:use-module (srfi srfi-1) + #:use-module (srfi srfi-9) + #:use-module (srfi srfi-9 gnu) #:use-module (srfi srfi-34) #:use-module (srfi srfi-35) #:use-module (ice-9 match) @@ -55,6 +58,12 @@ (define-module (gnu home services ssh) openssh-host-host-key-algorithms openssh-host-accepted-key-types openssh-host-extra-content + proxy-jump + proxy-jump-host-name + proxy-jump-port + proxy-jump-user + proxy-command + proxy-command->string home-openssh-service-type home-ssh-agent-service-type)) 
@@ -114,6 +123,54 @@ (define (serialize-string-list field lst) (define-maybe string-list) +(define-record-type + (proxy-command command) + proxy-command? + (command proxy-command->string)) + +(set-record-type-printer! + (lambda (obj port) + (format port "#" (proxy-command->string obj)))) + +(define-configuration/no-serialization proxy-jump + (user + maybe-string + "User name on the remote host.") + (host-name + (string) + "Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.") + (port + maybe-natural-number + "TCP port number to connect to.")) + +(define (proxy-jump->string proxy-jump) + (match-record proxy-jump + (host-name user port) + (string-append + (if (maybe-value-set? user) (string-append user "@") "") + host-name + (if (maybe-value-set? port) (string-append ":" (number->string port)) "")))) + +(define (proxy-command-or-jump-list? x) + (or (proxy-command? x) + (and (list? x) + (every proxy-jump? x)))) + +(define (serialize-proxy-command-or-jump-list field value) + (if (proxy-command? value) + (serialize-string 'proxy-command (proxy-command->string value)) + (serialize-string-list 'proxy-jump (map proxy-jump->string value)))) + +(define-maybe proxy-command-or-jump-list) + +(define (sanitize-proxy-command properties) + (lambda (value) + (when (maybe-value-set? value) + (warn-about-deprecation 'proxy-command properties #:replacement 'proxy)) + (unless (maybe-string? value) + (configuration-field-error (source-properties->location properties) 'proxy-command value)) + value)) + (define-configuration openssh-host (name (string) 
@@ -155,7 +212,13 @@ (define-configuration openssh-host maybe-string "The command to use to connect to the server. As an example, a command to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X -connect -x 192.0.2.0:8080 %h %p\"}.") +connect -x 192.0.2.0:8080 %h %p\"}. Using 'proxy-command' is deprecated, use +'proxy' instead." + (sanitizer (sanitize-proxy-command (current-source-location)))) + (proxy + maybe-proxy-command-or-jump-list + "The command to use to connect to the server or a list of SSH hosts to jump +through before connecting to the server.") (host-key-algorithms maybe-string-list "The list of accepted host key algorithms---e.g., base-commit: a9f4b6ecd00112ae4fb04dfbe0f9cc86b042dbc5 -- 2.39.2
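Review bot: in the doc/guix.texi hunk the new @code{proxy} item drops every mention of @code{proxy-command}, yet that field stays in openssh-host (deprecated, per the last ssh.scm hunk); the manual should say so, and should warn that setting both @code{proxy-command} and @code{proxy} emits both a ProxyCommand and a ProxyJump line, which is exactly the ordering ambiguity the commit message sets out to remove. The hunk also shows only the proxy-command form of the example; a list form such as `(list (proxy-jump (host-name "bastion.example.org") (user "alice")))` (hosts chosen here only for illustration) would show readers the ProxyJump path, which is the safer default where it fits because it lets ssh connect through the jump host itself instead of running an external command.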
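Review bot: in the export hunk (@@ -55,6 +58,12) the list adds the proxy-jump accessors and proxy-command->string but not the predicates proxy-jump? and proxy-command?, so user code cannot test a value before handing it to the proxy field; export them alongside. Also, proxy-command->string is the srfi-9 field accessor for the command slot, so the name reads as a conversion; a name matching the proxy-jump-* accessors, or a docstring saying it returns the raw command string, would be clearer.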
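Review bot: in the record hunk (@@ -114,6 +123,54) proxy-command-or-jump-list? accepts the empty list, since (every proxy-jump? '()) is #t, so (proxy '()) passes validation and serialize-proxy-command-or-jump-list then emits a ProxyJump line with no hosts; require a non-empty list in the predicate or treat '() as unset. Two more checks on this hunk: serialize-string-list must join with commas, because OpenSSH's ProxyJump takes a comma-separated [user@]host[:port] list, and as the patch renders here the record-type name and the printer's format string are missing (define-record-type is followed directly by the constructor spec, and format is given only "#"), which looks like angle brackets eaten by the archive; please confirm that the type name and a format string such as "#<proxy-command ~s>" are present in the submitted file.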
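Review bot: in the openssh-host hunk (@@ -155,7 +212,13) nothing rejects a configuration that sets both the deprecated proxy-command and the new proxy field, so both serialize and the ProxyCommand/ProxyJump ordering ambiguity the commit message wants to remove survives for the whole deprecation period; add a check in openssh-host (in the sanitizer, or at serialization time) that raises a configuration error when both are set. The proxy docstring here also lags the manual: the guix.texi hunk says the value is either a proxy-command or a list of proxy-jump records and gives an example, while the docstring only says "a list of SSH hosts to jump through"; keep the two in sync.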