Next: Desktop Home Services, Previous: Managing User Daemons, Up: Home Services [Contents][Index]
The OpenSSH package includes a client, the
ssh
command, that allows you to connect to remote machines using
the SSH (secure shell) protocol. With the (gnu home services
ssh)
module, you can set up OpenSSH so that it works in a predictable
fashion, almost independently of state on the local machine. To do that,
you instantiate home-openssh-service-type
in your Home configuration,
as explained below.
This is the type of the service to set up the OpenSSH client. It takes care of several things:
ssh
knows about hosts you regularly connect to and their
associated parameters;
sshd
, may accept to connect to this user
account;
Here is an example of a service and its configuration that you could add to
the services
field of your home-environment
:
(service home-openssh-service-type
(home-openssh-configuration
(hosts
(list (openssh-host (name "ci.guix.gnu.org")
(user "charlie"))
(openssh-host (name "chbouib")
(host-name "chbouib.example.org")
(user "supercharlie")
(port 10022))))
(authorized-keys (list (local-file "alice.pub")))))
The example above lists two hosts and their parameters. For instance,
running ssh chbouib
will automatically connect to
chbouib.example.org
on port 10022, logging in as user
‘supercharlie’. Further, it marks the public key in alice.pub
as authorized for incoming connections.
The value associated with a home-openssh-service-type
instance must
be a home-openssh-configuration
record, as describe below.
This is the datatype representing the OpenSSH client and server configuration in one’s home environment. It contains the following fields:
hosts
(default: '()
)A list of openssh-host
records specifying host names and associated
connection parameters (see below). This host list goes into
~/.ssh/config, which ssh
reads at startup.
known-hosts
(default: *unspecified*
)This must be either:
*unspecified*
, in which case home-openssh-service-type
leaves
it up to ssh
and to the user to maintain the list of known hosts
at ~/.ssh/known_hosts, or
The ~/.ssh/known_hosts contains a list of host name/host key pairs
that allow ssh
to authenticate hosts you connect to and to detect
possible impersonation attacks. By default, ssh
updates it in a
TOFU, trust-on-first-use fashion, meaning that it records the host’s
key in that file the first time you connect to it. This behavior is
preserved when known-hosts
is set to *unspecified*
.
If you instead provide a list of host keys upfront in the known-hosts
field, your configuration becomes self-contained and stateless: it can be
replicated elsewhere or at another point in time. Preparing this list can
be relatively tedious though, which is why *unspecified*
is kept as a
default.
authorized-keys
(default: '()
)This must be a list of file-like objects, each of which containing an SSH public key that should be authorized to connect to this machine.
Concretely, these files are concatenated and made available as
~/.ssh/authorized_keys. If an OpenSSH server, sshd
, is
running on this machine, then it may take this file into account:
this is what sshd
does by default, but be aware that it can also
be configured to ignore it.
Available openssh-host
fields are:
name
(type: string)Name of this host declaration.
host-name
(type: maybe-string)Host name—e.g., "foo.example.org"
or "192.168.1.2"
.
address-family
(type: address-family)Address family to use when connecting to this host: one of AF_INET
(for IPv4 only), AF_INET6
(for IPv6 only), or *unspecified*
(allowing any address family).
identity-file
(type: maybe-string)The identity file to use—e.g., "/home/charlie/.ssh/id_ed25519"
.
port
(type: maybe-natural-number)TCP port number to connect to.
user
(type: maybe-string)User name on the remote host.
forward-x11?
(default: #f
) (type: boolean)Whether to forward remote client connections to the local X11 graphical display.
forward-x11-trusted?
(default: #f
) (type: boolean)Whether remote X11 clients have full access to the original X11 graphical display.
forward-agent?
(default: #f
) (type: boolean)Whether the authentication agent (if any) is forwarded to the remote machine.
compression?
(default: #f
) (type: boolean)Whether to compress data in transit.
proxy-command
(type: maybe-string)The command to use to connect to the server. As an example, a command to
connect via an HTTP proxy at 192.0.2.0 would be: "nc -X connect -x
192.0.2.0:8080 %h %p"
.
host-key-algorithms
(type: maybe-string-list)The list of accepted host key algorithms—e.g., '("ssh-ed25519")
.
accepted-key-types
(type: maybe-string-list)The list of accepted user public key types.
extra-content
(default: ""
) (type: raw-configuration-string)Extra content appended as-is to this Host
block in
~/.ssh/config.
Next: Desktop Home Services, Previous: Managing User Daemons, Up: Home Services [Contents][Index]