ssh: remove unused SSH_EXTRA_KNOWN_HOSTS env hook

2025-07-02 07:37:08 +00:00
parent 558e9edc4b
commit 728e97b122


@@ -65,31 +65,31 @@ in
# the `bunpen` and `bwrap` user namespace sandboxes map root -> nobody, so openssh fails the check. # the `bunpen` and `bwrap` user namespace sandboxes map root -> nobody, so openssh fails the check.
# by avoiding the include, we hack around this limitation. # by avoiding the include, we hack around this limitation.
systemd-ssh-proxy.enable = false; systemd-ssh-proxy.enable = false;
extraConfig = let # extraConfig = let
SSH_EXTRA_KNOWN_HOSTS = pkgs.writeCBin "print-SSH_EXTRA_KNOWN_HOSTS" '' # SSH_EXTRA_KNOWN_HOSTS = pkgs.writeCBin "print-SSH_EXTRA_KNOWN_HOSTS" ''
#define _GNU_SOURCE # #define _GNU_SOURCE
#include <stdio.h> # #include <stdio.h>
#include <unistd.h> # #include <unistd.h>
int main (int argc, char **argv) { # int main (int argc, char **argv) {
for (char **env = environ; *env; ++env) { # for (char **env = environ; *env; ++env) {
char *ep = *env; # char *ep = *env;
char *ap = "SSH_EXTRA_KNOWN_HOSTS"; # char *ap = "SSH_EXTRA_KNOWN_HOSTS";
while (*ep != '\0' && *ap != '\0' && *ep++ == *ap++) { # while (*ep != '\0' && *ap != '\0' && *ep++ == *ap++) {
if (*ep == '=' && *ap == '\0') { # if (*ep == '=' && *ap == '\0') {
printf ("%s\n", ep + 1); # printf ("%s\n", ep + 1);
} # }
} # }
} # }
return 0; # return 0;
} # }
''; # '';
in '' # in ''
# allow injecting ephemeral known_hosts by setting/appending this env var # # allow injecting ephemeral known_hosts by setting/appending this env var
# e.g. `SSH_EXTRA_KNOWN_HOSTS="$(ssh-keyscan FOO)" ssh FOO` # # e.g. `SSH_EXTRA_KNOWN_HOSTS="$(ssh-keyscan FOO)" ssh FOO`
# XXX: this is done in system-wide ssh config because otherwise user-namespaced ssh complains about # # XXX: this is done in system-wide ssh config because otherwise user-namespaced ssh complains about
# ~/.ssh/config being owned by the wrong user. # # ~/.ssh/config being owned by the wrong user.
# it's a custom binary instead of `printenv SSH_EXTRA_KNOWN_HOSTS` so as to make the env var optional. # # it's a custom binary instead of `printenv SSH_EXTRA_KNOWN_HOSTS` so as to make the env var optional.
KnownHostsCommand ${lib.getExe SSH_EXTRA_KNOWN_HOSTS} # KnownHostsCommand ${lib.getExe SSH_EXTRA_KNOWN_HOSTS}
''; # '';
}; };
} }
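Review bot: The hook is commented out rather than removed, so the `#`-prefixed copy (taken here to be the new side, matching the commit title) leaves roughly 26 lines of dead Nix plus an embedded C program in a system-wide ssh config; git history already preserves it, so deleting the whole `extraConfig = let … in '' … '';` block would be cleaner. Leaving the commented block also leaves an easy path to re-enable an env-var-driven `KnownHostsCommand`, which the old comments at lines 33-37 note applies system-wide, so removing it outright better matches the "remove" intent. If the option should stay discoverable, a single line such as `# SSH_EXTRA_KNOWN_HOSTS injection hook removed in 728e97b122; see history if it is needed again` is enough. The enclosing attribute set that holds `systemd-ssh-proxy.enable` begins outside the hunk.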