| 6 Mar 2025 |
 gdamjan | for the client side (ssh client, but actually VM host), you need the systemd-ssh-proxy executable and some ssh config magic (shipped with systemd) | 19:43:14 |
 ElvishJerricco | i'm so confused | 19:43:53 |
| gdamjan | ah, and also the generator needs to find that sshd is "installed" | 19:44:29 |
| gdamjan | not sure, but didn't the kernel automatically load socket modules ? | 19:44:44 |
| ElvishJerricco | ok so we have a .socket unit, which depends on a vsock, and we're hoping the kernel auto-loads the module? | 19:45:48 |
| ElvishJerricco | (really, the .socket unit should just depend on modprobe@whatever-the-vsock-module-is-called.service) | 19:46:32 |
| gdamjan | considering I haven't configured any vsock module to be loaded explicitly, and yet they are :) | 19:46:43 |
| ElvishJerricco | $ git grep vsock | wc -l
220
jfc
| 19:47:42 |
| ElvishJerricco | * $ cd systemd
$ git grep vsock | wc -l
220
jfc
| 19:47:56 |
| gdamjan | the generator does seem to check that the system is a guest | 19:48:46 |
| ElvishJerricco | ok so we've got some kind of option here | 19:49:10 |
| ElvishJerricco | do we need the ssh generator? | 19:49:32 |
| ElvishJerricco | * gdamjan: do we need the ssh generator? | 19:49:39 |
| gdamjan | in theory you can just add a static unit for vsock, right? | 19:49:58 |
| ElvishJerricco | I don't understand | 19:50:11 |
| ElvishJerricco | I thought we just don't need anything? | 19:50:31 |
| gdamjan | how do you mean? :D | 19:50:56 |
| gdamjan | sshd will not natively listen on vsock, so you need "something" | 19:51:09 |
| gdamjan | # /run/systemd/generator/sshd-vsock.socket
# Automatically generated by systemd-ssh-generator
[Unit]
Description=OpenSSH Server Socket (systemd-ssh-generator, AF_VSOCK)
Documentation=man:systemd-ssh-generator(8)
Wants=ssh-access.target
Before=ssh-access.target
[Socket]
ListenStream=vsock::22
Accept=yes
PollLimitIntervalSec=30s
PollLimitBurst=50
| 19:51:17 |
| gdamjan | this is the generated .socket unit ^ | 19:51:26 |
 raitobezarius | In reply to @arianvp:matrix.org
Not 100% sure. Raito will know there's a generator thingie | 19:51:56 |
| gdamjan | and the service
# /run/systemd/generator/sshd-generated@.service
# Automatically generated by systemd-ssh-generator
[Unit]
Description=OpenSSH Per-Connection Server Daemon
Documentation=man:systemd-ssh-generator(8) man:sshd(8)
[Service]
ExecStart=-/usr/bin/sshd -i -o "AuthorizedKeysFile ${CREDENTIALS_DIRECTORY}/ssh.ephemeral-authorized_keys-all .ssh>
StandardInput=socket
ImportCredential=ssh.ephemeral-authorized_keys-all
| 19:52:04 |
| raitobezarius | i can pull you my patch again if you need it | 19:52:06 |
 Arian | I mean is vsock available without a kernel module | 19:52:18 |
| raitobezarius | yes | 19:52:21 |
| raitobezarius | vsock is always available in the kernel | 19:52:24 |
| raitobezarius | it's a native AF_ | 19:52:28 |
| Arian | Yeh I think many cases what generators do conflicts with what nixos module system does | 19:52:30 |
| Arian | And sometimes makes sense to just generate units at NixOS level instead | 19:52:44 |
| raitobezarius | From 8d29f82f74491c0e929d7518747d91651fc6e821 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <masterancpp@gmail.com>
Date: Sun, 1 Dec 2024 21:23:06 +0100
Subject: [PATCH] nixos/programs/ssh: support connection to a AF_VSOCK/AF_UNIX
upon demand
Since systemd 256, it's possible to connect to VMs and containers
without using any classical IP networking.
Rather, we can leverage modern AF_VSOCK (for virtual machine
communications) or classical AF_UNIX (for containers).
See
https://www.freedesktop.org/software/systemd/man/256/systemd-ssh-proxy.html
for more documentation.
Change-Id: I2e06a6ebb6d0f34c9cfd69d6dc2aef983b47ed6f
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
---
nixos/modules/programs/ssh.nix | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index f2ef248d7866..55c2f4d248a0 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -26,6 +26,22 @@ let
knownHostsFiles = [ "/etc/ssh/ssh_known_hosts" ]
++ builtins.map pkgs.copyPathToStore cfg.knownHostsFiles;
+ # Taken from https://www.freedesktop.org/software/systemd/man/256/systemd-ssh-proxy.html
+ sshSystemdProxyConfig = ''
+ # AF_VSOCK / AF_UNIX support for SSH
+ # Built for VMs / containers access without going via the classical networking stack.
+ Host unix/* vsock/*
+ ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy %h %p
+ ProxyUseFdpass yes
+ CheckHostIP no
+
+ # Local host SSH without classical networking
+ Host .host
+ ProxyCommand ${config.systemd.package}/lib/systemd/systemd-ssh-proxy unix/run/ssh-unix-local/socket %p
+ ProxyUseFdpass yes
+ CheckHostIP no
+ '';
+
in
{
###### interface
@@ -33,6 +49,18 @@ in
options = {
programs.ssh = {
+ enableSystemdSshProxySupport = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to configure `ssh` so that it's possible to perform:
+ - `ssh vsock/<cid>`
+ - `ssh unix/a/path/to/some/container/unix/socket`
+ - `ssh some_name.host` to connect to the local host without involving networking
+
+ See https://www.freedesktop.org/software/systemd/man/256/systemd-ssh-proxy.html for details.
+ '';
+ };
enableAskPassword = lib.mkOption {
type = lib.types.bool;
@@ -295,6 +323,7 @@ in
Host *
GlobalKnownHostsFile ${builtins.concatStringsSep " " knownHostsFiles}
+ ${lib.optionalString (cfg.enableSystemdSshProxySupport) sshSystemdProxyConfig}
${lib.optionalString (!config.networking.enableIPv6) "AddressFamily inet"}
${lib.optionalString cfg.setXAuthLocation "XAuthLocation ${pkgs.xorg.xauth}/bin/xauth"}
${lib.optionalString (cfg.forwardX11 != null) "ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}"}
--
2.47.0
this is almost all what you need IIRC | 19:53:09 |
