GNU bug report logs - #62966
[PATCH 1/2] home: services: openssh: Add configuration option for jump proxies
Reported by: Saku Laesvuori <saku <at> laesvuori.fi>
Date: Thu, 20 Apr 2023 11:31:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to guix-patches <at> gnu.org: bug#62966; Package guix-patches. (Thu, 20 Apr 2023 11:31:01 GMT)
Acknowledgement sent to Saku Laesvuori <saku <at> laesvuori.fi>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Thu, 20 Apr 2023 11:31:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Add a new 'proxy' field to openssh-host to allow ProxyCommand or
ProxyJump, but not both, to be configured. Configuring both would cause
the serialization order to determine which one is used. Deprecate the
'proxy-command' field because the 'proxy' field replaces it.
* gnu/home/services/ssh.scm (proxy-jump->string,
proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
sanitize-proxy-command): New procedures.
(proxy-jump, proxy-command): New record types.
(openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
can't have ProxyCommand and ProxyJump configured at the same time.
* doc/guix.texi (Secure Shell): Update to match the changes to the
service.
---
doc/guix.texi | 29 ++++++++++++++---
gnu/home/services/ssh.scm | 65 ++++++++++++++++++++++++++++++++++++++-
2 files changed, 89 insertions(+), 5 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index adb1975935..da25bba770 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42618,10 +42618,31 @@ machine.
@item @code{compression?} (default: @code{#f}) (type: boolean)
Whether to compress data in transit.
-@item @code{proxy-command} (type: maybe-string)
-The command to use to connect to the server. As an example, a command
-to connect via an HTTP proxy at 192.0.2.0 would be: @code{"nc -X connect
--x 192.0.2.0:8080 %h %p"}.
+@item @code{proxy} (type: maybe-proxy-command-or-jump-list)
+The command to use to connect to the server or a list of SSH hosts to
+jump through before connecting to the server. The field may be set to either a
+@code{proxy-command} or a list of @code{proxy-jump} records.
+
+As an example, a @code{proxy-command} to connect via an HTTP proxy at 192.0.2.0
+would be constructed with: @code{(proxy-command "nc -X connect -x
+192.0.2.0:8080 %h %p")}.
+
+@deftp {Data Type} proxy-jump
+Available @code{proxy-jump} fields are:
+
+@table @asis
+@item @code{user} (type: maybe-string)
+User name on the remote host.
+
+@item @code{host-name} (type: string)
+Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.
+
+@item @code{port} (type: maybe-natural-number)
+TCP port number to connect to.
+
+@end table
+
+@end deftp
@item @code{host-key-algorithms} (type: maybe-string-list)
The list of accepted host key algorithms---e.g.,
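Review bot: the `host-name` example in the new `@deftp proxy-jump` block writes `@code{foo.example.org} or @code{192.168.1.2}` without string quotes, while the `openssh-host` `host-name` entry in this same manual section (see the second patch in this thread) writes `@code{"foo.example.org"}`; since the field type is `string`, quote both examples so a reader copies a valid Scheme value. Removing the `proxy-command` item also leaves the manual with no mention of that field even though the code keeps it as a deprecated option, so a short sentence under `proxy` stating that `proxy-command` is deprecated and replaced by `proxy` would help users who hit the deprecation warning.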
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 01917a29cd..6aeb6ad5a7 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -20,6 +20,7 @@
(define-module (gnu home services ssh)
#:use-module (guix gexp)
#:use-module (guix records)
+ #:use-module (guix deprecation)
#:use-module (guix diagnostics)
#:use-module (guix i18n)
#:use-module (gnu services)
@@ -32,6 +33,8 @@ (define-module (gnu home services ssh)
#:autoload (gnu packages base) (glibc-utf8-locales)
#:use-module (gnu packages ssh)
#:use-module (srfi srfi-1)
+ #:use-module (srfi srfi-9)
+ #:use-module (srfi srfi-9 gnu)
#:use-module (srfi srfi-34)
#:use-module (srfi srfi-35)
#:use-module (ice-9 match)
@@ -55,6 +58,12 @@ (define-module (gnu home services ssh)
openssh-host-host-key-algorithms
openssh-host-accepted-key-types
openssh-host-extra-content
+ proxy-jump
+ proxy-jump-host-name
+ proxy-jump-port
+ proxy-jump-user
+ proxy-command
+ proxy-command->string
home-openssh-service-type
home-ssh-agent-service-type))
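Review bot: the export list adds `proxy-command->string` and the `proxy-jump` accessors but not the `proxy-command?` and `proxy-jump?` predicates; exporting the predicates as well lets user code and tests check a value before handing it to the `proxy` field and keeps the interface symmetric with the accessors.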
@@ -114,6 +123,54 @@ (define (serialize-string-list field lst)
(define-maybe string-list)
+(define-record-type <proxy-command>
+ (proxy-command command)
+ proxy-command?
+ (command proxy-command->string))
+
+(set-record-type-printer! <proxy-command>
+ (lambda (obj port)
+ (format port "#<proxy-command ~s>" (proxy-command->string obj))))
+
+(define-configuration/no-serialization proxy-jump
+ (user
+ maybe-string
+ "User name on the remote host.")
+ (host-name
+ (string)
+ "Host name---e.g., @code{foo.example.org} or @code{192.168.1.2}.")
+ (port
+ maybe-natural-number
+ "TCP port number to connect to."))
+
+(define (proxy-jump->string proxy-jump)
+ (match-record proxy-jump <proxy-jump>
+ (host-name user port)
+ (string-append
+ (if (maybe-value-set? user) (string-append user "@") "")
+ host-name
+ (if (maybe-value-set? port) (string-append ":" (number->string port)) ""))))
+
+(define (proxy-command-or-jump-list? x)
+ (or (proxy-command? x)
+ (and (list? x)
+ (every proxy-jump? x))))
+
+(define (serialize-proxy-command-or-jump-list field value)
+ (if (proxy-command? value)
+ (serialize-string 'proxy-command (proxy-command->string value))
+ (serialize-string-list 'proxy-jump (map proxy-jump->string value))))
+
+(define-maybe proxy-command-or-jump-list)
+
+(define (sanitize-proxy-command properties)
+ (lambda (value)
+ (when (maybe-value-set? value)
+ (warn-about-deprecation 'proxy-command properties #:replacement 'proxy))
+ (unless (maybe-string? value)
+ (configuration-field-error (source-properties->location properties) 'proxy-command value))
+ value))
+
(define-configuration openssh-host
(name
(string)
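Review bot: `proxy-command-or-jump-list?` accepts the empty list, because `(every proxy-jump? '())` is true, so `(proxy '())` passes validation and `serialize-proxy-command-or-jump-list` emits a `ProxyJump` line with no value; either reject `'()` in the predicate, e.g. `(and (pair? x) (list? x) (every proxy-jump? x))`, or have the serializer treat it as unset. Nothing in this hunk enforces the "but not both" rule from the commit message: `sanitize-proxy-command` only warns, so a host with both `proxy-command` and `proxy` set still serializes both and field order decides which one OpenSSH honors; a check over the whole `openssh-host` record that raises `configuration-field-error` when both are set would make the rule explicit. Finally, confirm that `serialize-string-list` (the context line at the top of the hunk) joins its entries with commas, since `ProxyJump` takes a comma-separated list of hosts and any other separator would not be read as a jump chain.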
@@ -155,7 +212,13 @@ (define-configuration openssh-host
maybe-string
"The command to use to connect to the server. As an example, a command
to connect via an HTTP proxy at 192.0.2.0 would be: @code{\"nc -X
-connect -x 192.0.2.0:8080 %h %p\"}.")
+connect -x 192.0.2.0:8080 %h %p\"}. Using 'proxy-command' is deprecated, use
+'proxy' instead."
+ (sanitizer (sanitize-proxy-command (current-source-location))))
+ (proxy
+ maybe-proxy-command-or-jump-list
+ "The command to use to connect to the server or a list of SSH hosts to jump
+through before connecting to the server.")
(host-key-algorithms
maybe-string-list
"The list of accepted host key algorithms---e.g.,
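Review bot: the `proxy` docstring is shorter than the text added to the manual for the same field in the first file of this patch (the manual additionally says the value is either a `proxy-command` or a list of `proxy-jump` records and gives the `nc` example); since the `(type: ...)` headers in that manual section come from these configuration docstrings (the follow-up patch in this thread exists precisely to re-sync them), put the extra sentences in the docstring so the next regeneration does not drop them. In the deprecation sentence, write `@code{proxy-command}` and `@code{proxy}` rather than `'proxy-command'` and `'proxy'` to match the Texinfo markup used in the rest of the docstring.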
base-commit: a9f4b6ecd00112ae4fb04dfbe0f9cc86b042dbc5
--
2.39.2
Information forwarded to guix-patches <at> gnu.org: bug#62966; Package guix-patches. (Thu, 20 Apr 2023 11:33:01 GMT)
Message #8 received at 62966 <at> debbugs.gnu.org:
* doc/guix.texi (Secure Shell): Update openssh-host documentation to
match the code.
---
doc/guix.texi | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index da25bba770..10e2acc434 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -42589,10 +42589,10 @@ Name of this host declaration.
@item @code{host-name} (type: maybe-string)
Host name---e.g., @code{"foo.example.org"} or @code{"192.168.1.2"}.
-@item @code{address-family} (type: address-family)
+@item @code{address-family} (type: maybe-address-family)
Address family to use when connecting to this host: one of
-@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only), or
-@code{*unspecified*} (allowing any address family).
+@code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only).
+Additionally, the field can be left unset to allow any address family.
@item @code{identity-file} (type: maybe-string)
The identity file to use---e.g., @code{"/home/charlie/.ssh/id_ed25519"}.
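Review bot: "one of @code{AF_INET} (for IPv4 only), @code{AF_INET6} (for IPv6 only)." lists two alternatives after "one of" with a comma and no "or", which reads as a truncated sentence; write "either @code{AF_INET} (for IPv4 only) or @code{AF_INET6} (for IPv6 only)" and keep the following sentence about leaving the field unset.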
--
2.39.2
Reply sent to Ludovic Courtès <ludo <at> gnu.org>: You have taken responsibility. (Fri, 21 Apr 2023 15:16:02 GMT)
Notification sent to Saku Laesvuori <saku <at> laesvuori.fi>: bug acknowledged by developer. (Fri, 21 Apr 2023 15:16:02 GMT)
Message #13 received at 62966-done <at> debbugs.gnu.org:
Hi Saku,
Saku Laesvuori <saku <at> laesvuori.fi> wrote:
> Add a new 'proxy' field to openssh-host to allow ProxyCommand or
> ProxyJump, but not both, to be configured. Configuring both would cause
> the serialization order to determine which one is used. Deprecate the
> 'proxy-command' field because the 'proxy' field replaces it.
>
> * gnu/home/services/ssh.scm (proxy-jump->string,
> proxy-command-or-jump-list?, serialize-proxy-command-or-jump-list,
> sanitize-proxy-command): New procedures.
> (proxy-jump, proxy-command): New record types.
> (openssh-host)[proxy-command]: Mark field as deprecated because OpenSSH
> can't have ProxyCommand and ProxyJump configured at the same time.
> * doc/guix.texi (Secure Shell): Update to match the changes to the
> service.
Nice improvement.
> * doc/guix.texi (Secure Shell): Update openssh-host documentation to
> match the code.
Applied, thanks!
Ludo’.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sat, 20 May 2023 11:24:10 GMT)