| author | Jules Aguillon <jules@j3s.fr> | 2022-01-18 21:56:14 +0100 |
|---|---|---|
| committer | github-actions[bot] <github-actions[bot]@users.noreply.github.com> | 2022-01-21 16:44:03 +0000 |
| commit | deb63b0aae130dd0b3ad9c2ae882f4bb31332cb1 (patch) | |
| tree | 1fcda076f9e7ee072a2077fa373db260a56885f2 | |
| parent | Merge pull request #156049 from NixOS/backport-155234-to-release-21.11 (diff) | |
| download | nixpkgs-deb63b0aae130dd0b3ad9c2ae882f4bb31332cb1.tar.gz | |
types.singleLineStr: strings that don't contain '\n'
Add a new type, inheriting 'types.str' but checking whether the value
doesn't contain any newline characters.
The motivation comes from a problem with the
'users.users.${u}.openssh.authorizedKeys' option.
It is easy to unintentionally insert a newline character at the end of a
string, or even in the middle, for example:
restricted_ssh_keys = command: keys:
let
prefix = ''
command="${command}",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding
'';
in map (key: "${prefix} ${key}") keys;
The 'prefix' string ends with a newline, which ends up in the middle of
a key entry after a few manipulations.
This is problematic because the key file is built by concatenating all
the keys with 'concatStringsSep "\n"', which results in two entries for
the faulty key:
''
command="...",options...
MY_KEY
''
This is hard to debug and might be dangerous. This is now caught at
build time.
(cherry picked from commit df590070b007b2cd2f64647b2780c903506aa21f)
| -rw-r--r-- | lib/types.nix | 7 | ||||
| -rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 2 |
2 files changed, 8 insertions, 1 deletions
diff --git a/lib/types.nix b/lib/types.nix
index 244cbb6b5354..0e702fb2f2ed 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -300,6 +300,13 @@ rec {
 inherit (str) merge;
 };
 
+ singleLineStr = mkOptionType {
+ name = "singleLineStr";
+ description = "string that doesn't contain '\\n'";
+ check = x: str.check x && !(lib.hasInfix "\n" x);
+ inherit (str) merge;
+ };
+
 strMatching = pattern: mkOptionType {
 name = "strMatching ${escapeNixString pattern}";
 description = "string matching the pattern ${pattern}";
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 004b4f99670f..52a1982b3f0a 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -30,7 +30,7 @@ let
 options.openssh.authorizedKeys = {
 keys = mkOption {
- type = types.listOf types.str;
+ type = types.listOf types.singleLineStr;
 default = [];
 description = ''
 A list of verbatim OpenSSH public keys that should be added to the |
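Review bot: The new `singleLineStr` type in lib/types.nix rejects only LF, so a value containing a lone `\r` (a common leftover from files edited on Windows) still passes `check` and ends up verbatim in whatever line-oriented file the option builds; if that is the intended scope, state it in a comment above the definition, e.g. `# A string containing no newline ("\n") characters; a lone "\r" is still accepted.`, since the type otherwise has no explanatory comment while the neighbouring types do get one in the description. The context lines of the same hunk call `escapeNixString` unqualified while the new check calls `lib.hasInfix`; if `hasInfix` is in scope the same way, `check = x: str.check x && !(hasInfix "\n" x);` would match the surrounding style. Inheriting `merge` from `str` looks right, as the check only narrows `str`. The second hunk (sshd.nix) is cut off at the end of the page, so its `description` text cannot be reviewed here.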
