Ssh
programs.ssh.agentPKCS11Whitelist
A pattern-list of acceptable paths for PKCS#11 shared libraries that may be used with the -s option to ssh-add.
Type: null or string
Default
null
Example
"${pkgs.opensc}/lib/opensc-pkcs11.so"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.agentTimeout
How long to keep the private keys in memory. Use null to keep them forever.
Type: null or string
Default
null
Example
"1h"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.askPassword
Program used by SSH to ask for passwords.
Type: string
Default
"${pkgs.x11_ssh_askpass}/libexec/x11-ssh-askpass"
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.ciphers
Specifies the ciphers allowed and their order of preference.
Type: null or (list of string)
Default
null
Example
[ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.enableAskPassword
Whether to configure SSH_ASKPASS in the environment.
Type: boolean
Default
config.services.xserver.enable
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.extraConfig
Extra configuration text prepended to ssh_config. Other generated options will be added after a Host * pattern. See ssh_config(5) for help.
Type: strings concatenated with "\n"
Default
""
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.forwardX11
Whether to request X11 forwarding on outgoing connections by default. If set to null, the option is not set at all. This is useful for running graphical programs on the remote machine and having them display on your local X11 server. Historically, this value has depended on the value used by the local sshd daemon, but there really isn't a relation between the two. Note: there are some security risks to forwarding an X11 connection. NixOS's X server is built with the SECURITY extension, which prevents some obvious attacks. To enable or disable forwarding on a per-connection basis, see the -X and -x options to ssh. The -Y option to ssh enables trusted forwarding, which bypasses the SECURITY extension.
Type: null or boolean
Default
false
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.hostKeyAlgorithms
Specifies the host key algorithms that the client wants to use in order of preference.
Type: list of string
Default
[ ]
Example
[ "ssh-ed25519" "ssh-rsa" ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.kexAlgorithms
Specifies the available KEX (Key Exchange) algorithms.
Type: null or (list of string)
Default
null
Example
[ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHosts
The set of system-wide known SSH hosts. To make simple setups more convenient, the name of an attribute in this set is used as a host name for the entry. This behaviour can be disabled by setting hostNames explicitly. You can use extraHostNames to add additional host names without disabling this default.
Type: attribute set of (submodule)
Default
{ }
Example
{
  myhost = {
    extraHostNames = [ "myhost.mydomain.com" "10.10.1.4" ];
    publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
  };
  "myhost2.net".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIRuJ8p1Fi+m6WkHV0KWnRfpM1WxoW8XAS+XvsSKsTK";
  "myhost2.net/dsa" = {
    hostNames = [ "myhost2.net" ];
    publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
  };
}
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHosts.<name>.certAuthority
This public key is an SSH certificate authority, rather than an individual host's key.
Type: boolean
Default
false
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHosts.<name>.extraHostNames
A list of additional host names and/or IP numbers used for accessing the host's ssh service. This list is ignored if hostNames is set explicitly.
Type: list of string
Default
[ ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHosts.<name>.hostNames
A list of host names and/or IP numbers used for accessing the host's ssh service. This list includes the name of the containing knownHosts attribute by default for convenience. If you wish to configure multiple host keys for the same host, use multiple knownHosts entries with different attribute names and the same hostNames list.
Type: list of string
Default
[ ‹name› ] ++ config.programs.ssh.knownHosts.<name>.extraHostNames
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHosts.<name>.publicKey
The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.
Type: null or string
Default
null
Example
"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
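Added example, not part of the NixOS module or its documentation: a Python helper that reduces an ssh-keyscan output line to the "key type and key only" form that publicKey expects, and rejects lines whose declared key type does not match the algorithm name embedded in the key blob. The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import binascii
import struct

# Constructed sample: a well-formed ed25519 blob with an all-zero key (not a real host key).
SAMPLE_BLOB = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode()


def embedded_key_type(blob_b64: str) -> str:
    """Return the algorithm name stored as the first length-prefixed string of a key blob."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key data is not valid base64: {exc}") from None
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length == 0 or 4 + length > len(blob):
        raise ValueError("key blob has a bad length prefix")
    return blob[4:4 + length].decode("ascii", errors="replace")


def to_public_key(line: str) -> str:
    """Reduce 'hosts type base64 [comment]' or 'type base64' to 'type base64'.

    Raises ValueError when no field pair has a key type matching its blob.
    """
    fields = line.split()
    # The key type is field 0 (already stripped) or field 1 (host names first).
    for i in range(min(2, len(fields) - 1)):
        key_type, data = fields[i], fields[i + 1]
        try:
            if embedded_key_type(data) == key_type:
                return f"{key_type} {data}"
        except ValueError:
            continue
    raise ValueError(f"no consistent 'type base64' pair in: {line!r}")


if __name__ == "__main__":
    scanned = f"myhost.mydomain.com,10.10.1.4 ssh-ed25519 {SAMPLE_BLOB}"
    print(to_public_key(scanned))
```

A key obtained with ssh-keyscan is only as trustworthy as the network path it was fetched over, so compare its fingerprint against one obtained out of band before pinning it.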
programs.ssh.knownHosts.<name>.publicKeyFile
The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option. Only a single key is supported. If a host has multiple keys, use programs.ssh.knownHostsFiles instead.
Type: null or path
Default
null
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.knownHostsFiles
Files containing SSH host keys to set as global known hosts. /etc/ssh/ssh_known_hosts (which is generated by programs.ssh.knownHosts) is always included.
Type: list of path
Default
[ ]
Example
[
  ./known_hosts
  (writeText "github.keys" ''
    github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
    github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
  '')
]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.macs
Specifies the MAC (message authentication code) algorithms in order of preference. The MAC algorithm is used for data integrity protection.
Type: null or (list of string)
Default
null
Example
[ "hmac-sha2-512-etm@openssh.com" "hmac-sha1" ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.package
The openssh package to use.
Type: package
Default
pkgs.openssh
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.pubkeyAcceptedKeyTypes
Specifies the key types that will be used for public key authentication.
Type: list of string
Default
[ ]
Example
[ "ssh-ed25519" "ssh-rsa" ]
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.setXAuthLocation
Whether to set the path to xauth for X11-forwarded connections. This causes a dependency on X11 packages.
Type: boolean
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix
programs.ssh.startAgent
Whether to start the OpenSSH agent when you log in. The OpenSSH agent remembers private keys for you so that you don't have to type in passphrases every time you make an SSH connection. Use ssh-add to add a key to the agent.
Type: boolean
Default
false
Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix