
Openssh

services.openssh.allowSFTP

Whether to enable the SFTP subsystem in the SSH daemon. This enables the use of commands such as sftp and sshfs.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.authorizedKeysCommand

Specifies a program to be used to look up the user's public keys. The program must be owned by root, not writable by group or others and specified by an absolute path.

Type: string

Default

"none"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.authorizedKeysCommandUser

Specifies the user under whose account the AuthorizedKeysCommand is run. It is recommended to use a dedicated user that has no other role on the host than running authorized keys commands.

Type: string

Default

"nobody"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.authorizedKeysFiles

Specify the rules for which files to read on the host.

This is an advanced option. If you're looking to configure user keys, you can generally use or .

These are paths relative to the host root file system or home directories and they are subject to certain token expansion rules. See AuthorizedKeysFile in man sshd_config for details.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.authorizedKeysInHomedir

Enables the use of the ~/.ssh/authorized_keys file.

Otherwise, the only files trusted by default are those in /etc/ssh/authorized_keys.d, i.e. SSH keys from .

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.banner

Message to display to the remote user before authentication is allowed.

Type: null or strings concatenated with "\n"

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.enable

Whether to enable the OpenSSH secure shell daemon, which allows secure remote logins.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.extraConfig

Verbatim contents of sshd_config.

Type: strings concatenated with "\n"

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.hostKeys

NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See ssh-keygen(1) for supported types and sizes.

Type: list of (attribute set)

Default

[
  { bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; type = "rsa"; }
  { path = "/etc/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
]

Example

[
  { bits = 4096; openSSHFormat = true; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; type = "rsa"; }
  { comment = "key comment"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; type = "ed25519"; }
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.knownHosts

Alias of programs.ssh.knownHosts.

Type: attribute set of (submodule)

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.knownHosts.<name>.certAuthority

This public key is an SSH certificate authority, rather than an individual host's key.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix

services.openssh.knownHosts.<name>.extraHostNames

A list of additional host names and/or IP numbers used for accessing the host's ssh service. This list is ignored if hostNames is set explicitly.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix

services.openssh.knownHosts.<name>.hostNames

A list of host names and/or IP numbers used for accessing the host's ssh service. This list includes the name of the containing knownHosts attribute by default for convenience. If you wish to configure multiple host keys for the same host use multiple knownHosts entries with different attribute names and the same hostNames list.

Type: list of string

Default

[ name ] ++ config.services.openssh.knownHosts.<name>.extraHostNames

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix

services.openssh.knownHosts.<name>.publicKey

The public key data for the host. You can fetch a public key from a running SSH server with the ssh-keyscan command. The public key should not include any host names, only the key type and the key itself.

Type: null or string

Default

null

Example

"ecdsa-sha2-nistp521 AAAAE2VjZHN...UEPg=="

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix

services.openssh.knownHosts.<name>.publicKeyFile

The path to the public key file for the host. The public key file is read at build time and saved in the Nix store. You can fetch a public key file from a running SSH server with the ssh-keyscan command. The content of the file should follow the same format as described for the publicKey option. Only a single key is supported. If a host has multiple keys, use programs.ssh.knownHostsFiles instead.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/programs/ssh.nix

services.openssh.listenAddresses

List of addresses and ports to listen on (ListenAddress directive in config). If no port is specified for an address, sshd will listen on all ports specified by the ports option. NOTE: this overrides the default of listening on all local addresses and port 22. NOTE: setting this option won't automatically open the given ports in the firewall configuration.

Type: list of (submodule)

Default

[ ]

Example

[
  { addr = "192.168.3.1"; port = 22; }
  { addr = "0.0.0.0"; port = 64022; }
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.listenAddresses.*.addr

Host, IPv4 or IPv6 address to listen to.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.listenAddresses.*.port

Port to listen to.

Type: null or signed integer

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.moduliFile

Path to moduli file to install in /etc/ssh/moduli. If this option is unset, then the moduli file shipped with OpenSSH will be used.

Type: path

Example

"/etc/my-local-ssh-moduli"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.openFirewall

Whether to automatically open the specified ports in the firewall.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.package

OpenSSH package to use for sshd.

Type: package

Default

programs.ssh.package

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.ports

Specifies on which ports the SSH daemon listens.

Type: list of 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

[22]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings

Configuration for sshd_config(5).

Type: attribute set of (atom (null, bool, int, float or string))

Default

{ }

Example

{ UseDns = true; PasswordAuthentication = false; }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.AllowGroups

If specified, login is allowed only for users part of the listed groups. See sshd_config(5) for details.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.AllowUsers

If specified, login is allowed only for the listed users. See sshd_config(5) for details.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.AuthorizedPrincipalsFile

Specifies a file that lists principal names that are accepted for certificate authentication. The default is "none", i.e. not to use a principals file.

Type: null or string

Default

"none"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.Ciphers

Allowed ciphers

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default

[
  "chacha20-poly1305@openssh.com"
  "aes256-gcm@openssh.com"
  "aes128-gcm@openssh.com"
  "aes256-ctr"
  "aes192-ctr"
  "aes128-ctr"
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.DenyGroups

If specified, login is denied for all users part of the listed groups. Takes precedence over . See sshd_config(5) for details.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.DenyUsers

If specified, login is denied for all listed users. Takes precedence over . See sshd_config(5) for details.

Type: null or (list of string)

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.GatewayPorts

Specifies whether remote hosts are allowed to connect to ports forwarded for the client. See sshd_config(5).

Type: null or string

Default

"no"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.KbdInteractiveAuthentication

Specifies whether keyboard-interactive authentication is allowed.

Type: null or boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.KexAlgorithms

Allowed key exchange algorithms

Uses the lower bound recommended in both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default

[
  "sntrup761x25519-sha512@openssh.com"
  "curve25519-sha256"
  "curve25519-sha256@libssh.org"
  "diffie-hellman-group-exchange-sha256"
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.LogLevel

Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level violates the privacy of users and is not recommended.

Type: null or one of "QUIET", "FATAL", "ERROR", "INFO", "VERBOSE", "DEBUG", "DEBUG1", "DEBUG2", "DEBUG3"

Default

"INFO"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.Macs

Allowed MACs

Defaults to recommended settings from both https://stribika.github.io/2015/01/04/secure-secure-shell.html and https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67

Type: null or (list of string)

Default

[
  "hmac-sha2-512-etm@openssh.com"
  "hmac-sha2-256-etm@openssh.com"
  "umac-128-etm@openssh.com"
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.PasswordAuthentication

Specifies whether password authentication is allowed.

Type: null or boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.PermitRootLogin

Whether the root user can login using ssh.

Type: null or one of "yes", "without-password", "prohibit-password", "forced-commands-only", "no"

Default

"prohibit-password"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.PrintMotd

Whether to enable printing /etc/motd when a user logs in interactively.

Type: null or boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.StrictModes

Whether sshd should check file modes and ownership of directories.

Type: null or boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.UseDns

Specifies whether sshd(8) should look up the remote host name and check that the resolved host name for the remote IP address maps back to the same IP address. If this option is set to no (the default), then only addresses, not host names, may be used in ~/.ssh/authorized_keys from= options and in sshd_config Match Host directives.

Type: null or boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.UsePAM

Whether to enable PAM authentication.

Type: null or boolean

Default

true

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.settings.X11Forwarding

Whether to allow X11 connections to be forwarded.

Type: null or boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.sftpFlags

Commandline flags to add to sftp-server.

Type: list of string

Default

[ ]

Example

[ "-f AUTHPRIV" "-l INFO" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.sftpServerExecutable

The sftp server executable. Can be a path or "internal-sftp" to use the sftp server built into the sshd binary.

Type: string

Example

"internal-sftp"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix

services.openssh.startWhenNeeded

If set, sshd is socket-activated; that is, instead of having it permanently running as a daemon, systemd will start an instance for each incoming connection.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/ssh/sshd.nix