[bug#63786] [PATCH] home: services: ssh: Allow unset boolean options in ssh-config.
From: Andrew Tropin
Subject: [bug#63786] [PATCH] home: services: ssh: Allow unset boolean options in ssh-config.
Date: Mon, 12 Jun 2023 08:58:18 +0400
On 2023-06-11 10:49, Efraim Flashner wrote:
>
> For some reason this didn't get sent to the bug.
>
> --
> Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
> GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
> Confidentiality cannot be guaranteed on emails sent or received unencrypted
> From: Efraim Flashner <efraim@flashner.co.il>
> Subject: Re: bug#63786: [PATCH] home: services: ssh: Allow unset boolean
> options in ssh-config.
> To: Ludovic Courtès <ludo@gnu.org>
> Date: Fri, 09 Jun 2023 16:24:26 +0300
>
> On Thu, Jun 08, 2023 at 10:57:37PM +0200, Ludovic Courtès wrote:
>> Hello!
>>
>> Efraim Flashner <efraim@flashner.co.il> skribis:
>>
>> > From man 5 ssh_config:
>> > Unless noted otherwise, for each parameter, the first obtained value
>> > will be used.
>> >
>> > We want to allow falling through to the first actual user defined value.
>>
>> What do you mean by “first actual user-defined value”? This service is
>> what generates all the “user-defined values”, no?
>
> Right now my ~/.ssh/config has
>
> Host do1-tor
>   Hostname <insert tor address>
>   IdentityFile ~/.ssh/id_ed25519
> Host *.onion *-tor
>   #ProxyCommand /gnu/store/dgvybjrj154f4cyfbkrbqyirv5gd8ic2-netcat-openbsd-1.218-2/bin/nc -X 5 -x localhost:9050 %h %p
>   ProxyCommand /home/efraim/bin/openbsd-netcat -X 5 -x localhost:9050 %h %p
>   ControlPath ${XDG_RUNTIME_DIR}/%r@%k-%p
>   Compression yes
>
> The way the ssh config is read is that `ssh do1-tor` first matches
> do1-tor and then also matches *-tor, so I can factor out ProxyCommand,
> ControlPath and Compression for use with the other *-tor Hosts I have
> listed.
>
> This configuration could be
> (openssh-host (name "do1-tor")
>               (host-name <insert tor address>)
>               (identity-file "~/.ssh/id_ed25519"))
> (openssh-host (name "*.onion *-tor")
>               (compression? #t)
>               (proxy
>                (proxy-command ...))
>               (extra-content "  ControlPath ...\n"))
>
> If this is all I enter, then my .ssh/config is generated like this:
>
> Host do1-tor
>   Hostname <insert tor address>
>   IdentityFile ~/.ssh/id_ed25519
>   ForwardX11 no
>   ForwardX11Trusted no
>   ForwardAgent no
>   Compression no
> Host *.onion *-tor
>   ForwardX11 no
>   ForwardX11Trusted no
>   ForwardAgent no
>   Compression yes
>   ProxyCommand /home/efraim/bin/openbsd-netcat -X 5 -x localhost:9050 %h %p
>   ControlPath ${XDG_RUNTIME_DIR}/%r@%k-%p
>
> Compression might default to no, but in my hand crafted .ssh/config I've
> set it to yes for *-tor Hosts. Forward* might all default to no, and
> it's not set anywhere, but being explicit about the default here could
> cause problems if I want X11 forwarding across an entire range of hosts,
> not just individual ones.
>
>> Overall my take is that default values should be specified in our code
>> (as default values of configuration record fields) rather than left
>> unspecified. I think this is clearer and more predictable than relying
>> on upstream’s default values.
>
> In general this is a good plan, but here it actually interferes with the
> expected configuration output. 'Fall through' is the default, not the
> actual default for each of the individual configuration options. They
> only get set if that field isn't set first by any of the possibly
> multiple configuration matches.
A few years ago, when we were implementing the first version of the ssh
home service in rde, we went a slightly different way: we didn't hardcode
any record fields and let the user set an alist of key/value pairs:
https://git.sr.ht/~abcdw/rde/tree/19c2d2f0996624eea8b7a87b14bbc31e4a9b943b/src/gnu/home-services/ssh.scm#L204
It's not a perfect solution either, but it is quite flexible. Also, it's
relatively easy to implement default values: we can provide
%default-host-options and ask people to do something like this in their
user-side configuration:

  (merge %default-host-options '((compression . #f)))

Of course "asking people" won't work, so it's possible to set the default
value of the options field to %default-host-options
https://git.sr.ht/~abcdw/rde/tree/19c2d2f0996624eea8b7a87b14bbc31e4a9b943b/src/gnu/home-services/ssh.scm#L100
and let people override it with '((compression . #f)) or enrich it with
(merge %default-host-options '((compression . #f))).
It's not a proposal or something, just sharing how it's implemented in
rde.
P.S. Note that the (gnu home-services *) modules are subject to deprecation,
and when (rde home services ssh) appears, it will have a slightly
different interface.
--
Best regards,
Andrew Tropin
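The point both messages turn on is the ssh_config(5) rule quoted above: for each parameter the first value obtained wins, and every Host block whose pattern matches the alias contributes in file order. The following is an added example (not Guix, rde or OpenSSH code) that renders the two openssh-host records from the thread in the two ways discussed, once with the service writing explicit defaults into every block and once leaving unset options out, then resolves `ssh do1-tor` under the first-value rule and reports which later values were shadowed. The Hostname is a constructed placeholder; the ProxyCommand and ControlPath values are the ones from the thread; `SERVICE_DEFAULTS` is assumed to be what a service would emit for an unset boolean field.

```python
"""Simulate ssh_config's first-obtained-value rule for a host alias.

Added example, not Guix or rde code. It renders home-service style
records to a ~/.ssh/config text, applies the ssh_config(5) rule that the
first value obtained for each parameter wins, and reports which later
values were shadowed by an earlier matching Host block.
"""
import fnmatch
import re

# Assumed: what a service might write for a boolean field the user left
# unset. These mirror the generated block shown in the thread.
SERVICE_DEFAULTS = {
    "ForwardX11": "no",
    "ForwardX11Trusted": "no",
    "ForwardAgent": "no",
    "Compression": "no",
}

# Constructed input mirroring the two openssh-host records in the thread.
# None means "unset": the user said nothing about this option.
HOSTS = [
    ("do1-tor", {
        "Hostname": "abcdefghijklmnop.onion",  # constructed placeholder
        "IdentityFile": "~/.ssh/id_ed25519",
        "Compression": None,
    }),
    ("*.onion *-tor", {
        "Compression": "yes",
        "ProxyCommand": "/home/efraim/bin/openbsd-netcat -X 5 -x localhost:9050 %h %p",
        "ControlPath": "${XDG_RUNTIME_DIR}/%r@%k-%p",
    }),
]


def render_config(hosts, explicit_defaults):
    """Render Host blocks. With explicit_defaults=True every block also
    states SERVICE_DEFAULTS for options the user left unset, which is
    the behaviour the patch under discussion wants to avoid."""
    lines = []
    for name, options in hosts:
        lines.append(f"Host {name}")
        opts = {k: v for k, v in options.items() if v is not None}
        if explicit_defaults:
            for key, value in SERVICE_DEFAULTS.items():
                opts.setdefault(key, value)
        for key, value in opts.items():
            lines.append(f"  {key} {value}")
    return "\n".join(lines) + "\n"


# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_OPTION = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_ssh_config(text):
    """Return [(patterns, [(key, value), ...])] in file order. Lines
    before the first Host keyword are global and get the pattern '*'."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION.match(line)
        if not m:
            continue  # keyword with no value; ssh itself would reject it
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(patterns, alias):
    """Host patterns use glob syntax; a '!' pattern that matches vetoes."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(alias, pat):
            positive = True
    return positive


def resolve(text, alias):
    """Apply the first-obtained-value rule. Returns (effective, shadowed);
    shadowed lists (key, later_value, winning_value) for each later block
    whose differing value lost to an earlier matching block."""
    effective, shadowed = {}, []
    for patterns, settings in parse_ssh_config(text):
        if not host_matches(patterns, alias):
            continue
        for key, value in settings:
            if key not in effective:
                effective[key] = value
            elif effective[key] != value:
                shadowed.append((key, value, effective[key]))
    return effective, shadowed


def effective_options(hosts, alias, explicit_defaults):
    """Convenience wrapper: render, then resolve for one alias."""
    return resolve(render_config(hosts, explicit_defaults), alias)


if __name__ == "__main__":
    for explicit in (True, False):
        eff, lost = effective_options(HOSTS, "do1-tor", explicit)
        print(f"explicit_defaults={explicit}: Compression={eff['compression']}"
              f" shadowed={lost}")
```

With explicit defaults the `do1-tor` block states `Compression no` first, so the `Compression yes` the user put in the `*-tor` block is silently shadowed; with unset options omitted the value falls through to `yes` as intended. Against a real file the equivalent check is `ssh -G do1-tor -F ~/.ssh/config`, which prints the options ssh would actually use after applying the same rule.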