overlay: introduce openssh modifications to disable permission checking

Disable openssh's ~/.ssh/config permission checking. It's too pedantic that does not work with FHS-shim on NixOS. - Also removes the hack in home-manager configuration. Link: nix-community/home-manager#322
inclyc · Nov 30, 2024 · 6cac815 · 6cac815
1 parent fc66cba
commit 6cac815
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 5 deletions.
diff --git a/home/lyc/configurations/adrastea/default.nix b/home/lyc/configurations/adrastea/default.nix
@@ -32,9 +32,4 @@
     user = "zxy";
     port = 22;
   };
-
-  home.file.".ssh/config" = {
-    target = ".ssh/config_source";
-    onChange = ''cat .ssh/config_source > .ssh/config && chmod 400 .ssh/config'';
-  };
 }
diff --git a/overlays/modifications.nix b/overlays/modifications.nix
@@ -4,6 +4,7 @@ let
 in
 (lib.composeManyExtensions [
   (import ./chromium.nix)
+  (import ./openssh)
 ])
   final
   prev
diff --git a/overlays/openssh/default.nix b/overlays/openssh/default.nix
@@ -0,0 +1,9 @@
+/**
+  Disable "bad permission" checking in openssh.
+*/
+final: prev: {
+  openssh = prev.openssh.overrideAttrs (old: {
+    patches = (old.patches or [ ]) ++ [ ./no-check-permission.patch ];
+    doCheck = false;
+  });
+}
diff --git a/overlays/openssh/no-check-permission.patch b/overlays/openssh/no-check-permission.patch
@@ -0,0 +1,13 @@
+diff --git a/readconf.h b/readconf.h
+index ded13c9..94f489e 100644
+--- a/readconf.h
++++ b/readconf.h
+@@ -203,7 +203,7 @@ typedef struct {
+ #define SESSION_TYPE_SUBSYSTEM	1
+ #define SESSION_TYPE_DEFAULT	2
+
+-#define SSHCONF_CHECKPERM	1  /* check permissions on config file */
++#define SSHCONF_CHECKPERM	0  /* check permissions on config file */
+ #define SSHCONF_USERCONF	2  /* user provided config file not system */
+ #define SSHCONF_FINAL		4  /* Final pass over config, after canon. */
+ #define SSHCONF_NEVERMATCH	8  /* Match/Host never matches; internal only */