Open lilyball opened 5 years ago
I think such features should be done via --with-proprietary-apple-extension-use-keychain or something that will immediately crash when run on Linux. Or, more in general, to make it statically decidable that code is not cross-platform.
Unmodified, I am against this feature request.
We shouldn’t have two versions of openssh otherwise it would be much harder to keep up with security patches and stuff. But we can patch it like macports does:
I think making it default is reasonable though, macOS users would expect it to be available even if it won’t work on other versions.
Ugh... it doesn't apply for openssh 7.9p1:
https://github.com/macports/macports-ports/blob/master/net/openssh/Portfile#L144
Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:
I still care about this. As a macOS user my SSH credentials are stored in the keychain, and I'd like things installed via Nix that use SSH to be able to integrate with my existing credentials.
The version of openssh on master is 8.1p1 or 8.2p1, so the patch might work now.
Ugh... it doesn't apply for openssh 7.9p1:
https://github.com/macports/macports-ports/blob/master/net/openssh/Portfile#L144
In case anyone else is confused by that, here's the link to the commit that was master at the time that comment was posted; this TODO has been addressed now.
https://github.com/macports/macports-ports/blob/fb2b01164dc3784d68d6442687752eea6df1caa7/net/openssh/Portfile#L144
[nixpkgs-20.09] OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020 does not support the Apple-specific UseKeychain configuration parameter. Breaks everything for me.
I'm using this workaround in the meantime:
IgnoreUnknown UseKeychain
UseKeychain yes
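The two-line snippet above only parses on stock OpenSSH if IgnoreUnknown comes first: readconf aborts on the first unrecognised keyword, so the order of the lines is what decides whether the file loads at all. The script below is an added example, not something from this thread or from nixpkgs; it writes the fragment in the required order, checks an existing config for that ordering with awk, and, when an ssh binary is available, lets ssh itself parse the file with -G (which evaluates the config without connecting). The hostname placeholder.invalid is an assumption chosen so nothing is ever contacted.

```shell
#!/bin/sh
# Added example (not from the issue thread or nixpkgs).
# Assumes POSIX sh and awk; the live probe additionally assumes an OpenSSH
# "ssh" on PATH and is skipped otherwise.

# Write an ssh_config fragment that both Apple's patched ssh and a stock
# (e.g. nixpkgs) ssh accept. IgnoreUnknown must precede the keyword it
# covers, because stock ssh rejects the file at the first unknown keyword.
write_keychain_fragment() {
  cat > "$1" <<'EOF'
Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
EOF
}

# Line-order check: return 0 if every UseKeychain line is preceded by an
# IgnoreUnknown line that names it, 1 otherwise. This is a lightweight
# heuristic (it does not evaluate Host/Match blocks); probe_with_ssh below
# is the authoritative check.
check_keychain_order() {
  awk '
    { key = tolower($1); rest = tolower($0) }
    key == "ignoreunknown" && rest ~ /usekeychain/ { covered = 1 }
    key == "usekeychain" && !covered               { bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Authoritative check: ask ssh to parse the file with -G (print the
# evaluated configuration, do not connect). Prints "ok" or "rejected";
# returns 2 when no ssh binary is available so callers can tell the
# difference between "not supported" and "not tested".
probe_with_ssh() {
  command -v ssh >/dev/null 2>&1 || return 2
  # placeholder.invalid is a reserved name that never resolves (assumption:
  # the config under test has no Match rules that trigger DNS lookups).
  if ssh -G -F "$1" placeholder.invalid >/dev/null 2>&1; then
    echo ok
    return 0
  fi
  echo rejected
  return 1
}

# Stand-alone usage: build the fragment, verify ordering, then probe.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_keychain_fragment "$tmp"
  check_keychain_order "$tmp" && echo "ordering: ok"
  probe_with_ssh "$tmp" || echo "ssh probe exit status: $?"
  rm -f "$tmp"
fi
```

Run it with --demo to see both checks against a freshly written fragment, or call check_keychain_order on your own ~/.ssh/config; a "rejected" from probe_with_ssh on a file that passes the ordering check usually means the IgnoreUnknown line sits inside a Host block that does not match, which the awk heuristic cannot see.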
@uri-canva The primary point of this GitHub issue is to suggest that Nix use the Apple-patched OpenSSH so that macOS Keychain integration works.
Adding the IgnoreUnknown line does not fix the core problem (lack of Keychain integration), not even temporarily. So, since I can be pedantic, I wouldn't call it a workaround (which I define as a 'temporary fix' -- often requiring a person to hold their nose).
@xpe It’s a workaround for the fact that the lack of support for UseKeychain breaks everything. It’s a way to ensure your .ssh/config can be read by Nix OpenSSH while still benefiting from keychain integration when using the system-provided SSH.
Also on the topic of workarounds, I got Mosh to work by overriding it to use a fake ssh package that just provides a symlink to the system ssh (as Mosh only invokes the binary). This doesn’t help with anything else that uses OpenSSH though.
@lilyball wrote:
It’s a workaround for the fact that the lack of support for UseKeychain breaks everything. It’s a way to ensure your .ssh/config can be read by Nix OpenSSH while still benefiting from keychain integration when using the system-provided SSH.
I understand what you are saying. Still, we are writing these comments in the context of this particular ticket, whose purpose is to request that Nix packages make a change to support macOS Keychain integration.
Definitions aside, let's see if we can solve the core problem.
@toonn wrote:
@uri-canva, currently OpenSSH is not built as part of the Apple open source releases. I'm also not sure that would be desirable given how long the SDK/open source releases can lag on the latest release of macOS and I suppose this would apply to OpenSSH as well, AFAIK Apple doesn't update the open source releases for previous versions of macOS much?
https://github.com/NixOS/nixpkgs/issues/15686#issuecomment-1009965324
According to https://github.com/macports/macports-ports/pull/9451, upstream openssh 8.4p1 supports apple keychain; both macports and brew have now dropped keychain support in their openssh packages.
What about having an additional ssh derivation like the one including gssapi?
I'm willing to work on the technical problem of maintaining a patch to add this support to nixpkg's OpenSSH. Given the attitude of Homebrew and Macports, what's our temperature for adding this to all Darwin OpenSSH packages?
I ran into this when trying to switch to git with send-email support. In case this helps someone, the home-manager docs (at this time) say to use pkgs.gitFull, but I didn't realize that this changes git to use nixpkg's openssh. I was able to work around this by building a custom version of git:
pkgs.git.override {
sendEmailSupport = true;
withSsh = !pkgs.stdenv.isDarwin;
}
Issue description
Apple ships a patched version of ssh on its system to add a UseKeychain config directive. Apple also makes the patched source available at opensource.apple.com, and the version for macOS 10.14.1 is available as OpenSSH-220.220.4 (I don't know what the version numbering here means). It would be great if Nix could use this patched version when compiling for Darwin, so that way my existing ~/.ssh/config will continue to work and e.g. I can use Mosh or anything else that happens to depend on openssh.
CC @eelco @aneeshusa