NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

openssh: Consider using Apple's source release on darwin #62353

Open lilyball opened 5 years ago

lilyball commented 5 years ago

Issue description

Apple ships a patched version of ssh on its system to add a UseKeychain config directive. Apple also makes the patched source available at opensource.apple.com, and the version for macOS 10.14.1 is available as OpenSSH-220.220.4 (I don't know what the version numbering here means).

It would be great if Nix could use this patched version when compiling for Darwin, so that way my existing ~/.ssh/config will continue to work and e.g. I can use Mosh or anything else that happens to depend on openssh.

CC @eelco @aneeshusa

memberbetty commented 5 years ago

I think such features should be done via --with-proprietary-apple-extension-use-keychain or something that will immediately crash when run on Linux. Or, more in general, to make it statically decidable that code is not cross-platform.

Unmodified, I am against this feature request.

matthewbauer commented 5 years ago

We shouldn’t have two versions of openssh otherwise it would be much harder to keep up with security patches and stuff. But we can patch it like macports does:

https://github.com/macports/macports-ports/blob/master/net/openssh/files/0002-Apple-keychain-integration-other-changes.patch

I think making it default is reasonable though, macOS users would expect it to be available even if it won’t work on other versions.

matthewbauer commented 5 years ago

Ugh... it doesn't apply for openssh 7.9p1:

https://github.com/macports/macports-ports/blob/master/net/openssh/Portfile#L144

stale[bot] commented 4 years ago

Thank you for your contributions.

This has been automatically marked as stale because it has had no activity for 180 days.

If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.

Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse.
  3. Ask on the #nixos channel on irc.freenode.net.

lilyball commented 4 years ago

I still care about this. As a macOS user my SSH credentials are stored in the keychain, and I'd like things installed via Nix that use SSH to be able to integrate with my existing credentials.

uri-canva commented 4 years ago

Related: https://github.com/NixOS/nixpkgs/issues/36223, https://github.com/NixOS/nixpkgs/issues/15686.

uri-canva commented 4 years ago

The version of openssh on master is 8.1p1 or 8.2p1, so the patch might work now.

uri-canva commented 4 years ago

> Ugh... it doesn't apply for openssh 7.9p1:
>
> https://github.com/macports/macports-ports/blob/master/net/openssh/Portfile#L144

In case anyone else is confused by that, here's the link to the commit that was master at the time that comment was posted; this TODO has been addressed now. https://github.com/macports/macports-ports/blob/fb2b01164dc3784d68d6442687752eea6df1caa7/net/openssh/Portfile#L144

slonik-az commented 3 years ago

[nixpkgs-20.09] OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020 does not support the Apple-specific UseKeychain configuration parameter. Breaks everything for me.

uri-canva commented 3 years ago

I'm using this workaround in the meantime:

    IgnoreUnknown UseKeychain
    UseKeychain yes

xpe commented 3 years ago

@uri-canva The primary point of this GitHub issue is to suggest that Nix use the Apple-patched OpenSSH so that macOS Keychain integration works.

Adding the IgnoreUnknown line does not fix the core problem (lack of Keychain integration), not even temporarily. So, since I can be pedantic, I wouldn't call it a workaround (which I define as a 'temporary fix' -- often requiring a person to hold their nose).

lilyball commented 3 years ago

@xpe It’s a workaround for the fact that the lack of support for UseKeychain breaks everything. It’s a way to ensure your .ssh/config can be read by Nix OpenSSH while still benefiting from keychain integration when using the system-provided SSH.

Also on the topic of workarounds, I got Mosh to work by overriding it to use a fake ssh package that just provides a symlink to the system ssh (as Mosh only invokes the binary). This doesn’t help with anything else that uses OpenSSH though.
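
Added example (my own code, not from the issue, nixpkgs or OpenSSH) covering both the IgnoreUnknown workaround above and the point that the config must stay readable by a Nix-built OpenSSH while the system ssh keeps using the Keychain: a small linter that flags UseKeychain lines a stock OpenSSH would reject because no IgnoreUnknown covering them appears first. The sample configs are constructed; the "only top-level or same-block IgnoreUnknown counts" scoping is a conservative simplification of how ssh parses the file.

```python
"""Check an ssh_config for Apple-only directives that a stock OpenSSH build (such
as nixpkgs' Darwin openssh) rejects with "Bad configuration option". Models the
ssh_config(5) rule for IgnoreUnknown: a comma-separated glob pattern list that
protects only directives appearing after it; the first effective occurrence wins."""
import fnmatch

# Directives only Apple's patched ssh understands (the one named in the thread).
APPLE_ONLY = {"usekeychain"}

def _covered(directive, patterns):
    # Emulates OpenSSH match_pattern_list(): case-insensitive globs split on ','; '!' negation not modelled.
    return any(fnmatch.fnmatchcase(directive, p.strip().lower())
               for p in (patterns or "").split(",") if p.strip())

def lint_ssh_config(text):
    """Return [(line_no, directive)] for Apple-only directives a stock OpenSSH
    would reject. Conservative: inside a Host/Match block only a top-level
    IgnoreUnknown, or one earlier in the same block, is credited."""
    global_ign = block_ign = None  # first IgnoreUnknown seen at each scope
    in_block = False
    problems = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Key value" and "Key=value" spellings.
        key, _, arg = line.replace("=", " ", 1).partition(" ")
        key, arg = key.lower(), arg.strip()
        if key in ("host", "match"):
            in_block, block_ign = True, None
        elif key == "ignoreunknown":
            if not in_block and global_ign is None:
                global_ign = arg
            elif in_block and block_ign is None:
                block_ign = arg
        elif key in APPLE_ONLY and not _covered(key, global_ign or block_ign):
            problems.append((line_no, key))
    return problems

# Constructed samples (not from the issue); FIXED is the thread's workaround.
BROKEN = "Host *\n    UseKeychain yes\n    AddKeysToAgent yes\n"
FIXED = "IgnoreUnknown UseKeychain\n" + BROKEN
TOO_LATE = "Host *\n    UseKeychain yes\n    IgnoreUnknown UseKeychain\n"

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("too late", TOO_LATE)):
        print(name, lint_ssh_config(cfg) or "ok")
```

The FIXED sample passes because IgnoreUnknown precedes the Host block; TOO_LATE still fails because ssh has already rejected the UseKeychain line by the time it reads the IgnoreUnknown.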

xpe commented 3 years ago

@lilyball wrote:

> It’s a workaround for the fact that the lack of support for UseKeychain breaks everything. It’s a way to ensure your .ssh/config can be read by Nix OpenSSH while still benefiting from keychain integration when using the system-provided SSH.

I understand what you are saying. Still, we are writing these comments in the context of this particular ticket, whose purpose is to request that Nix packages make a change to support macOS Keychain integration.

Definitions aside, let's see if we can solve the core problem.

uri-canva commented 2 years ago

@toonn wrote:

> @uri-canva, currently OpenSSH is not built as part of the Apple open source releases. I'm also not sure that would be desirable given how long the SDK/open source releases can lag on the latest release of macOS and I suppose this would apply to OpenSSH as well, AFAIK Apple doesn't update the open source releases for previous versions of macOS much?
>
> https://github.com/NixOS/nixpkgs/issues/15686#issuecomment-1009965324

uri-canva commented 2 years ago

According to https://github.com/macports/macports-ports/pull/9451, upstream openssh 8.4p1 supports apple keychain; both macports and brew have now dropped keychain support in their openssh packages.

lockejan commented 2 years ago

What about having an additional ssh derivation like the one including gssapi?

tjni commented 2 years ago

I'm willing to work on the technical problem of maintaining a patch to add this support to nixpkgs' OpenSSH. Given the attitude of Homebrew and Macports, what's our temperature for adding this to all Darwin OpenSSH packages?

I ran into this when trying to switch to git with send-email support. In case this helps someone, the home-manager docs (at this time) say to use pkgs.gitFull, but I didn't realize that this changes git to use nixpkgs' openssh. I was able to work around this by building a custom version of git:

pkgs.git.override {
  sendEmailSupport = true;
  withSsh = !pkgs.stdenv.isDarwin;
}