ssh-agent: add agentPKCS11Whitelist option

If you want to be able to use OpenSC with ssh-agent, you need to be able to add it to the ssh-agent whitelist. This adds an option, agentPKCS11Whitelist, that exposes the option. Note that I currently work around this by injecting the parameter into the agentTimeout option: programs.ssh.agentTimeout = "1h -P ${pkgs.opensc}/lib/opensc-pkcs11.so"; but I feel that a proper option would be better :)
2025-01-08 06:28:50 +03:00 · 2019-10-14 20:45:28 +01:00 · 2019-10-14 20:45:28 +01:00 · 8120184bf1
commit 8120184bf1
parent 67effde499
1 changed files with 11 additions and 0 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -115,6 +115,16 @@ in
        '';
      };

+      agentPKCS11Whitelist = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        example = "\${pkgs.opensc}/lib/opensc-pkcs11.so";
+        description = ''
+          A pattern-list of acceptable paths for PKCS#11 shared libraries
+          that may be used with the -s option to ssh-add.
+        '';
+      };
+
      package = mkOption {
        type = types.package;
        default = pkgs.openssh;
@ -241,6 +251,7 @@ in
            ExecStart =
                "${cfg.package}/bin/ssh-agent " +
                optionalString (cfg.agentTimeout != null) ("-t ${cfg.agentTimeout} ") +
+                optionalString (cfg.agentPKCS11Whitelist != null) ("-P ${cfg.agentPKCS11Whitelist} ")
                "-a %t/ssh-agent";
            StandardOutput = "null";
            Type = "forking";