Flake url fetcher does not respect ssh config matchBlocks from ~/.ssh/config

Open ParetoOptimalDev opened this issue 3 years ago • 4 comments

Describe the bug

Flake input urls like this:

git+ssh://my-github-host-with-ssh-key/NixOS/nix.git?ref=0.5-release

This used to work as of 2021-09 (last year), but at some point I believe a change was made, maybe one that increased purity and made ~/.ssh/config get ignored?

In any case I now get:

ssh: Could not resolve hostname my-github-host-with-ssh-key: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
error: program 'git' failed with exit code 128
(use '--show-trace' to show detailed location information)

However that's not true if ~/.ssh/config is taken into account, proven by:

ssh -T my-github-host-with-ssh-key
Hi ParetoOptimalDev_WORK! You've successfully authenticated, but GitHub does not provide shell access.

The full ssh config I'm describing is:

Host my-github-host-with-ssh-key
  User git
  HostName github.com
  IdentityFile /run/agenix/work_ssh_private_key

Host *
  ForwardAgent no
  Compression no
  ServerAliveInterval 0
  ServerAliveCountMax 3
  HashKnownHosts no
  UserKnownHostsFile ~/.ssh/known_hosts
  ControlMaster no
  ControlPath ~/.ssh/master-%r@%n:%p
  ControlPersist no

Steps To Reproduce

Modify ssh.config to have:

Host my-github-host-with-ssh-key
  User git
  HostName github.com
  IdentityFile /path/to/your/private-key

Then add this as a flake input to some flake:

git+ssh://my-github-host-with-ssh-key/NixOS/nix.git?ref=0.5-release

and try nix build

Expected behavior

That flake input urls such as git+ssh://my-github-host-with-ssh-key/NixOS/nix.git?ref=0.5-release should respect ~/.ssh/config match blocks.

nix-env --version output

nix-env (Nix) 2.11.0

Additional Context

I originally thought this was an issue between different host architectures, which would have been quite extraordinary, but it was "working" on one machine because the flake input was cached. The new machine I tried it on didn't have it cached, and the coincidence that it was a different host architecture was just a red herring.

ParetoOptimalDev avatar Sep 18 '22 23:09 ParetoOptimalDev
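The resolution ssh(1) performs for the alias above can be reproduced offline. The following is an added example for this thread, not code from Nix or OpenSSH: it parses a ~/.ssh/config, applies the Host-block rules that matter here (glob patterns, "!" negation, first obtained value wins across blocks), reports whether the IdentityFile would be usable by the user running git, and rewrites the alias into an explicit git+ssh URL that does not depend on which user's ssh config is read. The sample config is the one from the report; the function and variable names, and the "Keyword value" (not "Keyword=value") line form, Match/Include being absent and the fixed set of status strings are assumptions of this example.

```python
"""Resolve a host alias the way ssh(1) reads ~/.ssh/config.

Added example for this thread; not Nix or OpenSSH code. Assumptions: only
Host blocks (no Match, Include or canonicalisation), "Keyword value" lines,
first-obtained-value-wins semantics as documented in ssh_config(5).
"""
import fnmatch
import os
import stat

# Sample input: the ~/.ssh/config posted in the bug report.
THREAD_CONFIG = """\
Host my-github-host-with-ssh-key
  User git
  HostName github.com
  IdentityFile /run/agenix/work_ssh_private_key

Host *
  ForwardAgent no
  Compression no
  ServerAliveInterval 0
  ServerAliveCountMax 3
  HashKnownHosts no
  UserKnownHostsFile ~/.ssh/known_hosts
  ControlMaster no
  ControlPath ~/.ssh/master-%r@%n:%p
  ControlPersist no
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks in
    file order. Keywords before the first Host line apply to every host."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)            # "Keyword value" form only
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)     # first value in a block wins
    blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Host semantics: a matching negated pattern vetoes the whole block;
    otherwise the block applies if any positive pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text, host):
    """Effective options for `host`: the first obtained value per keyword wins,
    so a catch-all "Host *" placed before an alias block shadows the alias."""
    resolved = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(patterns, host):
            for key, value in options.items():
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", host)
    return resolved


def explicit_flake_url(text, alias, repo_path, query=""):
    """Inline the alias's HostName/User/Port into a git+ssh flake URL so the
    fetch no longer depends on the fetching user's ~/.ssh/config."""
    r = resolve(text, alias)
    authority = r["hostname"]
    if r.get("user"):
        authority = f"{r['user']}@{authority}"
    if r.get("port", "22") != "22":
        authority = f"{authority}:{r['port']}"
    url = f"git+ssh://{authority}/{repo_path}"
    return f"{url}?{query}" if query else url


def identity_file_status(path):
    """What ssh would see for an IdentityFile from the current user's point of
    view: missing, unreadable, too permissive (ssh refuses keys readable by
    group/others), or ok. Status strings are this example's own convention."""
    path = os.path.expanduser(path)
    if not os.path.exists(path):
        return "missing"
    if not os.access(path, os.R_OK):
        return "unreadable"
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        return "too-permissive"
    return "ok"


if __name__ == "__main__":
    alias = "my-github-host-with-ssh-key"
    effective = resolve(THREAD_CONFIG, alias)
    for key in ("hostname", "user", "identityfile", "forwardagent"):
        print(f"{key:12} {effective.get(key)}")
    print("key:", identity_file_status(effective["identityfile"]))
    print("explicit URL:", explicit_flake_url(THREAD_CONFIG, alias,
                                              "NixOS/nix.git", "ref=0.5-release"))
```

Run it as the same user that performs the fetch (and, if the daemon does the fetching, as root against /root/.ssh/config) to see the values git would get. For the posted config it resolves to git@github.com with the agenix key, and the explicit URL it prints, git+ssh://git@github.com/NixOS/nix.git?ref=0.5-release, sidesteps the alias lookup entirely; the key still has to be findable by ssh, which is what the status check is for.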

This can be worked around by copying the ~/.ssh/config to /root/.ssh/config.

I suppose that means this was changed at some point to be done by the daemon since it worked for me at some point in the past?

ParetoOptimalDev avatar Sep 19 '22 00:09 ParetoOptimalDev

Just tried by adding

Host foo
  HostName github.com
  User git

to my ~/.ssh/config and creating a flake with git+ssh://foo/nixos/nixpkgs as input and it worked just fine.

In your example, the private ssh key is managed by agenix; could it be that your user doesn't have access to it? (That would be strange since you seem to be able to directly ssh with it, but maybe something else is at work.)

thufschmitt avatar Sep 19 '22 08:09 thufschmitt

Just double-checked and my agenix secret is owned by my user.

Weird you couldn't reproduce... actually, what nix version are you using, @thufschmitt?

ParetoOptimalDev avatar Sep 19 '22 13:09 ParetoOptimalDev

Mh… strange indeed then.

I've tried with both 2.9 and 2.11.0 and both work fine.

The exact setup I have is:

flake.nix:

{
  inputs.nixpkgs.url = "git+ssh://foo/nixos/nixpkgs";

  outputs = { self, nixpkgs }: {
    packages.x86_64-linux.default = nixpkgs.legacyPackages.x86_64-linux.hello;
  };
}

~/.ssh/config:

# A couple of unrelated host-specific stuff

Host foo
  HostName github.com
  User git

Host *
  ForwardAgent no
  Compression no
  ServerAliveInterval 0
  ServerAliveCountMax 3
  HashKnownHosts no
  UserKnownHostsFile ~/.ssh/known_hosts
  ControlMaster auto
  ControlPath ~/.ssh/master-%r@%n:%p
  ControlPersist no

Does this example work for you? Maybe there's something specific to your flake that confuses Nix? Or maybe it's specifically IdentityFile, although I don't see a reason why.

In any case, can you also try with -vvvvv? (Not that it gives a lot of info, but still.)

thufschmitt avatar Sep 19 '22 13:09 thufschmitt

I just used it to successfully access an enterprise on-premise GitLab server that's only available over SSH like this:

# flake.nix

{
  inputs.nixpkgs.url = "git+ssh://git@my-private-server/path/on/server/repo.git";

  ...
}
# ~/.ssh/config

Host my-private-server
  User myusername
  IdentityFile ~/.ssh/my-private-server-key-file

mtalexan avatar Dec 09 '22 01:12 mtalexan

I'm closing this because it's either:

  • fixed
  • user error
  • I don't remember enough about it and can't reproduce

ParetoOptimalDev avatar Dec 09 '22 02:12 ParetoOptimalDev