This is an automated email from the git hooks/post-receive script.

guix_mirror_bot pushed a commit to branch master
in repository guix.

The following commit(s) were added to refs/heads/master by this push:
     new f86f25377a home: services: ssh: Add support for known_hosts2 file.
f86f25377a is described below

commit f86f25377a77e91a6c2734aa61d007559c8451f9
Author: Oleg Pykhalov <[email protected]>
AuthorDate: Sat Jan 31 18:35:02 2026 +0300

    home: services: ssh: Add support for known_hosts2 file.
    
    This commit adds a new 'known-hosts2' field to the OpenSSH home service
    configuration, enabling a hybrid approach to SSH host key management.
    
    * gnu/home/services/ssh.scm (<home-openssh-configuration>)[known-hosts2]: 
New field.
    (openssh-configuration-files): Generate ~/.ssh/known_hosts2 when specified.
    * doc/guix.texi (Secure Shell): Document new 'known-hosts2' field.
    
    Change-Id: I1d314706eaf6af9547833020abe857f4d8c44b86
---
 doc/guix.texi             | 15 ++++++++++++++-
 gnu/home/services/ssh.scm |  8 ++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0d57b516ba..aab2d8640c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -56,7 +56,7 @@ Copyright @copyright{} 2017 Andy Wingo@*
 Copyright @copyright{} 2017, 2018, 2019, 2020, 2023, 2024, 2025 Arun Isaac@*
 Copyright @copyright{} 2017 nee@*
 Copyright @copyright{} 2018 Rutger Helling@*
-Copyright @copyright{} 2018, 2021, 2023, 2025 Oleg Pykhalov@*
+Copyright @copyright{} 2018, 2021, 2023, 2025, 2026 Oleg Pykhalov@*
 Copyright @copyright{} 2018 Mike Gerwitz@*
 Copyright @copyright{} 2018 Pierre-Antoine Rouby@*
 Copyright @copyright{} 2018, 2019 Gábor Boskovits@*
@@ -51750,6 +51750,19 @@ stateless: it can be replicated elsewhere or at 
another point in time.
 Preparing this list can be relatively tedious though, which is why
 @code{*unspecified*} is kept as a default.
 
+@item @code{known-hosts2} (default: @code{*unspecified*})
+Either @code{*unspecified*} or a list of file-like objects containing
+known host keys.  When specified, these files will be concatenated and
+installed as @file{~/.ssh/known_hosts2}.  This allows for declaratively
+manage known hosts (stored in @file{known_hosts2}), while leaving the
+primary @file{known_hosts} file unmanaged by Guix.
+
+The SSH client by default reads both @code{known-hosts} and
+@code{known-hosts2} for host key verification.  If only
+@code{known-hosts2} is specified in Guix Home, @file{known_hosts}
+remains as a regular file that SSH can modify, while @file{known_hosts2}
+contains the declaratively managed host keys.
+
 @item @code{authorized-keys} (default: @code{#false})
 The default @code{#false} value means: Leave any
 @file{~/.ssh/authorized_keys} file alone.  Otherwise, this must be a
diff --git a/gnu/home/services/ssh.scm b/gnu/home/services/ssh.scm
index 295707d59f..3f9d3cd338 100644
--- a/gnu/home/services/ssh.scm
+++ b/gnu/home/services/ssh.scm
@@ -3,6 +3,7 @@
 ;;; Copyright © 2023 Janneke Nieuwenhuizen <[email protected]>
 ;;; Copyright © 2023 Nicolas Graves <[email protected]>
 ;;; Copyright © 2023 Efraim Flashner <[email protected]>
+;;; Copyright © 2026 Oleg Pykhalov <[email protected]>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -311,6 +312,8 @@ through before connecting to the server.")
                      (default #f))
   (known-hosts       home-openssh-configuration-known-hosts ;unspec | list of 
file-like
                      (default *unspecified*))
+  (known-hosts2      home-openssh-configuration-known-hosts2 ;unspec | list of 
file-like
+                     (default *unspecified*))
   (hosts             home-openssh-configuration-hosts   ;list of <openssh-host>
                      (default '()))
   (add-keys-to-agent home-openssh-configuration-add-keys-to-agent ;string with 
limited values
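Review bot: The new `known-hosts2` field carries only the type hint `;unspec | list of file-like`, yet its trust semantics are easy to misread: as the texinfo part of this commit itself notes, OpenSSH reads both `known_hosts` and `known_hosts2` by default, so the keys declared here are additive trust anchors, not a pin — a host whose key appears only in the still-writable `~/.ssh/known_hosts` is accepted just the same, and nothing in this service changes `StrictHostKeyChecking`. A reader who sets only `known-hosts2` expecting Guix to be the sole source of trusted host keys would be misled. Suggest a comment on the field along the lines of `;; Read alongside ~/.ssh/known_hosts; declares extra trusted keys, does not restrict what ssh accepts.`. The `<home-openssh-configuration>` record definition starts above this hunk and continues below it.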
@@ -376,6 +379,7 @@ inserted after each of them."
   (let* ((ssh-config (plain-file "ssh.conf"
                                  (openssh-configuration->string config)))
          (known-hosts (home-openssh-configuration-known-hosts config))
+         (known-hosts2 (home-openssh-configuration-known-hosts2 config))
          (authorized-keys (home-openssh-configuration-authorized-keys config))
          (authorized-keys (and
                            authorized-keys
@@ -387,6 +391,10 @@ inserted after each of them."
             '()
             `((".ssh/known_hosts"
                ,(file-join "known_hosts" known-hosts "\n"))))
+      ,@(if (unspecified? known-hosts2)
+            '()
+            `((".ssh/known_hosts2"
+               ,(file-join "known_hosts2" known-hosts2 "\n"))))
       (".ssh/config" ,ssh-config))))
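Review bot: The added `known_hosts2` branch is a verbatim copy of the `known_hosts` branch immediately above it, differing only in the two file-name strings, so the `.ssh/` prefix, the `unspecified?` guard and the `"\n"` delimiter passed to `file-join` are now maintained in two places. Extracting a small helper that takes the base name and the file list and returns either the empty list or the single home-files entry would keep the two files guaranteed to be generated identically and make any future third file a one-line addition. The `openssh-configuration-files` definition starts above this hunk; only the tail of its `let*` body is visible here.
```scheme
(define (known-hosts-file-entry name files)
  "Return the home-files entry that installs FILES, concatenated, as
~/.ssh/NAME, or the empty list when FILES is *unspecified*."
  (if (unspecified? files)
      '()
      `((,(string-append ".ssh/" name) ,(file-join name files "\n")))))

;; … unchanged: openssh-configuration-files up to the quasiquoted entry list …
      ,@(known-hosts-file-entry "known_hosts" known-hosts)
      ,@(known-hosts-file-entry "known_hosts2" known-hosts2)
      (".ssh/config" ,ssh-config))))
```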
 
 (define openssh-activation
