movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-11 20:25:32 +03:00
Code Issues Projects Releases Packages Wiki Activity

Revert "nixos/ssh: disable authorizedKeysInHomedir by default"

Browse source
This commit is contained in:
K900 2024-10-20 21:32:29 +03:00 committed by GitHub
parent feb995ade0
commit 099cde3a92
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 6 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

21
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -108,10 +108,6 @@ let
};
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
));
authKeysFiles = let
mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
mode = "0444";
@ -120,6 +116,9 @@ let
${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
'';
};
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
));
in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
authPrincipalsFiles = let
@ -303,8 +302,7 @@ in
authorizedKeysInHomedir = lib.mkOption {
type = lib.types.bool;
default = lib.versionOlder config.system.stateVersion "24.11";
defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
default = true;
description = ''
Enables the use of the `~/.ssh/authorized_keys` file.
@ -546,17 +544,6 @@ in
config = lib.mkIf cfg.enable {
warnings = lib.optional (with cfg; lib.all lib.id [
# ~/.ssh/authorized_keys is ignored and no custom file locations were set
(authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
# no command provides authorized keys
(authorizedKeysCommand == "none")
# no users have keys in declarative configuration
(usersWithKeys == [])
# no authentication methods other than public keys are configured
((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
users.users.sshd =
{
isSystemUser = true;