movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/sshd: Disable authorizedKeysInHomedir if stateVersion >= 24.11

Browse source 
Co-authored-by: Valentin Gagarin <valentin@gagarin.work>
This commit is contained in:
nicoo 2024-01-09 23:50:13 +00:00
parent c1c89b84e7
commit 1f08575e3a
3 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2411.section.md
View file

@ -390,6 +390,9 @@
* from `/var/log/private/gns3` to `/var/log/gns3` * from `/var/log/private/gns3` to `/var/log/gns3`
and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`). and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
`services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
- Legacy package `stalwart-mail_0_6` was dropped, please note the - Legacy package `stalwart-mail_0_6` was dropped, please note the
[manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md) [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
before changing the package to `pkgs.stalwart-mail` in before changing the package to `pkgs.stalwart-mail` in

3
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -302,7 +302,8 @@ in
authorizedKeysInHomedir = lib.mkOption { authorizedKeysInHomedir = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = lib.versionOlder config.system.stateVersion "24.11";
defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
description = '' description = ''
Enables the use of the `~/.ssh/authorized_keys` file. Enables the use of the `~/.ssh/authorized_keys` file.

11
nixos/tests/openssh.nix
View file

@ -14,7 +14,10 @@ in {
{ ... }: { ... }:
{ {
services.openssh.enable = true; services.openssh = {
enable = true;
authorizedKeysInHomedir = true;
};
security.pam.services.sshd.limits = security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
@ -39,7 +42,11 @@ in {
{ ... }: { ... }:
{ {
services.openssh = { enable = true; startWhenNeeded = true; }; services.openssh = {
enable = true;
startWhenNeeded = true;
authorizedKeysInHomedir = true;
};
security.pam.services.sshd.limits = security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [