From 6d985ef1744ba2d2c3eacf269af52bd3eaf58f93 Mon Sep 17 00:00:00 2001
From: Daniel Frank
Date: Fri, 14 Jan 2022 21:59:11 +0100
Subject: [PATCH 1/3] openssh: Rename option, old option is deprecated upstream
---
 nixos/modules/services/networking/ssh/sshd.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index f19624aba022..7bfc70050992 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -81,6 +81,7 @@ in
 imports = [
 (mkAliasOptionModule [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ])
 (mkAliasOptionModule [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ])
+ (mkRenamedOptionModule [ "services" "openssh" "challengeResponseAuthentication" ] [ "services" "openssh" "kbdInteractiveAuthentication" ])
 ];
 ###### interface
@@ -218,11 +219,11 @@ in
 '';
 };
- challengeResponseAuthentication = mkOption {
+ kbdInteractiveAuthentication = mkOption {
 type = types.bool;
 default = true;
 description = ''
- Specifies whether challenge/response authentication is allowed.
+ Specifies whether keyboard-interactive authentication is allowed.
 '';
 };
@@ -534,7 +535,7 @@ in
 PermitRootLogin ${cfg.permitRootLogin}
 GatewayPorts ${cfg.gatewayPorts}
 PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
- ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
+ KbdInteractiveAuthentication ${if cfg.kbdInteractiveAuthentication then "yes" else "no"}
 PrintMotd no # handled by pam_motd
From 11b2191b74c0a8b6bf30fc1136033321a2ea1b96 Mon Sep 17 00:00:00 2001
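Review bot: The description of `kbdInteractiveAuthentication` in the second hunk does not say how the option relates to `passwordAuthentication`, and the option keeps `default = true`. When sshd authenticates through PAM, keyboard-interactive authentication usually still prompts for the account password, so a host that only sets `passwordAuthentication = false` may continue to accept password logins; whether this module enables PAM is not visible in the hunk, but the tests updated in this series switch both options off together. I would extend the description with a sentence such as `Keyboard-interactive authentication is commonly backed by PAM password prompts; set this to false together with passwordAuthentication to allow key-only logins.` The option set and the generated sshd_config in the third hunk both continue outside the visible lines.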
From: Daniel Frank
Date: Sat, 15 Jan 2022 13:51:28 +0100
Subject: [PATCH 2/3] openssh: Update tests to use new option name
---
 nixos/tests/borgbackup.nix | 2 +-
 nixos/tests/btrbk.nix | 2 +-
 nixos/tests/google-oslogin/server.nix | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/nixos/tests/borgbackup.nix b/nixos/tests/borgbackup.nix
index cbb28689209b..d3cd6c66bfeb 100644
--- a/nixos/tests/borgbackup.nix
+++ b/nixos/tests/borgbackup.nix
@@ -106,7 +106,7 @@ in {
 services.openssh = {
 enable = true;
 passwordAuthentication = false;
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
 };
 services.borgbackup.repos.repo1 = {
diff --git a/nixos/tests/btrbk.nix b/nixos/tests/btrbk.nix
index 2689bb66c63a..9f34f7dfbe38 100644
--- a/nixos/tests/btrbk.nix
+++ b/nixos/tests/btrbk.nix
@@ -53,7 +53,7 @@ import ./make-test-python.nix ({ pkgs, ... }:
 services.openssh = {
 enable = true;
 passwordAuthentication = false;
- challengeResponseAuthentication = false;
+ kbdInteractiveAuthentication = false;
 };
 services.btrbk = {
 extraPackages = [ pkgs.lz4 ];
diff --git a/nixos/tests/google-oslogin/server.nix b/nixos/tests/google-oslogin/server.nix
index fdb7141da317..a0a3144ae69f 100644
--- a/nixos/tests/google-oslogin/server.nix
+++ b/nixos/tests/google-oslogin/server.nix
@@ -17,7 +17,7 @@ in {
 };
 services.openssh.enable = true;
- services.openssh.challengeResponseAuthentication = false;
+ services.openssh.kbdInteractiveAuthentication = false;
 services.openssh.passwordAuthentication = false;
 security.googleOsLogin.enable = true;
From d851c11a9f15058c906af79ba0982b2faafef654 Mon Sep 17 00:00:00 2001
From: Daniel Frank
Date: Sat, 15 Jan 2022 14:51:59 +0100
Subject: [PATCH 3/3] openssh: add release-notes entry for services.openssh.{challengeResponseAuthentication -> kbdInteractiveAuthentication}
---
 .../manual/from_md/release-notes/rl-2205.section.xml | 11 +++++++++++
 nixos/doc/manual/release-notes/rl-2205.section.md | 4 ++++
 2 files changed, 15 insertions(+)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 874d68043f47..75efc4e20492 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -564,6 +564,17 @@ + + + Renamed option + services.openssh.challengeResponseAuthentication + to + services.openssh.kbdInteractiveAuthentication. + Reason is that the old name has been deprecated upstream. + Using the old option name will still work, but produce a + warning. + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 66a06794cebd..f0cab80e58c0 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -189,3 +189,7 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `zrepl` package has been updated from 0.4.0 to 0.5:
 * The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
 * A bug involving encrypt-on-receive has been fixed. Read the [zrepl documentation](https://zrepl.github.io/configuration/sendrecvoptions.html#job-recv-options-placeholder) and check the output of `zfs get -r encryption,zrepl:placeholder PATH_TO_ROOTFS` on the receiver.
+
+- Renamed option `services.openssh.challengeResponseAuthentication` to `services.openssh.kbdInteractiveAuthentication`.
+ Reason is that the old name has been deprecated upstream.
+ Using the old option name will still work, but produce a warning.