movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-14 13:39:15 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/ssh: Make ~/.ssh/authorized_keys optional in AuthorizedKeysFiles (#279894)

Browse source
This commit is contained in:
nicoo 2024-05-06 01:11:03 +00:00 committed by GitHub
parent 853580ca64
commit db5f88c41a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
nixos/doc/manual/release-notes/rl-2405.section.md
View file

@ -533,6 +533,17 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list. - `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``; For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;
- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is
added to `authorizedKeysFiles`.
::: {.note}
This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour.
This is expected to change in NixOS 24.11.
:::
::: {.warning}
Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access
and administer the system, before setting this option to `false`.
:::
- [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option. - [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets. The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.

13
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -296,6 +296,17 @@ in
''; '';
}; };
authorizedKeysInHomedir = mkOption {
type = types.bool;
default = true;
description = ''
Enables the use of the `~/.ssh/authorized_keys` file.
Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
*i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
'';
};
authorizedKeysCommand = mkOption { authorizedKeysCommand = mkOption {
type = types.str; type = types.str;
default = "none"; default = "none";
@ -635,7 +646,7 @@ in
# https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/10155
# https://github.com/NixOS/nixpkgs/pull/41745 # https://github.com/NixOS/nixpkgs/pull/41745
services.openssh.authorizedKeysFiles = services.openssh.authorizedKeysFiles =
[ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];
services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";