nixos/ssh: disable authorizedKeysInHomedir by default (#309025)

2024-11-26 08:53:21 +00:00 · 2024-10-20 16:19:25 +00:00 · 2024-10-20 16:19:25 +00:00 · 06929a6fb0
commit 06929a6fb0
parent d4ba567f88 6c62fbf539
3 changed files with 29 additions and 6 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -397,6 +397,9 @@
    * from `/var/log/private/gns3` to `/var/log/gns3`
  and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).

+- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
+  `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
+
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
  before changing the package to `pkgs.stalwart-mail` in
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -108,6 +108,10 @@ let

  };

+  usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
+    lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
+  ));
+
  authKeysFiles = let
    mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
      mode = "0444";
@ -116,9 +120,6 @@ let
        ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
      '';
    };
-    usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
-      lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
-    ));
  in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);

  authPrincipalsFiles = let
@ -302,7 +303,8 @@ in

      authorizedKeysInHomedir = lib.mkOption {
        type = lib.types.bool;
-        default = true;
+        default = lib.versionOlder config.system.stateVersion "24.11";
+        defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
        description = ''
          Enables the use of the `~/.ssh/authorized_keys` file.

@ -544,6 +546,17 @@ in

  config = lib.mkIf cfg.enable {

+    warnings = lib.optional (with cfg; lib.all lib.id [
+      # ~/.ssh/authorized_keys is ignored and no custom file locations were set
+      (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
+      # no command provides authorized keys
+      (authorizedKeysCommand == "none")
+      # no users have keys in declarative configuration
+      (usersWithKeys == [])
+      # no authentication methods other than public keys are configured
+      ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
+    ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
+
    users.users.sshd =
      {
        isSystemUser = true;
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -14,7 +14,10 @@ in {
      { ... }:

      {
-        services.openssh.enable = true;
+        services.openssh = {
+          enable = true;
+          authorizedKeysInHomedir = true;
+        };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [
@ -39,7 +42,11 @@ in {
      { ... }:

      {
-        services.openssh = { enable = true; startWhenNeeded = true; };
+        services.openssh = {
+          enable = true;
+          startWhenNeeded = true;
+          authorizedKeysInHomedir = true;
+        };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [