openssh: move Kerberos support into a dedicated package

The `openssh` and `openssh_hpn` packages are now built without
Kerberos support by default in an effort to reduce the attack surface.

Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env), so
dropping it should not impact too many users. It should also be noted that
Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.

The `openssh_gssapi` package is kept untouched.
Thomas Gerbet 2024-04-09 00:29:07 +02:00 committed by tomf
parent 282884daea
commit ef6fea2d86
4 changed files with 23 additions and 4 deletions


@ -16,6 +16,9 @@
- `nginx` package no longer includes `gd` and `geoip` dependencies. For enabling it, override `nginx` package with the optionals `withImageFilter` and `withGeoIP`.
- `openssh` and `openssh_hpn` are now compiled without Kerberos 5 / GSSAPI support in an effort to reduce the attack surface of the components for the majority of users. Users needing this support can
use the new `opensshWithKerberos` and `openssh_hpnWithKerberos` flavors (e.g. `programs.ssh.package = pkgs.openssh_gssapi`).
- `nvimpager` was updated to version 0.13.0, which changes the order of user and
nvimpager settings: user commands in `-c` and `--cmd` now override the
respective default settings because they are executed later.
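Review bot: the example in the new release-note entry contradicts the sentence it illustrates: the text tells users to switch to `opensshWithKerberos` / `openssh_hpnWithKerberos`, but the parenthetical shows `programs.ssh.package = pkgs.openssh_gssapi`, which is the separate GSSAPI-key-exchange variant the commit message says is untouched. Suggest `(e.g. `programs.ssh.package = pkgs.opensshWithKerberos`)` so readers migrating off the default do not pick up the patched variant by mistake.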


@ -715,6 +715,10 @@ in
assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
message = "cannot enable X11 forwarding without setting xauth location";}
{ assertion = (builtins.match "(.*\n)?(\t )*[Kk][Ee][Rr][Bb][Ee][Rr][Oo][Ss][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
message = "cannot enable Kerberos authentication without using a package with Kerberos support";}
{ assertion = (builtins.match "(.*\n)?(\t )*[Gg][Ss][Ss][Aa][Pp][Ii][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
message = "cannot enable GSSAPI authentication without using a package with Kerberos support";}
(let
duplicates =
# Filter out the groups with more than 1 element
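Review bot: the two new assertions have the right intent but the regexes and the passthru lookup need tightening. Inside a bracket expression `|` is literal, so `[ |\t|=|\"]+` also accepts a `|` between the keyword and `yes`, and `(\t )*` only matches repeated tab-space pairs rather than arbitrary leading whitespace, so an indented `    KerberosAuthentication yes` (which sshd accepts) slips past the check; `[ \t]*` for the leading whitespace and `[ \t=\"]+` for the separator express what was meant. Separately, `cfgc.package.withKerberos` aborts evaluation with a missing-attribute error whenever `programs.ssh.package` points at a derivation without this passthru (any OpenSSH build predating this commit, or an out-of-tree package); guarding it as `(cfgc.package.withKerberos or true)` keeps the assertion effective for nixpkgs builds without breaking those configurations.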


@ -22,7 +22,7 @@
, pam
, libredirect
, etcDir ? null
, withKerberos ? true
, withKerberos ? false
, withLdns ? true
, libkrb5
, libfido2
@ -177,9 +177,12 @@ stdenv.mkDerivation {
"sysconfdir=\${out}/etc/ssh"
];
passthru.tests = {
borgbackup-integration = nixosTests.borgbackup;
openssh = nixosTests.openssh;
passthru = {
inherit withKerberos;
tests = {
borgbackup-integration = nixosTests.borgbackup;
openssh = nixosTests.openssh;
};
};
meta = with lib; {


@ -11344,12 +11344,21 @@ with pkgs;
etcDir = "/etc/ssh";
};
opensshWithKerberos = openssh.override {
withKerberos = true;
};
openssh_hpn = opensshPackages.openssh_hpn.override {
etcDir = "/etc/ssh";
};
openssh_hpnWithKerberos = openssh_hpn.override {
withKerberos = true;
};
openssh_gssapi = opensshPackages.openssh_gssapi.override {
etcDir = "/etc/ssh";
withKerberos = true;
};
ssh-copy-id = callPackage ../tools/networking/openssh/copyid.nix { };
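Review bot: with the default flipped to `withKerberos = false`, `openssh_gssapi` now depends on the explicit `withKerberos = true;` added here to remain meaningful, and a downstream `openssh_gssapi.override { withKerberos = false; }` would silently produce a GSSAPI-patched build with no Kerberos library behind it. Suggest the `openssh_gssapi` derivation itself assert that `withKerberos` is true (or drop the parameter there) so that invariant is enforced at the package rather than relying on this call site; the `opensshWithKerberos` and `openssh_hpnWithKerberos` additions chain `override` on the already `etcDir`-overridden attributes, which correctly preserves `etcDir = "/etc/ssh"`.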