Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix

nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
Thomas Gerbet 2024-04-28 09:24:38 +02:00 committed by GitHub
commit deed6fb8f3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 7 deletions

@ -201,6 +201,20 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `himalaya` was updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
`authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
defaulting to `/etc/ssh/authorized_keys.d/%u`.
::: {.warning}
Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
are listed in [`sshAgentAuth.authorizedKeysFiles`]..
:::
::: {.note}
Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
:::
[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles
- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
- `programs.nix-ld.libraries` no longer sets `baseLibraries` via the option's default but in config and now merges any additional libraries with the default ones.
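
Review bot: The sentence inside the `{.warning}` block ends with a doubled period after the `sshAgentAuth.authorizedKeysFiles` link reference; drop one. The warning also says the pubkeys must be listed but not how to get there: since the entry states the default is now `/etc/ssh/authorized_keys.d/%u`, add a sentence telling users whose keys so far lived only in `~/.ssh/authorized_keys` to place them in a file at that path, or to set the option explicitly, before upgrading, because keys in unlisted files are no longer trusted.
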
@ -572,10 +586,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
option was added, to control which `authorized_keys` files are trusted. It defaults to the previous behaviour,
**which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
- [TODO: reword to place an attribute at the front] A new top-level package set, `pkgsExtraHardening` is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).
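
Review bot: The new option name `security.pam.sshAgentAuth.enable` no longer appears in the visible release-note text once the entry removed in this hunk is gone; the replacement entry in the first hunk only says the old option "was replaced by the `sshAgentAuth` attrset". Name `security.pam.sshAgentAuth.enable` in the new entry so that readers who currently set `security.pam.enableSSHAgentAuth` know what to rename it to.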

@ -1044,9 +1044,7 @@ in
See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)
:::
'';
example = [ "/etc/ssh/authorized_keys.d/%u" ];
default = config.services.openssh.authorizedKeysFiles;
defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";
default = [ "/etc/ssh/authorized_keys.d/%u" ];
};
};
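
Review bot: With the `example` line dropped together with the old `default` and `defaultText`, the option documentation shows no value other than the default `[ "/etc/ssh/authorized_keys.d/%u" ]`; consider keeping an `example` that lists more than one path not writable by the user. The admonition ending in "See issue #31611" is unchanged context here, so check that its wording still fits now that the default no longer follows `config.services.openssh.authorizedKeysFiles`. Since the release note calls trusting `~/.ssh/authorized_keys` insecure, an evaluation-time warning when a configured entry points into the user's home directory would catch configurations that reintroduce it.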