Revert "nixos/ssh: disable authorizedKeysInHomedir
by default"
This commit is contained in:
parent
feb995ade0
commit
099cde3a92
@ -397,9 +397,6 @@
|
||||
* from `/var/log/private/gns3` to `/var/log/gns3`
|
||||
and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
|
||||
|
||||
- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
|
||||
`services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
|
||||
|
||||
- Legacy package `stalwart-mail_0_6` was dropped, please note the
|
||||
[manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
|
||||
before changing the package to `pkgs.stalwart-mail` in
|
||||
|
@ -108,10 +108,6 @@ let
|
||||
|
||||
};
|
||||
|
||||
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
|
||||
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
|
||||
));
|
||||
|
||||
authKeysFiles = let
|
||||
mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
|
||||
mode = "0444";
|
||||
@ -120,6 +116,9 @@ let
|
||||
${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
|
||||
'';
|
||||
};
|
||||
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
|
||||
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
|
||||
));
|
||||
in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
|
||||
|
||||
authPrincipalsFiles = let
|
||||
@ -303,8 +302,7 @@ in
|
||||
|
||||
authorizedKeysInHomedir = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = lib.versionOlder config.system.stateVersion "24.11";
|
||||
defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
|
||||
default = true;
|
||||
description = ''
|
||||
Enables the use of the `~/.ssh/authorized_keys` file.
|
||||
|
||||
@ -546,17 +544,6 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
warnings = lib.optional (with cfg; lib.all lib.id [
|
||||
# ~/.ssh/authorized_keys is ignored and no custom file locations were set
|
||||
(authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
|
||||
# no command provides authorized keys
|
||||
(authorizedKeysCommand == "none")
|
||||
# no users have keys in declarative configuration
|
||||
(usersWithKeys == [])
|
||||
# no authentication methods other than public keys are configured
|
||||
((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
|
||||
]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
|
||||
|
||||
users.users.sshd =
|
||||
{
|
||||
isSystemUser = true;
|
||||
|
@ -14,10 +14,7 @@ in {
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
authorizedKeysInHomedir = true;
|
||||
};
|
||||
services.openssh.enable = true;
|
||||
security.pam.services.sshd.limits =
|
||||
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
@ -42,11 +39,7 @@ in {
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
startWhenNeeded = true;
|
||||
authorizedKeysInHomedir = true;
|
||||
};
|
||||
services.openssh = { enable = true; startWhenNeeded = true; };
|
||||
security.pam.services.sshd.limits =
|
||||
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
|
||||
users.users.root.openssh.authorizedKeys.keys = [
|
||||
|
Loading…
Reference in New Issue
Block a user