From 099cde3a92af0522f03f56d07ea77371f55e3633 Mon Sep 17 00:00:00 2001
From: K900
Date: Sun, 20 Oct 2024 21:32:29 +0300
Subject: [PATCH] Revert "nixos/ssh: disable `authorizedKeysInHomedir` by default"
---
 .../manual/release-notes/rl-2411.section.md | 3 ---
 .../modules/services/networking/ssh/sshd.nix | 21 ++++---------------
 nixos/tests/openssh.nix | 11 ++--------
 3 files changed, 6 insertions(+), 29 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 188fe429fda0..fb92e979484d 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -397,9 +396,6 @@
 * from `/var/log/private/gns3` to `/var/log/gns3` and to change the
 ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
-- The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
- `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
-
 - Legacy package `stalwart-mail_0_6` was dropped, please note the [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
 before changing the package to `pkgs.stalwart-mail` in
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index c90164b21ccb..26ca39f73d39 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -108,10 +106,6 @@ let
 };
- usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
- lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
- ));
-
 authKeysFiles = let
 mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
 mode = "0444";
@@ -120,6 +116,9 @@ let
 ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
 '';
 };
+ usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
+ lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
+ ));
 in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
 authPrincipalsFiles = let
@@ -303,8 +302,7 @@ in
 authorizedKeysInHomedir = lib.mkOption {
 type = lib.types.bool;
- default = lib.versionOlder config.system.stateVersion "24.11";
- defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
+ default = true;
 description = ''
 Enables the use of the `~/.ssh/authorized_keys` file.
@@ -546,17 +544,6 @@ in
 config = lib.mkIf cfg.enable {
- warnings = lib.optional (with cfg; lib.all lib.id [
- # ~/.ssh/authorized_keys is ignored and no custom file locations were set
- (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
- # no command provides authorized keys
- (authorizedKeysCommand == "none")
- # no users have keys in declarative configuration
- (usersWithKeys == [])
- # no authentication methods other than public keys are configured
- ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
- ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
-
 users.users.sshd = {
 isSystemUser = true;
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index b4aacd60c81b..d420c482ca7f 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -14,10 +14,7 @@ in {
 { ... }: {
- services.openssh = {
- enable = true;
- authorizedKeysInHomedir = true;
- };
+ services.openssh.enable = true;
 security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
 users.users.root.openssh.authorizedKeys.keys = [
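Review bot: With `default = true` restored in the `authorizedKeysInHomedir` hunk, the option description (it continues outside the hunk) should state what the default implies: sshd again lists `%h/.ssh/authorized_keys` in `AuthorizedKeysFile`, so a key placed in that file by the account owner, or by anyone who obtains write access to the home directory, grants login without ever appearing in `users.users.*.openssh.authorizedKeys`. Suggest appending to the description: `Defaults to true. Set this to false on hosts whose authorized keys are meant to be managed declaratively only; sshd then consults just the generated files under /etc/ssh/authorized_keys.d and any explicit authorizedKeysFiles.` Dropping `defaultText` is correct now that the default is a literal, but since the release note that announced the stateVersion-based default is removed in the same commit, a sentence in the description saying that the default is `true` regardless of `stateVersion` would stop readers of the earlier note from assuming the file is ignored on 24.11.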
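Review bot: Removing the `warnings` block in the `config` hunk also drops the only check for a lockout configuration that still exists after the revert: `authorizedKeysInHomedir = false` set explicitly, no keys in `users.users.*.openssh.authorizedKeys`, `authorizedKeysCommand == "none"`, and public-key-only authentication, which leaves no way to log in. Under the restored default the first condition presumably never matches, since `authorizedKeysFiles` would then include the home-directory path, so keeping the block would be silent for the common case and fire only where it is needed. If it is kept, note that the `@@ -120` hunk moves `usersWithKeys` into the `let` of `authKeysFiles`, so that binding would have to stay at the outer `let` (as in the `@@ -108` hunk) for the warning to reference it. The enclosing `config = lib.mkIf cfg.enable {` attribute set continues outside the hunk.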
@@ -42,11 +39,7 @@ in {
 { ... }: {
- services.openssh = {
- enable = true;
- startWhenNeeded = true;
- authorizedKeysInHomedir = true;
- };
+ services.openssh = { enable = true; startWhenNeeded = true; };
 security.pam.services.sshd.limits = [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
 users.users.root.openssh.authorizedKeys.keys = [