Revert "nixos/ssh: disable authorizedKeysInHomedir by default"

2024-10-20 21:32:29 +03:00 · 2024-10-20 21:32:29 +03:00 · 099cde3a92
commit 099cde3a92
parent feb995ade0
3 changed files with 6 additions and 29 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -397,9 +397,6 @@
    * from `/var/log/private/gns3` to `/var/log/gns3`
  and to change the ownership of these directories and their contents to `gns3` (including `/etc/gns3`).
 - The `sshd` module now doesn't include `%h/.ssh/authorized_keys` as `AuthorizedKeysFile` unless
  `services.openssh.authorizedKeysInHomedir` is set to `true` (the default is `false` for `stateVersion` 24.11 onwards).
 - Legacy package `stalwart-mail_0_6` was dropped, please note the
  [manual upgrade process](https://github.com/stalwartlabs/mail-server/blob/main/UPGRADING.md)
  before changing the package to `pkgs.stalwart-mail` in
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -108,10 +108,6 @@ let
  };
  usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
    lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
  ));
  authKeysFiles = let
    mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
      mode = "0444";
@ -120,6 +116,9 @@ let
        ${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
      '';
    };
    usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
      lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
    ));
  in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
  authPrincipalsFiles = let
@ -303,8 +302,7 @@ in
      authorizedKeysInHomedir = lib.mkOption {
        type = lib.types.bool;
-        default = lib.versionOlder config.system.stateVersion "24.11";
+        default = true;
        defaultText = lib.literalMD "`false` unless [](#opt-system.stateVersion) is 24.05 or older";
        description = ''
          Enables the use of the `~/.ssh/authorized_keys` file.
@ -546,17 +544,6 @@ in
  config = lib.mkIf cfg.enable {
    warnings = lib.optional (with cfg; lib.all lib.id [
      # ~/.ssh/authorized_keys is ignored and no custom file locations were set
      (authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
      # no command provides authorized keys
      (authorizedKeysCommand == "none")
      # no users have keys in declarative configuration
      (usersWithKeys == [])
      # no authentication methods other than public keys are configured
      ((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
    ]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
    users.users.sshd =
      {
        isSystemUser = true;
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -14,10 +14,7 @@ in {
      { ... }:
      {
-        services.openssh = {
+        services.openssh.enable = true;
          enable = true;
          authorizedKeysInHomedir = true;
        };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [
@ -42,11 +39,7 @@ in {
      { ... }:
      {
-        services.openssh = {
+        services.openssh = { enable = true; startWhenNeeded = true; };
          enable = true;
          startWhenNeeded = true;
          authorizedKeysInHomedir = true;
        };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [