ssh: use symlinks for authorizedKeys options
#976
Conversation
As explained in the changelog and activation check, the previous implementation had a nasty security bug that made removing a user’s authorized keys effectively a no‐op.
This is a huge anti‐declarative footgun; `copy` files cannot distinguish if a previous version is managed by nix-darwin, so they can’t check the hash, so they’re prone to destroying data, and copied files are not deleted when they’re removed from the system configuration, which led to a security bug. Nothing else in‐tree was using this functionality, so let’s make sure it doesn’t cause any more bugs.
|
Incidentally it seems like our |
| imports = [ | ||
| (mkRemovedOptionModule [ "services" "openssh" "authorizedKeysFiles" ] "No `nix-darwin` equivalent to this NixOS option.") | ||
| ]; |
There was a problem hiding this comment.
I added this because SSH keys specified in ~/.ssh/authorized_keys stopped working (see #677), ideally it would be nice if this PR could maintain that, potentially by adding it to the AuthorizedKeysCommand
There was a problem hiding this comment.
I think that should work out of the box now, since we don’t override AuthorizedKeysFile:
The program should produce on standard output zero or more lines
of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)) . Au‐
thorizedKeysCommand is tried after the usual AuthorizedKeysFile
files and will not be executed if a matching key is found there.
By default, no AuthorizedKeysCommand is run.
|
Everything else in the PR LGTM Thanks for fixing this issue, I've known about it for a while but I never got around to fixing it as I was planning to add functionality that tracked which files were created by |
|
Yeah, I was talking with @Samasaur1 on Matrix and it seems like we might be able to implement a more robust |
|
My preference would be to write proper state management logic and write a program that writes to a manifest file (JSON probably) that tracks all the generated files by |
This is a security fix over a year in the making; I wish I had been able to get it out sooner. Anyone using
AuthorizedKeysCommandfor something else will need to ensure they set it in a later file than101-authorized-keys.conf, but hopefully anyone with that customized an SSH setup knows what they’re doing, and I’m not sure how we could better signal that; I doubt anyone reads the changelog but not merged PRs.This does mean that the Nix store failing to mount could lead to an SSH lock‐out; I’m not sure how we could handle that elegantly and it seems difficult to recover from without direct access anyway (what if your shell is in the Nix store anyway?). It’s possible we could do an ad‐hoc recreation of
copyhere that operates unconditionally on the entire directory, I guess.