-
-
Notifications
You must be signed in to change notification settings - Fork 442
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh: use symlinks for authorizedKeys
options
#976
ssh: use symlinks for authorizedKeys
options
#976
Conversation
As explained in the changelog and activation check, the previous implementation had a nasty security bug that made removing a user’s authorized keys effectively a no‐op.
This is a huge anti‐declarative footgun; `copy` files cannot distinguish if a previous version is managed by nix-darwin, so they can’t check the hash, so they’re prone to destroying data, and copied files are not deleted when they’re removed from the system configuration, which led to a security bug. Nothing else in‐tree was using this functionality, so let’s make sure it doesn’t cause any more bugs.
Incidentally it seems like our |
imports = [ | ||
(mkRemovedOptionModule [ "services" "openssh" "authorizedKeysFiles" ] "No `nix-darwin` equivalent to this NixOS option.") | ||
]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added this because SSH keys specified in ~/.ssh/authorized_keys
stopped working (see #677), ideally it would be nice if this PR could maintain that, potentially by adding it to the AuthorizedKeysCommand
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that should work out of the box now, since we don’t override AuthorizedKeysFile
:
The program should produce on standard output zero or more lines
of authorized_keys output (see AUTHORIZED_KEYS in sshd(8)) . Au‐
thorizedKeysCommand is tried after the usual AuthorizedKeysFile
files and will not be executed if a matching key is found there.
By default, no AuthorizedKeysCommand is run.
Everything else in the PR LGTM Thanks for fixing this issue, I've known about it for a while but I never got around to fixing it as I was planning to add functionality that tracked which files were created by |
Yeah, I was talking with @Samasaur1 on Matrix and it seems like we might be able to implement a more robust |
My preference would be to write proper state management logic and write a program that writes to a manifest file (JSON probably) that tracks all the generated files by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Happy to merge this PR first and if any future consumers want to use .copy
they can readd it in their PR with better state management logic
This is a security fix over a year in the making; I wish I had been able to get it out sooner. Anyone using
AuthorizedKeysCommand
for something else will need to ensure they set it in a later file than101-authorized-keys.conf
, but hopefully anyone with that customized an SSH setup knows what they’re doing, and I’m not sure how we could better signal that; I doubt anyone reads the changelog but not merged PRs.This does mean that the Nix store failing to mount could lead to an SSH lock‐out; I’m not sure how we could handle that elegantly and it seems difficult to recover from without direct access anyway (what if your shell is in the Nix store anyway?). It’s possible we could do an ad‐hoc recreation of
copy
here that operates unconditionally on the entire directory, I guess.