pyrox.dev / nixpkgs
lol
fork atom

nixos/pam: Warn on insecure `sshAgentAuth` configurations

nicoo 9ed1423d 822c0a86

options
unified split
Changed files
+15 -1
nixos
modules
security
pam.nix
tests
ssh-agent-auth.nix
+10
nixos/modules/security/pam.nix 
···

       
1477

       
1477

       
 

       
      }


     

       
1478

       
1478

       
 

       
    ];


     

       
1479

       
1479

       
 

       



     

       

       
1480

       
+

       
    warnings = optional


     

       

       
1481

       
+

       
      (with lib; with config.security.pam.sshAgentAuth;


     

       

       
1482

       
+

       
        enable && any (s: hasPrefix "%h" s || hasPrefix "~" s) authorizedKeysFiles)


     

       

       
1483

       
+

       
      ''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.


     

       

       
1484

       
+

       



     

       

       
1485

       
+

       
        Specifying user-writeable files there result in an insecure configuration:


     

       

       
1486

       
+

       
        a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.


     

       

       
1487

       
+

       
        See https://github.com/NixOS/nixpkgs/issues/31611


     

       

       
1488

       
+

       
      '';


     

       

       
1489

       
+

       



     

       
1480

       
1490

       
 

       
    environment.systemPackages =


     

       
1481

       
1491

       
 

       
      # Include the PAM modules in the system path mostly for the manpages.


     

       
1482

       
1492

       
 

       
      [ pkgs.pam ]
+5 -1
nixos/tests/ssh-agent-auth.nix 
···

       
15

       
15

       
 

       
        foo.isNormalUser = true;


     

       
16

       
16

       
 

       
      };


     

       
17

       
17

       
 

       



     

       
18

       

       
-

       
      security.pam.sshAgentAuth.enable = true;


     

       

       
18

       
+

       
      security.pam.sshAgentAuth = {


     

       

       
19

       
+

       
        # Must be specified, as nixpkgs CI expects everything to eval without warning


     

       

       
20

       
+

       
        authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];


     

       

       
21

       
+

       
        enable = true;


     

       

       
22

       
+

       
      };


     

       
19

       
23

       
 

       
      security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {


     

       
20

       
24

       
 

       
        enable = true;


     

       
21

       
25

       
 

       
        wheelNeedsPassword = true;  # We are checking `pam_ssh_agent_auth(8)` works for a sudoer