commit cf10d7aef8ff9ca0e178e87981d9e4fd3018193c · pyrox.dev/nixpkgs

+1 -1

nixos/doc/manual/configuration/ssh.section.md

···

       8
        
       

     

       9
        
       By default, root logins using a password are disallowed. They can be

     

       10
        
       disabled entirely by setting

     

       11
       -
       [](#opt-services.openssh.permitRootLogin) to `"no"`.

     

       12
        
       

     

       13
        
       You can declaratively specify authorised RSA/DSA public keys for a user

     

       14
        
       as follows:

···

       8
        
       

     

       9
        
       By default, root logins using a password are disallowed. They can be

     

       10
        
       disabled entirely by setting

     

       11
       +
       [](#opt-services.openssh.settings.PermitRootLogin) to `"no"`.

     

       12
        
       

     

       13
        
       You can declaratively specify authorised RSA/DSA public keys for a user

     

       14
        
       as follows:

+1 -1

nixos/doc/manual/from_md/configuration/ssh.section.xml

···

       9
        
         <para>

     

       10
        
           By default, root logins using a password are disallowed. They can be

     

       11
        
           disabled entirely by setting

     

       12
       -
           <xref linkend="opt-services.openssh.permitRootLogin" /> to

     

       13
        
           <literal>&quot;no&quot;</literal>.

     

       14
        
         </para>

     

       15
        
         <para>

···

       9
        
         <para>

     

       10
        
           By default, root logins using a password are disallowed. They can be

     

       11
        
           disabled entirely by setting

     

       12
       +
           <xref linkend="opt-services.openssh.settings.PermitRootLogin" /> to

     

       13
        
           <literal>&quot;no&quot;</literal>.

     

       14
        
         </para>

     

       15
        
         <para>

+18

nixos/doc/manual/from_md/release-notes/rl-2305.section.xml

···

       326
        
             </listitem>

     

       327
        
             <listitem>

     

       328
        
               <para>

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       329
        
                 <literal>services.mastodon</literal> gained a tootctl wrapped

     

       330
        
                 named <literal>mastodon-tootctl</literal> similar to

     

       331
        
                 <literal>nextcloud-occ</literal> which can be executed from

···

       326
        
             </listitem>

     

       327
        
             <listitem>

     

       328
        
               <para>

     

       329
       +
                 A few openssh options have been moved from extraConfig to the

     

       330
       +
                 new freeform option <literal>settings</literal> and renamed as

     

       331
       +
                 follow:

     

       332
       +
                 <literal>services.openssh.kbdInteractiveAuthentication</literal>

     

       333
       +
                 to

     

       334
       +
                 <literal>services.openssh.settings.KbdInteractiveAuthentication</literal>,

     

       335
       +
                 <literal>services.openssh.passwordAuthentication</literal> to

     

       336
       +
                 <literal>services.openssh.settings.PasswordAuthentication</literal>,

     

       337
       +
                 <literal>services.openssh.useDns</literal> to

     

       338
       +
                 <literal>services.openssh.settings.UseDns</literal>,

     

       339
       +
                 <literal>services.openssh.permitRootLogin</literal> to

     

       340
       +
                 <literal>services.openssh.settings.PermitRootLogin</literal>,

     

       341
       +
                 <literal>services.openssh.logLevel</literal> to

     

       342
       +
                 <literal>services.openssh.settings.LogLevel</literal>.

     

       343
       +
               </para>

     

       344
       +
             </listitem>

     

       345
       +
             <listitem>

     

       346
       +
               <para>

     

       347
        
                 <literal>services.mastodon</literal> gained a tootctl wrapped

     

       348
        
                 named <literal>mastodon-tootctl</literal> similar to

     

       349
        
                 <literal>nextcloud-occ</literal> which can be executed from

+2

nixos/doc/manual/release-notes/rl-2305.section.md

···

       85
        
       

     

       86
        
       - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)

     

       87
        
       

     

       0
        
       
     

       0
        
       
     

       88
        
       - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

     

       89
        
       

     

       90
        
       - The `dnsmasq` service now takes configuration via the

···

       85
        
       

     

       86
        
       - The module `usbmuxd` now has the ability to change the package used by the daemon. In case you're experiencing issues with `usbmuxd` you can try an alternative program like `usbmuxd2`. Available as [services.usbmuxd.package](#opt-services.usbmuxd.package)

     

       87
        
       

     

       88
       +
       - A few openssh options have been moved from extraConfig to the new freeform option `settings` and renamed as follow: `services.openssh.kbdInteractiveAuthentication` to `services.openssh.settings.KbdInteractiveAuthentication`, `services.openssh.passwordAuthentication` to `services.openssh.settings.PasswordAuthentication`, `services.openssh.useDns` to `services.openssh.settings.UseDns`, `services.openssh.permitRootLogin` to `services.openssh.settings.PermitRootLogin`, `services.openssh.logLevel` to `services.openssh.settings.LogLevel`.

     

       89
       +
       

     

       90
        
       - `services.mastodon` gained a tootctl wrapped named `mastodon-tootctl` similar to `nextcloud-occ` which can be executed from any user and switches to the configured mastodon user with sudo and sources the environment variables.

     

       91
        
       

     

       92
        
       - The `dnsmasq` service now takes configuration via the

+1 -1

nixos/modules/profiles/installation-device.nix

···

       72
        
           # mounting the storage in a different system.

     

       73
        
           services.openssh = {

     

       74
        
             enable = true;

     

       75
       -
             permitRootLogin = "yes";

     

       76
        
           };

     

       77
        
       

     

       78
        
           # Enable wpa_supplicant, but don't start it by default.

···

       72
        
           # mounting the storage in a different system.

     

       73
        
           services.openssh = {

     

       74
        
             enable = true;

     

       75
       +
             settings.PermitRootLogin = "yes";

     

       76
        
           };

     

       77
        
       

     

       78
        
           # Enable wpa_supplicant, but don't start it by default.

+75 -53

nixos/modules/services/networking/ssh/sshd.nix

···

       12
        
           then cfgc.package

     

       13
        
           else pkgs.buildPackages.openssh;

     

       14
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       15
        
         sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''

     

       16
       -
           cat >$out <<EOL

     

       17
        
           ${cfg.extraConfig}

     

       18
        
           EOL

     

       19
        
       

     
···

       23
        
       

     

       24
        
         cfg  = config.services.openssh;

     

       25
        
         cfgc = config.programs.ssh;

     

       0
        
       
     

       26
        
       

     

       27
        
         nssModulesPath = config.system.nssModules.path;

     

       28
        
       

     
···

       82
        
           (mkAliasOptionModuleMD [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ])

     

       83
        
           (mkAliasOptionModuleMD [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ])

     

       84
        
           (mkRenamedOptionModule [ "services" "openssh" "challengeResponseAuthentication" ] [ "services" "openssh" "kbdInteractiveAuthentication" ])

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       85
        
         ];

     

       86
        
       

     

       87
        
         ###### interface

     
···

       142
        
               example = [ "-f AUTHPRIV" "-l INFO" ];

     

       143
        
               description = lib.mdDoc ''

     

       144
        
                 Commandline flags to add to sftp-server.

     

       145
       -
               '';

     

       146
       -
             };

     

       147
       -
       

     

       148
       -
             permitRootLogin = mkOption {

     

       149
       -
               default = "prohibit-password";

     

       150
       -
               type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];

     

       151
       -
               description = lib.mdDoc ''

     

       152
       -
                 Whether the root user can login using ssh.

     

       153
        
               '';

     

       154
        
             };

     

       155
        
       

     
···

       210
        
               '';

     

       211
        
             };

     

       212
        
       

     

       213
       -
             passwordAuthentication = mkOption {

     

       214
       -
               type = types.bool;

     

       215
       -
               default = true;

     

       216
       -
               description = lib.mdDoc ''

     

       217
       -
                 Specifies whether password authentication is allowed.

     

       218
       -
               '';

     

       219
       -
             };

     

       220
       -
       

     

       221
       -
             kbdInteractiveAuthentication = mkOption {

     

       222
       -
               type = types.bool;

     

       223
       -
               default = true;

     

       224
       -
               description = lib.mdDoc ''

     

       225
       -
                 Specifies whether keyboard-interactive authentication is allowed.

     

       226
       -
               '';

     

       227
       -
             };

     

       228
       -
       

     

       229
        
             hostKeys = mkOption {

     

       230
        
               type = types.listOf types.attrs;

     

       231
        
               default =

     
···

       346
        
               '';

     

       347
        
             };

     

       348
        
       

     

       349
       -
             logLevel = mkOption {

     

       350
       -
               type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];

     

       351
       -
               default = "INFO"; # upstream default

     

       352
       -
               description = lib.mdDoc ''

     

       353
       -
                 Gives the verbosity level that is used when logging messages from sshd(8). The possible values are:

     

       354
       -
                 QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1

     

       355
       -
                 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging output. Logging with a DEBUG level

     

       356
       -
                 violates the privacy of users and is not recommended.

     

       357
       -
               '';

     

       358
       -
             };

     

       359
        
       

     

       360
       -
             useDns = mkOption {

     

       361
       -
               type = types.bool;

     

       362
       -
               default = false;

     

       363
       -
               description = lib.mdDoc ''

     

       364
       -
                 Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for

     

       365
       -
                 the remote IP address maps back to the very same IP address.

     

       366
       -
                 If this option is set to no (the default) then only addresses and not host names may be used in

     

       367
       -
                 ~/.ssh/authorized_keys from and sshd_config Match Host directives.

     

       368
       -
               '';

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       369
        
             };

     

       370
        
       

     

       371
        
             extraConfig = mkOption {

     
···

       496
        
           security.pam.services.sshd =

     

       497
        
             { startSession = true;

     

       498
        
               showMotd = true;

     

       499
       -
               unixAuth = cfg.passwordAuthentication;

     

       500
        
             };

     

       501
        
       

     

       502
        
           # These values are merged with the ones defined externally, see:

     
···

       530
        
                 Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}

     

       531
        
               ''}

     

       532
        
       

     

       533
       -
               PermitRootLogin ${cfg.permitRootLogin}

     

       534
        
               GatewayPorts ${cfg.gatewayPorts}

     

       535
       -
               PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}

     

       536
       -
               KbdInteractiveAuthentication ${if cfg.kbdInteractiveAuthentication then "yes" else "no"}

     

       537
        
       

     

       538
        
               PrintMotd no # handled by pam_motd

     

       539
        
       

     
···

       550
        
               KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}

     

       551
        
               Ciphers ${concatStringsSep "," cfg.ciphers}

     

       552
        
               MACs ${concatStringsSep "," cfg.macs}

     

       553
       -
       

     

       554
       -
               LogLevel ${cfg.logLevel}

     

       555
       -
       

     

       556
       -
               UseDNS ${if cfg.useDns then "yes" else "no"}

     

       557
       -
       

     

       558
        
             '';

     

       559
        
       

     

       560
        
           assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

···

       12
        
           then cfgc.package

     

       13
        
           else pkgs.buildPackages.openssh;

     

       14
        
       

     

       15
       +
         # reports boolean as yes / no

     

       16
       +
         mkValueStringSshd = v:

     

       17
       +
               if isInt           v then toString v

     

       18
       +
               else if isString   v then v

     

       19
       +
               else if true  ==   v then "yes"

     

       20
       +
               else if false ==   v then "no"

     

       21
       +
               else throw "unsupported type ${typeOf v}: ${(lib.generators.toPretty {}) v}";

     

       22
       +
       

     

       23
       +
         # dont use the "=" operator

     

       24
       +
         settingsFormat = (pkgs.formats.keyValue {

     

       25
       +
             mkKeyValue = lib.generators.mkKeyValueDefault {

     

       26
       +
             mkValueString = mkValueStringSshd;

     

       27
       +
           } " ";});

     

       28
       +
       

     

       29
       +
         configFile = settingsFormat.generate "config" cfg.settings;

     

       30
        
         sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''

     

       31
       +
           cat ${configFile} - >$out <<EOL

     

       32
        
           ${cfg.extraConfig}

     

       33
        
           EOL

     

       34
        
       

     
···

       38
        
       

     

       39
        
         cfg  = config.services.openssh;

     

       40
        
         cfgc = config.programs.ssh;

     

       41
       +
       

     

       42
        
       

     

       43
        
         nssModulesPath = config.system.nssModules.path;

     

       44
        
       

     
···

       98
        
           (mkAliasOptionModuleMD [ "services" "sshd" "enable" ] [ "services" "openssh" "enable" ])

     

       99
        
           (mkAliasOptionModuleMD [ "services" "openssh" "knownHosts" ] [ "programs" "ssh" "knownHosts" ])

     

       100
        
           (mkRenamedOptionModule [ "services" "openssh" "challengeResponseAuthentication" ] [ "services" "openssh" "kbdInteractiveAuthentication" ])

     

       101
       +
       

     

       102
       +
           (mkRenamedOptionModule [ "services" "openssh" "kbdInteractiveAuthentication" ] [  "services" "openssh" "settings" "KbdInteractiveAuthentication" ])

     

       103
       +
           (mkRenamedOptionModule [ "services" "openssh" "passwordAuthentication" ] [  "services" "openssh" "settings" "PasswordAuthentication" ])

     

       104
       +
           (mkRenamedOptionModule [ "services" "openssh" "useDns" ] [  "services" "openssh" "settings" "UseDns" ])

     

       105
       +
           (mkRenamedOptionModule [ "services" "openssh" "permitRootLogin" ] [  "services" "openssh" "settings" "PermitRootLogin" ])

     

       106
       +
           (mkRenamedOptionModule [ "services" "openssh" "logLevel" ] [  "services" "openssh" "settings" "LogLevel" ])

     

       107
        
         ];

     

       108
        
       

     

       109
        
         ###### interface

     
···

       164
        
               example = [ "-f AUTHPRIV" "-l INFO" ];

     

       165
        
               description = lib.mdDoc ''

     

       166
        
                 Commandline flags to add to sftp-server.

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       167
        
               '';

     

       168
        
             };

     

       169
        
       

     
···

       224
        
               '';

     

       225
        
             };

     

       226
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       227
        
             hostKeys = mkOption {

     

       228
        
               type = types.listOf types.attrs;

     

       229
        
               default =

     
···

       344
        
               '';

     

       345
        
             };

     

       346
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       347
        
       

     

       348
       +
             settings = mkOption {

     

       349
       +
               description = lib.mdDoc "Verbatim contents of {file}`sshd_config`.";

     

       350
       +
               example = literalExpression ''{

     

       351
       +
                 UseDns true;

     

       352
       +
               }'';

     

       353
       +
               type = types.submodule ({name, ...}: {

     

       354
       +
                 freeformType = settingsFormat.type;

     

       355
       +
                 options = {

     

       356
       +
                   LogLevel = mkOption {

     

       357
       +
                     type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];

     

       358
       +
                     default = "INFO"; # upstream default

     

       359
       +
                     description = lib.mdDoc ''

     

       360
       +
                       Gives the verbosity level that is used when logging messages from sshd(8). Logging with a DEBUG level

     

       361
       +
                       violates the privacy of users and is not recommended.

     

       362
       +
                     '';

     

       363
       +
                   };

     

       364
       +
                   UseDns = mkOption {

     

       365
       +
                     type = types.bool;

     

       366
       +
                     # apply if cfg.useDns then "yes" else "no"

     

       367
       +
                     default = false;

     

       368
       +
                     description = lib.mdDoc ''

     

       369
       +
                       Specifies whether sshd(8) should look up the remote host name, and to check that the resolved host name for

     

       370
       +
                       the remote IP address maps back to the very same IP address.

     

       371
       +
                       If this option is set to no (the default) then only addresses and not host names may be used in

     

       372
       +
                       ~/.ssh/authorized_keys from and sshd_config Match Host directives.

     

       373
       +
                     '';

     

       374
       +
                   };

     

       375
       +
       

     

       376
       +
                   PasswordAuthentication = mkOption {

     

       377
       +
                     type = types.bool;

     

       378
       +
                     default = true;

     

       379
       +
                     description = lib.mdDoc ''

     

       380
       +
                       Specifies whether password authentication is allowed.

     

       381
       +
                     '';

     

       382
       +
                   };

     

       383
       +
                   PermitRootLogin = mkOption {

     

       384
       +
                     default = "prohibit-password";

     

       385
       +
                     type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];

     

       386
       +
                     description = lib.mdDoc ''

     

       387
       +
                       Whether the root user can login using ssh.

     

       388
       +
                     '';

     

       389
       +
                   };

     

       390
       +
                   KbdInteractiveAuthentication = mkOption {

     

       391
       +
                     type = types.bool;

     

       392
       +
                     default = true;

     

       393
       +
                     description = lib.mdDoc ''

     

       394
       +
                       Specifies whether keyboard-interactive authentication is allowed.

     

       395
       +
                     '';

     

       396
       +
                   };

     

       397
       +
                 };

     

       398
       +
               });

     

       399
        
             };

     

       400
        
       

     

       401
        
             extraConfig = mkOption {

     
···

       526
        
           security.pam.services.sshd =

     

       527
        
             { startSession = true;

     

       528
        
               showMotd = true;

     

       529
       +
               unixAuth = cfg.settings.PasswordAuthentication;

     

       530
        
             };

     

       531
        
       

     

       532
        
           # These values are merged with the ones defined externally, see:

     
···

       560
        
                 Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}

     

       561
        
               ''}

     

       562
        
       

     

       0
        
       
     

       563
        
               GatewayPorts ${cfg.gatewayPorts}

     

       0
        
       
     

       0
        
       
     

       564
        
       

     

       565
        
               PrintMotd no # handled by pam_motd

     

       566
        
       

     
···

       577
        
               KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}

     

       578
        
               Ciphers ${concatStringsSep "," cfg.ciphers}

     

       579
        
               MACs ${concatStringsSep "," cfg.macs}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       580
        
             '';

     

       581
        
       

     

       582
        
           assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

+1 -1

nixos/modules/services/security/fail2ban.nix

···

       339
        
           # Block SSH if there are too many failing connection attempts.

     

       340
        
           # Benefits from verbose sshd logging to observe failed login attempts,

     

       341
        
           # so we set that here unless the user overrode it.

     

       342
       -
           services.openssh.logLevel = lib.mkDefault "VERBOSE";

     

       343
        
           services.fail2ban.jails.sshd = mkDefault ''

     

       344
        
             enabled = true

     

       345
        
             port    = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}

···

       339
        
           # Block SSH if there are too many failing connection attempts.

     

       340
        
           # Benefits from verbose sshd logging to observe failed login attempts,

     

       341
        
           # so we set that here unless the user overrode it.

     

       342
       +
           services.openssh.settings.LogLevel = lib.mkDefault "VERBOSE";

     

       343
        
           services.fail2ban.jails.sshd = mkDefault ''

     

       344
        
             enabled = true

     

       345
        
             port    = ${concatMapStringsSep "," (p: toString p) config.services.openssh.ports}

+1 -1

nixos/modules/virtualisation/amazon-image.nix

···

       85
        
           # Allow root logins only using the SSH key that the user specified

     

       86
        
           # at instance creation time.

     

       87
        
           services.openssh.enable = true;

     

       88
       -
           services.openssh.permitRootLogin = "prohibit-password";

     

       89
        
       

     

       90
        
           # Enable the serial console on ttyS0

     

       91
        
           systemd.services."serial-getty@ttyS0".enable = true;

···

       85
        
           # Allow root logins only using the SSH key that the user specified

     

       86
        
           # at instance creation time.

     

       87
        
           services.openssh.enable = true;

     

       88
       +
           services.openssh.settings.PermitRootLogin = "prohibit-password";

     

       89
        
       

     

       90
        
           # Enable the serial console on ttyS0

     

       91
        
           systemd.services."serial-getty@ttyS0".enable = true;

+2 -4

nixos/modules/virtualisation/azure-common.nix

···

       30
        
         # Allow root logins only using the SSH key that the user specified

     

       31
        
         # at instance creation time, ping client connections to avoid timeouts

     

       32
        
         services.openssh.enable = true;

     

       33
       -
         services.openssh.permitRootLogin = "prohibit-password";

     

       34
       -
         services.openssh.extraConfig = ''

     

       35
       -
           ClientAliveInterval 180

     

       36
       -
         '';

     

       37
        
       

     

       38
        
         # Force getting the hostname from Azure

     

       39
        
         networking.hostName = mkDefault "";

···

       30
        
         # Allow root logins only using the SSH key that the user specified

     

       31
        
         # at instance creation time, ping client connections to avoid timeouts

     

       32
        
         services.openssh.enable = true;

     

       33
       +
         services.openssh.settings.PermitRootLogin = "prohibit-password";

     

       34
       +
         services.openssh.settings.ClientAliveInterval = 180;

     

       0
        
       
     

       0
        
       
     

       35
        
       

     

       36
        
         # Force getting the hostname from Azure

     

       37
        
         networking.hostName = mkDefault "";

+1 -1

nixos/modules/virtualisation/brightbox-image.nix

···

       103
        
         # Allow root logins only using the SSH key that the user specified

     

       104
        
         # at instance creation time.

     

       105
        
         services.openssh.enable = true;

     

       106
       -
         services.openssh.permitRootLogin = "prohibit-password";

     

       107
        
       

     

       108
        
         # Force getting the hostname from Google Compute.

     

       109
        
         networking.hostName = mkDefault "";

···

       103
        
         # Allow root logins only using the SSH key that the user specified

     

       104
        
         # at instance creation time.

     

       105
        
         services.openssh.enable = true;

     

       106
       +
         services.openssh.settings.PermitRootLogin = "prohibit-password";

     

       107
        
       

     

       108
        
         # Force getting the hostname from Google Compute.

     

       109
        
         networking.hostName = mkDefault "";

+1 -1

nixos/modules/virtualisation/cloudstack-config.nix

···

       21
        
           # Allow root logins

     

       22
        
           services.openssh = {

     

       23
        
             enable = true;

     

       24
       -
             permitRootLogin = "prohibit-password";

     

       25
        
           };

     

       26
        
       

     

       27
        
           # Cloud-init configuration.

···

       21
        
           # Allow root logins

     

       22
        
           services.openssh = {

     

       23
        
             enable = true;

     

       24
       +
             settings.PermitRootLogin = "prohibit-password";

     

       25
        
           };

     

       26
        
       

     

       27
        
           # Cloud-init configuration.

+1 -1

nixos/modules/virtualisation/digital-ocean-config.nix

···

       49
        
             };

     

       50
        
             services.openssh = {

     

       51
        
               enable = mkDefault true;

     

       52
       -
               passwordAuthentication = mkDefault false;

     

       53
        
             };

     

       54
        
             services.do-agent.enable = mkDefault true;

     

       55
        
             networking = {

···

       49
        
             };

     

       50
        
             services.openssh = {

     

       51
        
               enable = mkDefault true;

     

       52
       +
               settings.PasswordAuthentication = mkDefault false;

     

       53
        
             };

     

       54
        
             services.do-agent.enable = mkDefault true;

     

       55
        
             networking = {

+2 -2

nixos/modules/virtualisation/google-compute-config.nix

···

       29
        
         # Allow root logins only using SSH keys

     

       30
        
         # and disable password authentication in general

     

       31
        
         services.openssh.enable = true;

     

       32
       -
         services.openssh.permitRootLogin = "prohibit-password";

     

       33
       -
         services.openssh.passwordAuthentication = mkDefault false;

     

       34
        
       

     

       35
        
         # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on

     

       36
        
         # instance or project level

···

       29
        
         # Allow root logins only using SSH keys

     

       30
        
         # and disable password authentication in general

     

       31
        
         services.openssh.enable = true;

     

       32
       +
         services.openssh.settings.PermitRootLogin = "prohibit-password";

     

       33
       +
         services.openssh.settings.PasswordAuthentication = mkDefault false;

     

       34
        
       

     

       35
        
         # enable OS Login. This also requires setting enable-oslogin=TRUE metadata on

     

       36
        
         # instance or project level

+2 -2

nixos/modules/virtualisation/openstack-config.nix

···

       59
        
           # Allow root logins

     

       60
        
           services.openssh = {

     

       61
        
             enable = true;

     

       62
       -
             permitRootLogin = "prohibit-password";

     

       63
       -
             passwordAuthentication = mkDefault false;

     

       64
        
           };

     

       65
        
       

     

       66
        
           users.users.root.initialPassword = "foobar";

···

       59
        
           # Allow root logins

     

       60
        
           services.openssh = {

     

       61
        
             enable = true;

     

       62
       +
             settings.PermitRootLogin = "prohibit-password";

     

       63
       +
             settings.PasswordAuthentication = mkDefault false;

     

       64
        
           };

     

       65
        
       

     

       66
        
           users.users.root.initialPassword = "foobar";

+4 -2

nixos/tests/borgbackup.nix

···

       117
        
           server = { ... }: {

     

       118
        
             services.openssh = {

     

       119
        
               enable = true;

     

       120
       -
               passwordAuthentication = false;

     

       121
       -
               kbdInteractiveAuthentication = false;

     

       0
        
       
     

       0
        
       
     

       122
        
             };

     

       123
        
       

     

       124
        
             services.borgbackup.repos.repo1 = {

···

       117
        
           server = { ... }: {

     

       118
        
             services.openssh = {

     

       119
        
               enable = true;

     

       120
       +
               settings = {

     

       121
       +
                 PasswordAuthentication = false;

     

       122
       +
                 KbdInteractiveAuthentication = false;

     

       123
       +
               };

     

       124
        
             };

     

       125
        
       

     

       126
        
             services.borgbackup.repos.repo1 = {

+4 -2

nixos/tests/btrbk.nix

···

       52
        
               environment.systemPackages = with pkgs; [ btrfs-progs ];

     

       53
        
               services.openssh = {

     

       54
        
                 enable = true;

     

       55
       -
                 passwordAuthentication = false;

     

       56
       -
                 kbdInteractiveAuthentication = false;

     

       0
        
       
     

       0
        
       
     

       57
        
               };

     

       58
        
               services.btrbk = {

     

       59
        
                 extraPackages = [ pkgs.lz4 ];

···

       52
        
               environment.systemPackages = with pkgs; [ btrfs-progs ];

     

       53
        
               services.openssh = {

     

       54
        
                 enable = true;

     

       55
       +
                 settings = {

     

       56
       +
                   KbdInteractiveAuthentication = false;

     

       57
       +
                   PasswordAuthentication = false;

     

       58
       +
                 };

     

       59
        
               };

     

       60
        
               services.btrbk = {

     

       61
        
                 extraPackages = [ pkgs.lz4 ];

+2 -2

nixos/tests/google-oslogin/server.nix

···

       17
        
         };

     

       18
        
       

     

       19
        
         services.openssh.enable = true;

     

       20
       -
         services.openssh.kbdInteractiveAuthentication = false;

     

       21
       -
         services.openssh.passwordAuthentication = false;

     

       22
        
       

     

       23
        
         security.googleOsLogin.enable = true;

     

       24

···

       17
        
         };

     

       18
        
       

     

       19
        
         services.openssh.enable = true;

     

       20
       +
         services.openssh.settings.KbdInteractiveAuthentication = false;

     

       21
       +
         services.openssh.settings.PasswordAuthentication = false;

     

       22
        
       

     

       23
        
         security.googleOsLogin.enable = true;

     

       24

+4 -2

nixos/tests/sourcehut.nix

···

       18
        
                 # passwordless ssh server

     

       19
        
                 services.openssh = {

     

       20
        
                   enable = true;

     

       21
       -
                   permitRootLogin = "yes";

     

       22
       -
                   extraConfig = "PermitEmptyPasswords yes";

     

       0
        
       
     

       0
        
       
     

       23
        
                 };

     

       24
        
       

     

       25
        
                 users = {

···

       18
        
                 # passwordless ssh server

     

       19
        
                 services.openssh = {

     

       20
        
                   enable = true;

     

       21
       +
                   settings = {

     

       22
       +
                     PermitRootLogin = "yes";

     

       23
       +
                     PermitEmptyPasswords = true;

     

       24
       +
                   };

     

       25
        
                 };

     

       26
        
       

     

       27
        
                 users = {

+1 -1

nixos/tests/turbovnc-headless-server.nix

···

       26
        
           # So that we can ssh into the VM, see e.g.

     

       27
        
           # http://blog.patapon.info/nixos-local-vm/#accessing-the-vm-with-ssh

     

       28
        
           services.openssh.enable = true;

     

       29
       -
           services.openssh.permitRootLogin = "yes";

     

       30
        
           users.extraUsers.root.password = "";

     

       31
        
           users.mutableUsers = false;

     

       32
        
         };

···

       26
        
           # So that we can ssh into the VM, see e.g.

     

       27
        
           # http://blog.patapon.info/nixos-local-vm/#accessing-the-vm-with-ssh

     

       28
        
           services.openssh.enable = true;

     

       29
       +
           services.openssh.settings.PermitRootLogin = "yes";

     

       30
        
           users.extraUsers.root.password = "";

     

       31
        
           users.mutableUsers = false;

     

       32
        
         };