pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611-fix

nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`

Thomas Gerbet deed6fb8 f9a24ef3

options
unified split
Changed files
+15 -7
nixos
doc
manual
release-notes
rl-2405.section.md
modules
security
pam.nix
+14 -4
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
201

       
201

       
 

       



     

       
202

       
202

       
 

       
- `himalaya` was updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.


     

       
203

       
203

       
 

       



     

       

       
204

       
+

       
- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**


     

       

       
205

       
+

       
  `authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,


     

       

       
206

       
+

       
  defaulting to `/etc/ssh/authorized_keys.d/%u`.


     

       

       
207

       
+

       
  ::: {.warning}


     

       

       
208

       
+

       
  Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)


     

       

       
209

       
+

       
  are listed in [`sshAgentAuth.authorizedKeysFiles`]..


     

       

       
210

       
+

       
  :::


     

       

       
211

       
+

       
  ::: {.note}


     

       

       
212

       
+

       
  Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,


     

       

       
213

       
+

       
  which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).


     

       

       
214

       
+

       
  :::


     

       

       
215

       
+

       



     

       

       
216

       
+

       
[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles


     

       

       
217

       
+

       



     

       
204

       
218

       
 

       
- The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.


     

       
205

       
219

       
 

       



     

       
206

       
220

       
 

       
- `programs.nix-ld.libraries` no longer sets `baseLibraries` via the option's default but in config and now merges any additional libraries with the default ones.


     
···

       
571

       
585

       
 

       
- `libjxl` version bumped from 0.8.2 to 0.9.1 [dropped support for the butteraugli API](https://github.com/libjxl/libjxl/pull/2576). You will no longer be able to set `enableButteraugli` on `libaom`.


     

       
572

       
586

       
 

       



     

       
573

       
587

       
 

       
- `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).


     

       
574

       

       
-

       



     

       
575

       

       
-

       
- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`


     

       
576

       

       
-

       
  option was added, to control which `authorized_keys` files are trusted.  It defaults to the previous behaviour,


     

       
577

       

       
-

       
  **which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).


     

       
578

       
588

       
 

       



     

       
579

       
589

       
 

       
- [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.


     

       
580

       
590
+1 -3
nixos/modules/security/pam.nix 
···

       
1044

       
1044

       
 

       
          See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)


     

       
1045

       
1045

       
 

       
          :::


     

       
1046

       
1046

       
 

       
        '';


     

       
1047

       

       
-

       
        example = [ "/etc/ssh/authorized_keys.d/%u" ];


     

       
1048

       

       
-

       
        default = config.services.openssh.authorizedKeysFiles;


     

       
1049

       

       
-

       
        defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";


     

       

       
1047

       
+

       
        default = [ "/etc/ssh/authorized_keys.d/%u" ];


     

       
1050

       
1048

       
 

       
      };


     

       
1051

       
1049

       
 

       
    };


     

       
1052

       
1050