New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
modules/security/pam.nix: add enableSSHAgentAuthNoHome #102187
Conversation
Tested on sudo on Nightingale. It can prevent sudoing based on just the user-editable files, but you have to be super explicit about it: { lib, ... }:
{
security.pam.services.sudo = {
sshAgentAuth = lib.mkForce false;
sshAgentAuthNoHome = true;
};
} otherwise you get 2 auth_sufficient lines in /etc/pam.d/sudo. That's because |
note optionalString cfg.sshAgentAuthNoHome not (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) so you don't need to have config.security.pam.enableSSHAgentAuth enabled and you don't get the double entry. I absolutely dislike the current solution and my solution, I would only have cfg.sshAgentAuth boolean and cfg.sshAgentAuthPath listOf str, but that would break backwards compat, so I proposed this more conservative solution that bypasses the current config. |
I guess there is backwards compatible solution of making
where default paths would be the old paths and for new style config you would just unset config.security.pam.enableSSHAgentAuth and set paths and boolean however you needed this would only break configs that had noop config of cfg.sshAgentAuth for some security.pam.services.name, but not config.security.pam.enableSSHAgentAuth, which would be inert |
This defining sshAgentAuthPaths is useful, if sudo is being used by authenticating as the user and not as root as is the default as user could normally just edit the ~/.ssh/authorized_keys to get access as root. Allow specifying sshAgentAuth without security.pam.enableSSHAgentAuth as there is no reason not to allow it.
This new revision would be my preferred solution (apart from completely dropping config.security.pam.enableSSHAgentAuth completely and the entry on sudo module). It's to my understanding perfectly backwards compatible apart from people who have only enableSSHAgentAuth = true specified and expect it to have no effect, which is just silly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -223,7 +223,7 @@ in | |||
|
|||
environment.systemPackages = [ sudo ]; | |||
|
|||
security.pam.services.sudo = { sshAgentAuth = true; }; | |||
security.pam.services.sudo = lib.optionalAttrs config.security.pam.enableSSHAgentAuth { sshAgentAuth = true; }; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it probably makes more sense to move this definition to the pam.nix
module instead, then option definition and use is in the same file.
I see this commit has been sufficiently fixed in ba1fa0c for me. |
already fixed by another commit |
This variant of the old sshAgentAuth is useful, if sudo is
being used by authenticating as the user and not
as root as is the default as user could normally just
edit the ~/.ssh/authorized_keys to get access as root.
Motivation for this change
Make pam_ssh_agent_auth useful for sudo default settings
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)