nixos/installer: enable sshd by default #96991

Merged
merged 3 commits into from Sep 10, 2020

Member

@Mic92 Mic92 commented Sep 3, 2020

Right now the UX for installing NixOS on a headless system is very bad.
To enable sshd without physical steps users have to have either physical
access or need to be very knowledgeable to figure out how to modify the
installation image by hand to put an sshd.service symlink in the
right directory in /nix/store. This is in particular a problem on ARM
SBCs (single board computers) but also other hardware where network is
the only meaningful way to access the hardware.

This commit enables sshd by default. This does not give anyone access to
the NixOS installer, since by default there is no user with a non-empty
password or key. It makes it easy, however, to add ssh keys to the
installation image (usb stick, sd-card on arm boards) by simply mounting
it and adding keys to /root/.ssh/authorized_keys.
Importantly, this should not require nix/nixos on the machine that
prepares the installation device and is even feasible on non-linux systems
by using ext4 third party drivers.

Potential new threats: Since this enables sshd by default a
potential bug in openssh could lead to remote code execution. OpenSSH
has a very good track-record over the last 20 years, which makes it
far more likely that Linux itself would have a remote code execution
vulnerability. It is trusted by millions of servers on many operating
systems to be exposed to the internet by default.

Motivation for this change
Todo
  • update installation manual docs

  • add changelog entry

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
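
The key-provisioning step from the PR description, as an added example (not code from this PR or from nixpkgs). It assumes the image's root filesystem is already mounted writable at the path you pass in; the function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: put an SSH public key into a mounted installer image.
# Usage: install_installer_key MOUNTPOINT PUBKEY_FILE   (hypothetical names)
install_installer_key() {
    mnt=$1
    pub=$2
    [ -d "$mnt" ] || { echo "not a directory: $mnt" >&2; return 2; }
    [ -r "$pub" ] || { echo "cannot read key file: $pub" >&2; return 2; }

    # Only the public half belongs on the image; refuse private keys.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 3
    fi

    # Accept one plain "<type> <base64> [comment]" line, without options.
    types='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+'
    key=$(grep -E "^($types) [A-Za-z0-9+/=]+( .*)?\$" "$pub" | head -n 1)
    [ -n "$key" ] || { echo "no public key line in $pub" >&2; return 3; }

    ssh_dir=$mnt/root/.ssh
    auth=$ssh_dir/authorized_keys

    # sshd's StrictModes (on by default) ignores authorized_keys when the
    # home directory, ~/.ssh or the file is writable by group or others.
    mkdir -p "$ssh_dir" || return 4
    chmod 700 "$mnt/root" "$ssh_dir" || return 4

    # Idempotent: append only when this exact line is not present yet.
    touch "$auth" || return 4
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth" || return 4
    chmod 600 "$auth" || return 4

    # Ownership on the target must be root; only root can set that.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$ssh_dir" || return 4
    fi
    return 0
}
```

Run it as root so the files on the image end up owned by uid 0, which StrictModes checks along with the modes.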

@worldofpeace
Contributor

@Mic92 This does seem easier. I believe there's also documentation in the nixos manual, could you also update that?

@Mic92
Member Author

Mic92 commented Sep 3, 2020

Yes. I want to gather some feedback and then put it in both the installation manual as well as the change-log.

@worldofpeace
Contributor

> Yes. I want to gather some feedback and then put it in both the installation manual as well as the change-log.

Gotcha, added todo's in the OP

@colemickens
Member

Can we also have it spit out its current IP to TTY after auto-login? Just so we don't have to nmap our own network or boot up our router mgmt software just to check leases?

@Mic92
Member Author

Mic92 commented Sep 3, 2020

> Can we also have it spit out its current IP to TTY after auto-login? Just so we don't have to nmap our own network or boot up our router mgmt software just to check leases?

dynamic motd? I would leave this for a different pr.

@lheckemann
Member

@Mic92 I don't think it needs to be as complicated as that, since autologin happens it can be placed in environment.interactiveShellInit.

@Mic92
Member Author

Mic92 commented Sep 6, 2020

@jonringer is this something we should backport to 20.09? The change itself is simple but makes installing on headless hardware a lot easier.

@Mic92
Member Author

Mic92 commented Sep 6, 2020

@lheckemann please review.

@jonringer
Contributor

I'm fine with having it on by default, but I would like to make sure that the default configuration.nix reflects it, so that people who don't want it on by default aren't surprised

Member

@samueldr samueldr left a comment

Minor phrasing suggestions, I even hesitated to select "Request changes" rather than comment here.

nixos/doc/manual/installation/installing.xml (outdated, resolved)
nixos/doc/manual/installation/installing.xml (outdated, resolved)
nixos/doc/manual/installation/installing.xml (resolved)
nixos/doc/manual/release-notes/rl-2009.xml (outdated, resolved)

@samueldr
Member

samueldr commented Sep 6, 2020

> I'm fine with having it on by default, but I would like to make sure that the default configuration.nix reflects it, so that people who don't want it on by default aren't surprised

@jonringer, just checking, but this only affects the installation-device profile. This means that there is no functional change in defaults elsewhere than on installer isos and installer SD images.

Right now the UX for installing NixOS on a headless system is very bad.
To enable sshd without physical steps users have to have either physical
access or need to be very knowledgeable to figure out how to modify the
installation image by hand to put an `sshd.service` symlink in the
right directory in /nix/store. This is in particular a problem on ARM
SBCs (single board computers) but also other hardware where network is
the only meaningful way to access the hardware.

This commit enables sshd by default. This does not give anyone access to
the NixOS installer, since by default there is no user with a non-empty
password or key. It makes it easy, however, to add ssh keys to the
installation image (usb stick, sd-card on arm boards) by simply mounting
it and adding keys to `/root/.ssh/authorized_keys`.
Importantly, this should not require nix/nixos on the machine that
prepares the installation device and is even feasible on non-linux systems
by using ext4 third party drivers.

Potential new threats: Since this enables sshd by default a
potential bug in openssh could lead to remote code execution. OpenSSH
has a very good track-record over the last 20 years, which makes it
far more likely that Linux itself would have a remote code execution
vulnerability. It is trusted by millions of servers on many operating
systems to be exposed to the internet by default.

Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
@Mic92
Member Author

Mic92 commented Sep 6, 2020

> I'm fine with having it on by default, but I would like to make sure that the default configuration.nix reflects it, so that people who don't want it on by default aren't surprised

The installer does not have a configuration.nix.

Member

@samueldr samueldr left a comment

This time, only minor English issues.

Everything else is fine AFAICT.

nixos/doc/manual/installation/installing.xml (outdated, resolved)
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
Contributor

@jonringer jonringer left a comment

sorry, was on my phone earlier, this LGTM

nixos/doc/manual/installation/installing.xml (outdated, resolved)
Co-authored-by: Jon <jonringer@users.noreply.github.com>
@jonringer jonringer added the 9.needs: port to stable A PR needs a backport to the stable release. label Sep 8, 2020
@Mic92 Mic92 merged commit 940195c into NixOS:master Sep 10, 2020
@Mic92 Mic92 deleted the sshd branch September 10, 2020 04:13
@Mic92
Member Author

Mic92 commented Sep 10, 2020

Backported in ed44326

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/hello-folks-what-is-the-default-username-and-password-for-nixos-for-raspberry-pi/36897/5
