nixos/installer: enable sshd by default #96991
Conversation
@Mic92 This does seem easier. I believe there's also documentation in the nixos manual, could you also update that?
Yes. I want to gather some feedback and then put it in both the installation manual as well as the change-log.
Gotcha, added todos in the OP
Can we also have it spit out its current IP to TTY after auto-login? Just so we don't have to nmap our own network or boot up our router mgmt software just to check leases?
dynamic motd? I would leave this for a different pr.
@Mic92 I don't think it needs to be as complicated as that, since autologin happens it can be placed in
@jonringer is this something we should backport to 20.09? The change itself is simple but makes installing on headless hardware a lot easier.
@lheckemann please review. |
I'm fine with having it on by default, but I would like to make sure that the default configuration.nix reflects it, so that people who don't want it on by default aren't surprised |
Minor phrasing suggestions, I even hesitated to select "Request changes" rather than comment here.
@jonringer, just checking, but this only affects the installation-device profile. This means that there is no functional change in defaults elsewhere than on installer isos and installer SD images.
Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledgeable to figure out how to modify the installation image by hand to put an `sshd.service` symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computers) but also other hardware where network is the only meaningful way to access the hardware. This commit enables sshd by default. This does not give anyone access to the NixOS installer since, by default, there is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding keys to `/root/.ssh/authorized_keys`. Importantly this should not require nix/nixos on the machine that prepares the installation device and is even feasible on non-linux systems by using ext4 third party drivers. Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default. Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
The installer does not have a configuration.nix.
This time, only minor English issues.
Everything else is fine AFAICT.
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
sorry, was on my phone earlier, this LGTM
Co-authored-by: Jon <jonringer@users.noreply.github.com>
Backported in ed44326
(cherry picked from commit ec49caa)
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
Motivation for this change
Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledgeable to figure out how to modify the installation image by hand to put an sshd.service symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computers) but also other hardware where network is the only meaningful way to access the hardware.
This commit enables sshd by default. This does not give anyone access to the NixOS installer since, by default, there is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding keys to /root/.ssh/authorized_keys. Importantly this should not require nix/nixos on the machine that prepares the installation device and is even feasible on non-linux systems by using ext4 third party drivers.
Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default.
Todo
update installation manual docs
add changelog entry
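To make the "mount the installation media and add a key" step concrete, here is an added shell example (not part of this PR or of nixpkgs): it writes a key to /root/.ssh/authorized_keys on a mounted installer root with the permissions sshd's StrictModes expects, and audits that root's /etc/shadow for accounts that could still authenticate with a password. The mount point, the sample shadow entries and the sample key are assumptions.

```shell
#!/bin/sh
# Added example, not nixpkgs code. Assumes the installer's root filesystem
# (or an extracted copy of it) is mounted at the directory passed as $1.
set -eu

# Sanity check for one authorized_keys line: key type, base64 blob, optional comment.
valid_key_line() {
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# add_installer_key MOUNTPOINT 'ssh-ed25519 AAAA... comment'
# Appends the key once, with 0700 on .ssh and 0600 on authorized_keys:
# sshd's StrictModes (on by default) refuses group/world-writable key files.
add_installer_key() {
  root="$1"; key="$2"
  valid_key_line "$key" || { echo "rejecting malformed key line" >&2; return 1; }
  sshdir="$root/root/.ssh"
  mkdir -p "$sshdir" && chmod 0700 "$sshdir"
  touch "$sshdir/authorized_keys" && chmod 0600 "$sshdir/authorized_keys"
  grep -qxF "$key" "$sshdir/authorized_keys" \
    || printf '%s\n' "$key" >> "$sshdir/authorized_keys"
}

# password_enabled_accounts MOUNTPOINT
# Prints accounts whose shadow hash is neither locked ('!' or '*') nor empty,
# i.e. the ones that could log in to sshd with a password. Empty hashes are
# not listed because OpenSSH's PermitEmptyPasswords defaults to "no".
password_enabled_accounts() {
  awk -F: '$2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1/etc/shadow"
}
```

Run password_enabled_accounts against the prepared media before booting it; on the installer described above it should print nothing.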