
nixos/sshd: disable openFirewall by default #75454

Closed

Conversation

@bb2020 (Member) commented Dec 10, 2019

Motivation for this change

Please follow up to #81490

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@bb2020 bb2020 changed the title nixos/openssh: disable openFirewall by default nixos/sshd: disable openFirewall by default Dec 10, 2019
@Mic92 (Member) commented Dec 10, 2019

Previous discussions about this: #19504 (comment) #19504 (comment)

@emmanuelrosa (Contributor):

I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed.

What about removing the default setting altogether. Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false?

In addition, given the change is not backwards compatible, I think it should be documented in the release notes.

@c0bw3b (Contributor) commented Dec 11, 2019

Consensus up to now was that sshd was the only exception allowed to open a firewall port automatically.
Without it, it would be too easy for a user to lock himself out of a machine. Especially on a server machine deployed "in the cloud" with no other access to it (no recovery console or remote management).

If we were to disable that, I'm sure we would receive another PR to re-enable it pretty quickly.

Instead, maybe there is some doc to enhance to emphasize that the first things a concerned admin should do after a NixOS install is to look at and review the sshd config.

@@ -160,7 +160,7 @@ in

openFirewall = mkOption {
type = types.bool;
default = true;
default = false;
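Review bot: changing `default = true;` to `default = false;` unconditionally alters the effective firewall of every existing system on its next rebuild, which is exactly the lock-out case the reviewers raise; if the default is to change at all, gate it on `config.system.stateVersion` (the review comment asks for stateVersion ≥ 20.03 only) so already-deployed hosts keep tcp/22 open, and update the option's description and the release notes so a user who never set `openFirewall` learns that it now defaults to closed.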
Review comment (Member):

In this particular case I don't believe the default should change but if it changes anyway then it should be for stateVersion ≥ 20.03 only.

@bb2020 (author) replied:

I've made the change anyway.

@Ma27 (Member) commented Dec 21, 2019

👎 - As already stated we had these discussions in the past and we are (AFAIK) fine with having an open tcp/22 port for UX reasons.

> I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed.

Understandable. But I'd rather vote for adding either a warning (if only the default value is set) or to mention this in the manual at a more "prominent" position.

> Without it, it would be too easy for a user to lock himself out of a machine. Especially on a server machine deployed "in the cloud" with no other access to it (no recovery console or remote management).

Full ack! I already found several corner cases that caused me to lock myself out of a remote NixOS. By disabling an open sshd by default we mainly add another possibility where users might lock themselves out of their machines, and a recovery from that is usually pretty painful.

> What about removing the default setting altogether. Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false?

In case there are more folks in favor of dropping that default, I'd be fine with this solution.

@aanderse (Member):
As discussed a number of times in the past this is on purpose. Some suggestions about throwing a warning seem like a good idea. Maybe forcing users to choose a value for ssh only is an acceptable solution?

What do you think @edolstra?

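The three ideas raised in the thread (set the option explicitly and review sshd exposure right after install, warn when a configuration only inherits the default, and force the admin to choose) can all be expressed in an ordinary NixOS configuration without changing the module. The following is an added example, not code from this PR or from nixpkgs. The option names are real NixOS options of the 19.09/20.03 era; the interface name `eth0` is a placeholder for the host's management interface.

```nix
# Added example: a NixOS configuration fragment (not part of this PR or of
# nixpkgs). "eth0" is a placeholder for the management interface.
{ config, lib, options, ... }:

let
  sshCfg = config.services.openssh;
  # The evaluated option, not its value: the module system records whether
  # any module actually defined it (isDefined), which is what the
  # "warn if only the default is used" suggestion needs.
  openFirewallOpt = options.services.openssh.openFirewall;
in
{
  services.openssh.enable = true;

  # At the time of this PR the default is true, which opens tcp/22 on every
  # interface. Setting the value explicitly documents the intent and keeps
  # behaviour stable if nixpkgs ever flips the default as this PR proposes.
  services.openssh.openFirewall = false;

  # Open tcp/22 on the management interface only, instead of globally, so
  # the host stays reachable (no lock-out) without exposing sshd on every
  # interface. networking.firewall.interfaces.<name>.allowedTCPPorts is the
  # per-interface counterpart of networking.firewall.allowedTCPPorts.
  networking.firewall.interfaces.eth0.allowedTCPPorts = [ 22 ];

  # Warning variant: fires at evaluation time when sshd is enabled but no
  # module in the configuration set openFirewall, i.e. the host is relying
  # on whatever the nixpkgs default happens to be. In this file the option
  # is set, so it stays quiet; the check is meant for a shared module that
  # every host imports.
  warnings = lib.optional (sshCfg.enable && !openFirewallOpt.isDefined)
    "services.openssh.openFirewall is not set explicitly; tcp/22 exposure depends on the nixpkgs default (currently ${lib.boolToString sshCfg.openFirewall}).";

  # Hard-failure variant (the "force the admin to choose" suggestion): the
  # same condition as an assertion makes nixos-rebuild refuse to build.
  assertions = [
    {
      assertion = !sshCfg.enable || openFirewallOpt.isDefined;
      message = "services.openssh.openFirewall must be set explicitly to true or false when sshd is enabled.";
    }
  ];
}
```

Pick one of the two checks for a fleet-wide module: the warning is the low-friction option Ma27 asks for, the assertion is the build-time failure emmanuelrosa and aanderse describe. Either way, the interface-scoped firewall rule is what actually prevents the lock-out that c0bw3b and Ma27 warn about once `openFirewall` is false.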