base repository: NixOS/nixpkgs
base: 4de5d2b081c6
head repository: NixOS/nixpkgs
compare: 302df2a9a126
  • 2 commits
  • 3 files changed
  • 1 contributor

Commits on Nov 24, 2020

  1. pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles

    If a system administrator has explicitly configured key locations this
    should be taken into account by `sudo`.
    adisbladis committed Nov 24, 2020
    ba1fa0c
  2. Merge pull request #81661 from adisbladis/ssh-pam-sudo-keys

    pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
    adisbladis authored Nov 24, 2020
    302df2a
Showing with 9 additions and 2 deletions.
  1. +7 −0 nixos/doc/manual/release-notes/rl-2103.xml
  2. +1 −1 nixos/modules/security/pam.nix
  3. +1 −1 nixos/modules/services/networking/ssh/sshd.nix
7 changes: 7 additions & 0 deletions nixos/doc/manual/release-notes/rl-2103.xml
@@ -106,6 +106,13 @@
for more info.
</para>
</listitem>
<listitem>
<para>
Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.

WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
</para>
</listitem>
<listitem>
<para>
The option <option>fonts.enableFontDir</option> has been renamed to
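Review bot: The WARNING sentence at the end of the new <para> is plain text inside the same paragraph and does not say what goes wrong if it is ignored. Suggest moving it into its own element (for example a DocBook <warning>, if the release notes allow it) and stating the consequence: once services.openssh.authorizedKeysFiles is set, sudo via security.pam.enableSSHAgentAuth only consults the listed paths, so a key stored anywhere else stops authenticating. It would also help to mention here that the default entries are now written with a %h/ prefix.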
2 changes: 1 addition & 1 deletion nixos/modules/security/pam.nix
@@ -396,7 +396,7 @@ let
${optionalString cfg.logFailures
"auth required pam_tally.so"}
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}
${optionalString cfg.fprintAuth
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
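Review bot: In the new file= line the entries of config.services.openssh.authorizedKeysFiles are joined with ":" and passed through unchanged, so a user-set relative entry such as ".ssh/authorized_keys" (the previous sshd default) reaches pam_ssh_agent_auth without the ~/ prefix the old hard-coded string had. Suggest either normalising relative entries to %h/ here, or adding an assertion that every entry is absolute or starts with %h when security.pam.enableSSHAgentAuth is on. The option documentation should also say that this is an auth sufficient rule, so every path in the list, including files under the user's home directory, now decides sudo access as well as SSH login.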
2 changes: 1 addition & 1 deletion nixos/modules/services/networking/ssh/sshd.nix
@@ -477,7 +477,7 @@ in
# https://github.com/NixOS/nixpkgs/pull/10155
# https://github.com/NixOS/nixpkgs/pull/41745
services.openssh.authorizedKeysFiles =
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
[ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];

services.openssh.extraConfig = mkOrder 0
''
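Review bot: The default on the changed line switches from relative paths to %h/-prefixed ones, but the comment above it still only links two PRs and gives no reason for the new form. Suggest a one-line comment saying the list is also interpolated into the pam_ssh_agent_auth file= argument in nixos/modules/security/pam.nix, and updating the option description to match, since existing configurations that override this option with relative paths are not touched by the new default.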