nixos/sshd: disable openFirewall by default #81490
base: master
By forcing the user to choose a value this satisfies the argument against unknowingly locking people out of their systems, as well as the argument for a more secure default 👍
If there were to be any change to this PR I might suggest that since this will impact a large number of users we might add an assertion which explains the situation nicer than the existing openFirewall referenced but not declared error, which isn't overly nice or clear.
We should see if @edolstra finds this to be an acceptable compromise. This satisfies issues he has raised in the past, so I think there is a chance he would be accepting of this.
d3bb37d to 95d0e82
This would be okay, though I still think that the case where you want sshd enabled but you don't want it exposed in the firewall is a pretty rare one. So the current situation has my preference.
One possible scenario would be having two interfaces and assigning one of them as trusted interface with
This is my scenario. I set
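The scenario raised in the two comments above (sshd enabled, but reachable through only one of two interfaces), as an added NixOS configuration example that is not part of the PR or the thread. The interface name `eth1` is an assumption; `openFirewall` is set explicitly, so the fragment does not depend on which default is in effect.

```nix
# Added example, not code from the PR. "eth1" is an assumed name for the
# internal/management interface; the other interface stays filtered.
{ config, ... }:
{
  services.openssh = {
    enable = true;
    # Do not add the sshd port to the global allowedTCPPorts list,
    # which would expose it on every interface.
    openFirewall = false;
  };

  networking.firewall = {
    enable = true;

    # Narrow variant: accept only the sshd port(s), and only on eth1.
    # Reusing services.openssh.ports keeps the rule correct if the
    # listening port is changed later.
    interfaces."eth1".allowedTCPPorts = config.services.openssh.ports;

    # Broad variant: accept all traffic arriving on eth1. This also
    # exposes every other listening service on that interface.
    # trustedInterfaces = [ "eth1" ];
  };
}
```

After a rebuild, a connection attempt to the sshd port from the untrusted side should be filtered while the same attempt via `eth1` succeeds.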
Of course you are right. This is a rare situation. However, SSH is a dangerous thing when it is unchecked by a firewall. I think we should maximize security whenever possible.
If I'm not mistaken, it'll add an extra, not-that-obvious step to the installation process - not only enable sshd but also open a port for it.
@Frostman posting a clear message to the screen in an assertion if the user hasn't explicitly opened the firewall will clarify any confusion. All services except
Personally I'm somewhat indifferent to this PR, but the change has been requested a number of times and it seems like a reasonable solution to me. Since @edolstra seems to find this solution acceptable enough maybe we just wait and see more opinions 🤷‍♂️
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/ssh-openfirewall-exception/12066/1
AFAIU you won't if you didn't set
You are correct @Ma27 - this PR forces the user to explicitly set a value... so no risk of breakage.
So does this mean that the default configuration as it is today, made by
Edit: Ah, I misremembered. You have to manually enable SSH anyway, so this just makes it a required option. I see.
However, what about the installer image? SSH is enabled on that out-of-the-box. This is nice behavior in my view, because it allows easy provisioning, so even if this is merged,
I tried to achieve that here. I am not sure if it is enough.
I marked this as stale due to inactivity.
69b3d09 to a895f9c
Opening SSH port on firewall is a security risk and it should be blocked by default.
I thought this was an urgent issue so I didn't use proper branching and had to create a new PR.
Sorry for the duplicate.