Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mutable users vs authorizedKeysFiles #42526

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Mutable users vs authorizedKeysFiles #42526

wants to merge 2 commits into from

Conversation

ip1981
Copy link
Contributor

@ip1981 ip1981 commented Jun 24, 2018

No mutable SSH keys by default for immutable users

There are security concerns: someone could upload a new SSH key,
and we will never know. This still can be extended or overridden.

The %h placeholder is added to fit both sshd_config and pam_ssh_agent_auth.
Also synchronize keys with openssh.

@ip1981 ip1981 mentioned this pull request Jun 24, 2018
Closed
LnL7
LnL7 reviewed Jun 24, 2018
View reviewed changes
Copy link
Member

@LnL7 LnL7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes behaviour and might break existing setups, this definitively needs a changelog entry. And maybe we should keep the current behaviour for stateVersion < 18.09 to avoid potentially loosing access after upgrading.

adisbladis
adisbladis reviewed Jun 25, 2018
View reviewed changes
nixos/modules/security/pam.nix Outdated
@@ -287,7 +287,7 @@ let
${optionalString cfg.logFailures
"auth required pam_tally.so"}
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${concatStringsSet ":" config.services.openssh.authorizedKeysFiles}"}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

concatStringsSet -> concatStringsSep

@ip1981
pam_ssh_agent_auth: synchronize keys with openssh
92131c6
@ip1981
No mutable SSH keys by default for immutable users
74f0263 
There are security concerns: someone could upload a new SSH key,
and we will never know. This still can be extended or overridden.

The %h placeholder is added to fit both sshd_config and
pam_ssh_agent_auth.
tomberek
tomberek requested changes Apr 10, 2019
View reviewed changes
Copy link
Contributor

@tomberek tomberek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may be surprising, so it can use a bit of documentation under mutableUsers. Otherwise it's a good idea.

@bricewge
Copy link
Contributor

This PR is related with the security vulnerability #31611. I don't think this should be merged as is until the issue is resolved.

fpletz
fpletz requested changes Jun 2, 2019
View reviewed changes
Copy link
Member

@fpletz fpletz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 on the change in principle.

I wonder if a special option like users.mutableUserSshKeys that defaults on the value of users.mutableUsers might make sense for people depending on the old behaviour with users.mutableUsers turned on. Or at least mention changing services.openssh.authorizedKeysFiles in the release notes, which we btw also need since this is a breaking change.

nixos/modules/security/pam.nix
@@ -287,7 +287,7 @@ let
${optionalString cfg.logFailures
"auth required pam_tally.so"}
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change will be obsolete by #62317.

@fpletz fpletz added this to the 19.09 milestone Jun 2, 2019
@stale
Copy link

stale bot commented Jun 2, 2020

Thank you for your contributions.
This has been automatically marked as stale because it has had no activity for 180 days.
If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity.
Here are suggestions that might help resolve this more quickly:

  1. Search for maintainers and people that previously touched the
    related code and @ mention them in a comment.
  2. Ask on the NixOS Discourse. 3. Ask on the #nixos channel on
    irc.freenode.net.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 2, 2020
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 18, 2021
@SuperSandro2000
Copy link
Member

@ip1981 please resolve the merge conflict.

@veprbl veprbl removed this from the 19.09 milestone May 31, 2021
@stale
Copy link

stale bot commented Jan 9, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 9, 2022
@wegank wegank marked this pull request as draft March 20, 2024 13:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adisbladis adisbladis adisbladis left review comments

@LnL7 LnL7 LnL7 left review comments

@fpletz fpletz fpletz requested changes

@tomberek tomberek tomberek requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
2.status: merge conflict 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
9 participants
@ip1981 @bricewge @SuperSandro2000 @adisbladis @fpletz @tomberek @LnL7 @veprbl @GrahamcOfBorg