nixos/pam: safe defaults for pam_ssh_agent_auth #62317
Conversation
| This option has been deprecated due to a security vunerability. Read | ||
| the 19.09 release notes for more informations and the replacing options. | ||
| ''; } | ||
| ]; |
There was a problem hiding this comment.
You could remove options.security.pam.enableSSHAgentAuth and use mkRemovedOptionModule with the text of this assertion instead. Less code. :)
There was a problem hiding this comment.
I wish I could but I need assertion because it throw, mkRemovedOptionModule only add a warnings which doesn't:
Lines 592 to 602 in f712061
I don't want someone to be locked out of their systems because of the breaking change.
There was a problem hiding this comment.
Since #69419 mkRemovedOptionModule throws, so it should be usable for this now
bricewge
force-pushed
the
pam-ssh-agent-vulnerability
branch
2 times, most recently
from
7778996
to
0a27261
Compare
Replaces option security.pam.enableSSHAgentAuth with
security.pam.sshAgentAuth.{enable,authorizedKeys} defaulting to
safe defaults.
bricewge
force-pushed
the
pam-ssh-agent-vulnerability
branch
from
0a27261
to
fdecc4d
Compare
|
I didn't managed to removed the related entry in EDIT: BTW I think that |
|
This is great, but didn't we have a more visible way to document breaking changes in a release? |
|
ping (triage) |
| This option has been deprecated due to a security vunerability. Read | ||
| the 19.09 release notes for more informations and the replacing options. | ||
| ''; } | ||
| ]; |
There was a problem hiding this comment.
Since #69419 mkRemovedOptionModule throws, so it should be usable for this now
| The <option>security.pam.enableSSHAgentAuth</option> module has been | ||
| removed because it allowed a privilege escalation from any program running as the user. | ||
| The options replacing it don't have the same default and may lock you out of your | ||
| system, be extremly careful when migrating! |
There was a problem hiding this comment.
| system, be extremly careful when migrating! | |
| system, be extremely careful when migrating! |
(or just very careful)
| @@ -544,13 +544,40 @@ in | |||
| default = false; | |||
| description = | |||
| '' | |||
| Deprecated option, see release note for 19.09. | |||
There was a problem hiding this comment.
| Deprecated option, see release note for 19.09. | |
| Deprecated option, see release notes for 19.09. |
| assertions = [ | ||
| { assertion = !config.security.pam.enableSSHAgentAuth; | ||
| message = '' | ||
| This option has been deprecated due to a security vunerability. Read |
There was a problem hiding this comment.
| This option has been deprecated due to a security vunerability. Read | |
| This option has been deprecated due to a security vulnerability. Read |
|
I don't use NixOs anymore. Please take in hand this PR if you want it to be merged. |
Motivation for this change
Fixes #31611, replace #32178 and advance #43716.
Things done
BREAKING CHANGES
security.pam.enableSSHAgentAuthwithsecurity.pam.sshAgentAuth.{enable,authorizedKeys}defaulting to safe defaults.pam_ssh_agent_authsudodon't preserveSSH_AUTH_SOCKanymoresandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)