openssh: use ssh-keysign from PATH #63585
Conversation
@GrahamcOfBorg eval
I'd prefer not adding setuid binaries unless it's absolutely necessary.
Does this configure where the ssh client expects to find this binary on a remote server? Or is it where a server expects to find this binary on itself?
It's where the client expects to find
I'm quite purposely not enabling the setuid wrapper by default, and unless we're committing to "host-based authentication doesn't work on NixOS", it is indeed necessary. If we're committing to making functionality unusable for the sake of decreasing the SUID binary count, I'd rather start with gnome-keyring-daemon than OpenSSH, and review all the others. It's also worth noting that even with the wrapper enabled, it is entirely inactive without
Could we instead pass this value in as an SSH configuration option, in the /etc/ssh/ssh_config file?
That would cause every unpatched OpenSSH to crash:
You can use
Okay, so I guess that's an option. There doesn't seem to be a sensible distro-independent default, anyhow. It lives at
If anything, I'm tending towards either "just take it from `PATH`" or "just take it from SSH client config" to quiet the arguments. I was reluctant to do either because the normal mechanism hardcodes a root-controlled purpose-named location, but as far as I can tell `ssh-keysign` doesn't really receive anything sensitive, certainly no more so than whoever controls `SSH_AUTH_SOCK`.
> If anything, I'm tending towards either "just take it from `PATH`" or "just take it from SSH client config" to quiet the arguments. I was reluctant to do either because the normal mechanism hardcodes a root-controlled purpose-named location, but as far as I can tell `ssh-keysign` doesn't really receive anything sensitive, certainly no more so than whoever controls `SSH_AUTH_SOCK`.

I think we should just take in from PATH, then. This doesn't actually make anything work on non-NixOS without user intervention either, but at least rids us of the `/run/wrappers` boogeyman. We can even {default,fall back} to the Nix store path as we do now and remain compatible with the running-as-root case without additional configuration, if anyone really wants to push that case.
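The lookup order proposed in the comment above (an `ssh-keysign` found on `PATH` first, the hardcoded libexec location as the fallback) and the two client-side prerequisites for host-based authentication, modelled as an added example. This is not code from the PR, from nixpkgs or from OpenSSH. It assumes the setuid wrapper on NixOS lives under `/run/wrappers/bin` (the page only says `/run/wrappers`), and the directories, fake binaries and `ssh_config` it builds under a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or from nixpkgs/OpenSSH.
# Models the proposal: prefer an ssh-keysign found on PATH (on NixOS that
# would be the setuid copy under /run/wrappers; the exact directory
# /run/wrappers/bin is an assumption), fall back to the hardcoded libexec
# location, then check what host-based authentication needs on the client:
# a setuid-root ssh-keysign and "EnableSSHKeysign yes" in ssh_config.

# find_keysign SEARCHPATH FALLBACK
# Print the first regular, executable ssh-keysign in the colon-separated
# SEARCHPATH, else FALLBACK if that is executable; print nothing and exit 1
# if neither exists. Empty PATH components (which would mean ".") are
# skipped on purpose: a lookup that ends in a setuid program must never
# consult the current directory.
find_keysign() (
    IFS=:
    for dir in $1; do
        [ -n "$dir" ] || continue
        if [ -f "$dir/ssh-keysign" ] && [ -x "$dir/ssh-keysign" ]; then
            printf '%s\n' "$dir/ssh-keysign"
            exit 0
        fi
    done
    if [ -f "$2" ] && [ -x "$2" ]; then
        printf '%s\n' "$2"
        exit 0
    fi
    exit 1
)

# keysign_is_setuid_root FILE
# ssh-keysign has to read the root-only host private keys, so it is only
# useful when it is setuid and owned by uid 0. A copy in the Nix store can
# never satisfy this, which is why a wrapper is needed at all.
keysign_is_setuid_root() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    owner=$(ls -ldn "$1" | awk '{ print $3 }')
    [ "$owner" = 0 ]
}

# ssh_config_enables_keysign CONFIG
# Even with a setuid ssh-keysign installed, ssh does not invoke it unless the
# system ssh_config says "EnableSSHKeysign yes"; the keyword=value form and
# mixed case are accepted, as ssh_config itself accepts them.
ssh_config_enables_keysign() {
    grep -Eiq '^[[:space:]]*EnableSSHKeysign([[:space:]]+|[[:space:]]*=[[:space:]]*)yes[[:space:]]*$' "$1"
}

# Constructed fixture standing in for a NixOS-like layout: a setuid wrapper
# directory, a store-style libexec copy without setuid, and an ssh_config.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/wrappers/bin" "$tmp/libexec"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/wrappers/bin/ssh-keysign"
    chmod 4755 "$tmp/wrappers/bin/ssh-keysign"   # the setuid wrapper
    printf '#!/bin/sh\nexit 0\n' > "$tmp/libexec/ssh-keysign"
    chmod 0755 "$tmp/libexec/ssh-keysign"        # the store copy: no setuid
    printf 'HostbasedAuthentication yes\nEnableSSHKeysign yes\n' > "$tmp/ssh_config"

    found=$(find_keysign "$tmp/wrappers/bin:$tmp/nowhere" "$tmp/libexec/ssh-keysign")
    echo "PATH lookup picked:     $found"
    found=$(find_keysign "$tmp/nowhere" "$tmp/libexec/ssh-keysign")
    echo "fallback picked:        $found"
    if keysign_is_setuid_root "$tmp/wrappers/bin/ssh-keysign"; then
        echo "wrapper is setuid root: yes"
    else
        echo "wrapper is setuid root: no (expected when this demo is not run as root)"
    fi
    if ssh_config_enables_keysign "$tmp/ssh_config"; then
        echo "EnableSSHKeysign:       yes"
    else
        echo "EnableSSHKeysign:       no (ssh would never call ssh-keysign)"
    fi
    rm -rf "$tmp"
}

demo
```

The fallback keeps the running-as-root case working without configuration, as the comment suggests: root can read the host keys directly, so the non-setuid store copy is enough there. For any other user the `keysign_is_setuid_root` check is the one that matters, and it is exactly the property a Nix store path cannot have.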
I don't think this is worth worrying about.
ssh-keysign is used for host-based authentication, and is designed to be used as an SUID-root program. OpenSSH defaults to referencing it from libexec, which cannot be made SUID in Nix.
I'm expecting using
Motivation for this change
ssh-keysign is used for host-based authentication, and is designed to be used as an SUID-root program. OpenSSH defaults to referencing it from libexec, which cannot be made SUID in Nix.
Things done
- sandboxing (`sandbox` in `nix.conf` on non-NixOS)
- `nix-shell -p nix-review --run "nix-review wip"`
- binaries in `./result/bin/`
- `nix path-info -S` before and after