authorEmily <vcs@emily.moe>2023-07-16 16:59:43 +0100
committerEmily <vcs@emily.moe>2024-06-15 12:15:13 +0100
commitb833d4a32d965e6393a63b2c91b46eca2a5030d8 (patch)
tree2e922c3020fd89242f372463aba64eb6d610ad49 /modules/system
parent58b905ea87674592aa84c37873e6c07bc3807aba (diff)
ssh: use symlinks for `authorizedKeys` options
As explained in the changelog and activation check, the previous implementation had a nasty security bug that made removing a user’s authorized keys effectively a no‐op.
Diffstat (limited to 'modules/system')
-rw-r--r--modules/system/checks.nix23
1 files changed, 23 insertions, 0 deletions
diff --git a/modules/system/checks.nix b/modules/system/checks.nix
index f0f03e8..d527aa8 100644
--- a/modules/system/checks.nix
+++ b/modules/system/checks.nix
@@ -202,6 +202,28 @@ let
exit 2
fi
'';
+
+ # TODO: Remove this a couple years down the line when we can assume
+ # that anyone who cares about security has upgraded.
+ oldSshAuthorizedKeysDirectory = ''
+ if [[ -d /etc/ssh/authorized_keys.d ]]; then
+ printf >&2 '\e[1;31merror: /etc/ssh/authorized_keys.d exists, aborting activation\e[0m\n'
+ printf >&2 'SECURITY NOTICE: The previous implementation of the\n'
+ printf >&2 '`users.users.<name>.openssh.authorizedKeys.*` options would not delete\n'
+ printf >&2 'authorized keys files when the setting for a given user was removed.\n'
+ printf >&2 '\n'
+ printf >&2 "This means that if you previously stopped managing a user's authorized\n"
+ printf >&2 'SSH keys with nix-darwin, or intended to revoke their access by\n'
+ printf >&2 'removing the option, the previous set of keys could still be used to\n'
+ printf >&2 'log in as that user.\n'
+ printf >&2 '\n'
+ printf >&2 'You can check the /etc/ssh/authorized_keys.d directory to see which\n'
+ printf >&2 'keys were permitted; afterwards, please remove the directory and\n'
+ printf >&2 're-run activation. The options continue to be supported and will now\n'
+ printf >&2 'correctly permit only the keys in your current system configuration.\n'
+ exit 2
+ fi
+ '';
in
{
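Review bot: The `[[ -d /etc/ssh/authorized_keys.d ]]` test on the first line of the new check follows symlinks, so it also aborts when that path is a symlink to a directory and does nothing when it is a regular file or a dangling link; if the symlink-based implementation named in the title ever places a link at this same path, this check would fire on every activation, so restricting it to a real directory, `if [[ -d /etc/ssh/authorized_keys.d && ! -L /etc/ssh/authorized_keys.d ]]; then`, would make the legacy detection unambiguous (I cannot see the new path from this diffstat-limited view, so please confirm). The TODO above it gives only a relative timeframe; anchoring it to the introduction date, `# TODO: Remove this a couple years down the line (added 2023-07) when we can assume`, lets a future maintainer judge "a couple years" without digging through history. The `let` binding list this hunk adds to starts outside the hunk.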
@@ -245,6 +267,7 @@ in
(mkIf cfg.verifyNixChannels nixChannels)
nixInstaller
(mkIf cfg.verifyNixPath nixPath)
+ oldSshAuthorizedKeysDirectory
];
system.activationScripts.checks.text = ''