Merge pull request #277626 from nbraud/nixos/pam/ssh-agent-auth-31611…

…-fix nixos/pam: Use secure default for `sshAgentAuth.authorizedKeysFiles`
NixOS · Apr 28, 2024 · deed6fb · deed6fb
2 parents f9a24ef + bd6966b
commit deed6fb
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 7 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -201,6 +201,20 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `himalaya` was updated to v1.0.0-beta.4, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta.4) for details.
 
+- `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only**
+  `authorized_keys` files listed in [`sshAgentAuth.authorizedKeysFiles`] are trusted,
+  defaulting to `/etc/ssh/authorized_keys.d/%u`.
+  ::: {.warning}
+  Users of {manpage}`pam_ssh_agent_auth(8)` must take care that the pubkeys they use (for instance with `sudo`)
+  are listed in [`sshAgentAuth.authorizedKeysFiles`]..
+  :::
+  ::: {.note}
+  Previously, all `services.openssh.authorizedKeysFiles` were trusted, including `~/.ssh/authorized_keys`,
+  which results in an **insecure** configuration; see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
+  :::
+
+[`sshAgentAuth.authorizedKeysFiles`]: #opt-security.pam.sshAgentAuth.authorizedKeysFiles
+
 - The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
 
 - `programs.nix-ld.libraries` no longer sets `baseLibraries` via the option's default but in config and now merges any additional libraries with the default ones.
@@ -572,10 +586,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - `mockgen` package source has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
 
-- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
-  option was added, to control which `authorized_keys` files are trusted.  It defaults to the previous behaviour,
-  **which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
-
 - [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
 
 - [TODO: reword to place an attribute at the front] A new top-level package set, `pkgsExtraHardening` is added. This is a set of packages built with stricter hardening flags - those that have not yet received enough testing to be applied universally, those that are more likely to cause build failures or those that have drawbacks to their use (e.g. performance or required hardware features).

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
@@ -1044,9 +1044,7 @@ in
           See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)
           :::
         '';
-        example = [ "/etc/ssh/authorized_keys.d/%u" ];
-        default = config.services.openssh.authorizedKeysFiles;
-        defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";
+        default = [ "/etc/ssh/authorized_keys.d/%u" ];
       };
     };