nixos/pam: Use secure default for sshAgentAuth.authorizedKeysFiles
#277626
Conversation
github-actions
bot
added
6.topic: nixos
nbraud
added
1.severity: security
| - The `pam_ssh_agent_auth(8)` module now trusts files listed in `security.pam.sshAgentAuth.authorizedKeysFiles`, | ||
| defaulting to `/etc/ssh/authorized_keys.d/%u` only; previously, the set of trusted `authorized_keys` files wasn't | ||
| configurable and included `~/.ssh/authorized_keys` **which is insecure**: | ||
| see [#31611](https://github.com/NixOS/nixpkgs/issues/31611). | ||
|
|
There was a problem hiding this comment.
On one hand, this note could make it more obvious that upgrading could cause a user to lose access to anything protected by pam_ssh_agent_auth. On the other hand, they could always boot up an earlier configuration.
There was a problem hiding this comment.
Right. I'll try and think of a more-explicit wording, thanks <3
There was a problem hiding this comment.
@Majiir What do you think of the new wording?
|
Can't we also use |
No. That's the current behaviour (and remains the default after #277620) but it's insecure-by-default: The reason this is a problem is explained (and illustrated with exploitation steps) in #31611 PS: In case that was unclear, this PR includes the commits that are in #277620, but only 24536c0c0884f694d987b4b445403daa492c7357 is new here. |
I guess? That would be a breaking change for users of the 23.11 branch, in principle, and I expect the previous PR's warning to trigger on the vast majority of insecure configurations. |
nbraud
force-pushed
the
nixos/pam/ssh-agent-auth-31611-fix
branch
from
907127f to
24536c0
Compare
|
Rebased on the current version of #277620 |
|
Rebased after #266332 |
nbraud
force-pushed
the
nixos/pam/ssh-agent-auth-31611-fix
branch
from
24536c0 to
e129071
Compare
|
Rebased after #266332 |
nbraud
force-pushed
the
nixos/pam/ssh-agent-auth-31611-fix
branch
2 times, most recently
from
5775b42 to
c8f25bf
Compare
|
Rebased on current #277620, should be final. |
nbraud
added
needs_merger
|
@ofborg eval |
|
Rebased on the previous PR's merge commit, so GitHub shows the appropriate commit set and diff. Only change in file is from #276499 being merged : ❯ git --no-pager diff c8f25bf f5ed08f -- nixos/modules/security/pam.nix
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index aedcac44cf71..95aceeaccc5c 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1473,6 +1473,13 @@ in
`security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`).
'';
}
+ {
+ assertion = config.security.pam.enableSSHAgentAuth -> config.services.openssh.authorizedKeysFiles != [];
+ message = ''
+ `security.pam.enableSSHAgentAuth` requires `services.openssh.authorizedKeysFiles` to be a non-empty list.
+ Did you forget to set `services.openssh.enable` ?
+ '';
+ }
];
warnings = optional |
nbraud
force-pushed
the
nixos/pam/ssh-agent-auth-31611-fix
branch
from
c8f25bf to
f5ed08f
Compare
delroth
removed
the
12.approvals: 1
|
eval failure fixed in |
ofborg
bot
added
10.rebuild-darwin: 0
|
@ofborg test ssh-agent-auth |
|
Rebased due to merge conflict in release notes. No change. |
nbraud
force-pushed
the
nixos/pam/ssh-agent-auth-31611-fix
branch
from
f5ed08f to
bd6966b
Compare
|
@ofborg test ssh-agent-auth |
wegank
added
the
12.approvals: 3+
|
When this is released, are there any safeguards (edit: other than a warning explaining the change in abstract) to prevent a system admin from accidentally locking themselves out through misunderstanding the implications? Is there any way to make it crystal clear exactly which authorized keys will be affected on a system? |
Unfortunately given that the root cause comes from a default setting with a wrong value I do not see a lot of options. The probability of being locked out seems to be quite low:
This is not ideal but keeping this footgun around is also not :/ |
| @@ -47,6 +47,20 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m | |||
|
|
|||
| - `himalaya` was updated to v1.0.0-beta, which introduces breaking changes. Check out the [release note](https://github.com/soywod/himalaya/releases/tag/v1.0.0-beta) for details. | |||
|
|
|||
| - `security.pam.enableSSHAgentAuth` was replaced by the `sshAgentAuth` attrset, and **only** | |||
There was a problem hiding this comment.
This should use the renamed option which I think got dropped below and was at some point later re-added #316884
Follow-up on #277620, blocked until it is merged.
Description of changes
Change the default value of
security.pam.sshAgentAuth.authorizedKeysFilesto[ "/etc/ssh/authorized_keys.d/%u" ].This breaks backwards-compatibility to fix a security vulnerability: #31611
Things done
nixosTests.ssh-agent-authonce Add NixOS test forsecurity.pam.enableSSHAgentAuth#266332 is merged.Add a 👍 reaction to pull requests you find important.