
ssh: use symlinks for authorizedKeys options #976

Open
wants to merge 2 commits into
base: master

Conversation

emilazy
Collaborator

@emilazy emilazy commented Jun 15, 2024

This is a security fix over a year in the making; I wish I had been able to get it out sooner. Anyone using AuthorizedKeysCommand for something else will need to ensure they set it in a later file than 101-authorized-keys.conf, but hopefully anyone with that customized an SSH setup knows what they’re doing, and I’m not sure how we could better signal that; I doubt anyone reads the changelog but not merged PRs.

This does mean that the Nix store failing to mount could lead to an SSH lock‐out; I’m not sure how we could handle that elegantly and it seems difficult to recover from without direct access anyway (what if your shell is in the Nix store anyway?). It’s possible we could do an ad‐hoc recreation of copy here that operates unconditionally on the entire directory, I guess.

As explained in the changelog and activation check, the previous
implementation had a nasty security bug that made removing a user’s
authorized keys effectively a no‐op.

This is a huge anti‐declarative footgun; `copy` files cannot
distinguish if a previous version is managed by nix-darwin, so they
can’t check the hash, so they’re prone to destroying data, and
copied files are not deleted when they’re removed from the system
configuration, which led to a security bug. Nothing else in‐tree
was using this functionality, so let’s make sure it doesn’t
cause any more bugs.
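The failure mode described in the PR and commit messages (copied authorized-keys files outliving the configuration that created them, versus symlinks whose targets identify them as managed) can be reproduced in a scratch directory. The script below is an added illustration written for this page; it is not nix-darwin's activation code, and the `store`/`etc/ssh/nix_authorized_keys.d` paths, generation names and key strings are all constructed for the example.

```shell
#!/bin/sh
# Added illustration, not nix-darwin's activation code: a scratch model of
# why copying authorized-keys files into a directory leaves stale keys behind,
# while symlinks into a per-generation "store" path can be cleaned up declaratively.
set -eu

# Create a fresh scratch "store" and "etc" tree (all paths are constructed).
setup() {
  WORK="$(mktemp -d)"
  STORE="$WORK/store"
  KEYS_D="$WORK/etc/ssh/nix_authorized_keys.d"
  mkdir -p "$STORE" "$KEYS_D"
}

# Build generation $1 containing one key file per user named in $2...
make_generation() {
  gen="$1"; shift
  mkdir -p "$STORE/$gen"
  for user in "$@"; do
    # Key material is a constructed placeholder, not a real key.
    printf 'ssh-ed25519 CONSTRUCTED-KEY-%s %s\n' "$user" "$user" > "$STORE/$gen/$user"
  done
}

# Strategy A (the old behaviour): copy files in. Nothing records which
# files in $KEYS_D came from a previous generation, so none are removed
# when a user disappears from the configuration.
activate_copy() {
  cp "$STORE/$1"/* "$KEYS_D"/
}

# Strategy B (the fix): symlink files in. A link whose target is under
# $STORE is provably managed, so stale ones are removed before relinking;
# anything else (e.g. an admin's hand-placed file) is left untouched.
activate_symlink() {
  for f in "$KEYS_D"/*; do
    [ -L "$f" ] || continue
    case "$(readlink "$f")" in
      "$STORE"/*) rm "$f" ;;
    esac
  done
  for src in "$STORE/$1"/*; do
    ln -s "$src" "$KEYS_D/$(basename "$src")"
  done
}

# Users still present in $KEYS_D after activation, space-separated and sorted.
authorized_users() {
  ls "$KEYS_D" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Activate gen1 (alice, bob) and then gen2 (alice only) with strategy $1,
# and report who can still authenticate afterwards.
run_scenario() {
  setup
  make_generation gen1 alice bob
  make_generation gen2 alice
  "activate_$1" gen1
  "activate_$1" gen2
  authorized_users
  rm -rf "$WORK"
}

echo "copy:    $(run_scenario copy)"     # bob's key is still accepted
echo "symlink: $(run_scenario symlink)"  # bob's key is gone
```

The check in `activate_symlink` is the point: because a symlink carries its target, the activation can tell a file it created from one it did not, which a copied file cannot do without an external record. The `case` pattern also shows the safety boundary the commit message alludes to: an unmanaged file in the directory is never deleted.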
@emilazy emilazy requested a review from Enzime June 15, 2024 11:16
@emilazy
Collaborator Author

emilazy commented Jun 15, 2024

Incidentally it seems like our /etc code doesn’t clean up empty directories that consisted entirely of Nix store symlinks. That seems unfortunate, but I’m not sure how we could fix it. In this case it seems like it would be best for the entire /etc/ssh/nix_authorized_keys.d directory to be a symlink; it would be easy to handle deleting them in that case. Not sure why it doesn’t work like that presently.
