nixos/pam: Warn on insecure sshAgentAuth
configurations
parent
822c0a86bd
commit
9ed1423dcf
2 changed files with 15 additions and 1 deletions
|
@ -1477,6 +1477,16 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
|
warnings = optional
|
||||||
|
(with lib; with config.security.pam.sshAgentAuth;
|
||||||
|
enable && any (s: hasPrefix "%h" s || hasPrefix "~" s) authorizedKeysFiles)
|
||||||
|
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
|
||||||
|
|
||||||
|
Specifying user-writeable files there result in an insecure configuration:
|
||||||
|
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
|
||||||
|
See https://github.com/NixOS/nixpkgs/issues/31611
|
||||||
|
'';
|
||||||
|
|
||||||
environment.systemPackages =
|
environment.systemPackages =
|
||||||
# Include the PAM modules in the system path mostly for the manpages.
|
# Include the PAM modules in the system path mostly for the manpages.
|
||||||
[ pkgs.pam ]
|
[ pkgs.pam ]
|
||||||
|
|
|
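Review bot: The predicate `enable && any (s: hasPrefix "%h" s || hasPrefix "~" s) authorizedKeysFiles` only recognizes entries that begin with `%h` or `~`, so a home-directory path spelled out absolutely (for example `/home/%u/.ssh/authorized_keys`) or a `%h` appearing later in the path does not trigger the warning, while the message reads as if every home-directory file were caught. Since the hazard being warned about is any user-writeable file rather than the home directory as such, I would mark the check as a heuristic with a comment above `warnings = optional`, e.g. `# Heuristic: only flags entries starting with %h or ~; other user-writeable locations are not detected.`, and consider widening the match to `hasInfix "%h"`. The warning text also has a grammar slip: `Specifying user-writeable files there result in` should read `results in`. Presumably `optional` and `hasPrefix` resolve through a `with lib;` outside the hunk; the nested `with config.security.pam.sshAgentAuth;` shadows any `enable` from the outer scope, which is easy to misread.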
@ -15,7 +15,11 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
|
||||||
foo.isNormalUser = true;
|
foo.isNormalUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
security.pam.sshAgentAuth.enable = true;
|
security.pam.sshAgentAuth = {
|
||||||
|
# Must be specified, as nixpkgs CI expects everything to eval without warning
|
||||||
|
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
|
||||||
|
enable = true;
|
||||||
|
};
|
||||||
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
|
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
|
||||||
enable = true;
|
enable = true;
|
||||||
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
|
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
|
||||||
|
|
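Review bot: The comment above `authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];` explains that the value exists to keep CI warning-free but not why the default warns or why this path is acceptable; a reader has to open the module to learn that the default presumably points into the user's home directory. I would extend it to `# Must be specified, as nixpkgs CI expects everything to eval without warning: the module's default is a home-directory path, which it now flags as user-writeable, so use a root-owned location instead.` (confirm the default against the module). The hunk also does not show where that file is populated for `foo`; if the key is still installed under foo's home directory elsewhere in the test, pam_ssh_agent_auth would now read a path that does not exist and the sudo check would fail, so it is worth confirming the provisioning was updated too. The enclosing `nodes` attribute set continues past the hunk.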