nixos/pam: Warn on insecure sshAgentAuth configurations

This commit is contained in:
nicoo 2023-12-29 21:35:46 +00:00
parent 822c0a86bd
commit 9ed1423dcf
2 changed files with 15 additions and 1 deletions


@ -1477,6 +1477,16 @@ in
} }
]; ];
warnings = optional
(with lib; with config.security.pam.sshAgentAuth;
enable && any (s: hasPrefix "%h" s || hasPrefix "~" s) authorizedKeysFiles)
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
Specifying user-writeable files there result in an insecure configuration:
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
See https://github.com/NixOS/nixpkgs/issues/31611
'';
environment.systemPackages = environment.systemPackages =
# Include the PAM modules in the system path mostly for the manpages. # Include the PAM modules in the system path mostly for the manpages.
[ pkgs.pam ] [ pkgs.pam ]
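Review bot: The predicate on the `any` line only flags entries that literally begin with `%h` or `~`, so an absolute path into the home directory such as `/home/%u/.ssh/authorized_keys`, or any other user-writable location outside the home, still evaluates without a warning even though the issue the warning describes applies equally. Since a complete check is not feasible here, it would help to say so in the option's description, e.g. `# Heuristic: only catches paths spelled with %h or ~; other user-writable locations are not detected.`. The warning text also has a grammar slip on its second line and should read `Specifying user-writeable files there results in an insecure configuration:`. The `config` attribute set this `warnings` entry belongs to begins and ends outside the hunk.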


@ -15,7 +15,11 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
foo.isNormalUser = true; foo.isNormalUser = true;
}; };
security.pam.sshAgentAuth.enable = true; security.pam.sshAgentAuth = {
# Must be specified, as nixpkgs CI expects everything to eval without warning
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
enable = true;
};
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = { security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
enable = true; enable = true;
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
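Review bot: Pinning `authorizedKeysFiles` to `/etc/ssh/authorized_keys.d/%u` means the test no longer exercises the module's default value, which, if the comment above it is right that the default would trigger the new warning, is the configuration most users will actually run. A short comment making that trade-off explicit would help future readers, e.g. `# NOTE: this overrides the module default to keep CI warning-free; the default itself is not covered here.`. The enclosing node configuration function begins outside the hunk.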