nixos/pam: Warn on insecure sshAgentAuth
configurations
This commit is contained in:
parent
822c0a86bd
commit
9ed1423dcf
2 changed files with 15 additions and 1 deletions
|
@ -1477,6 +1477,16 @@ in
|
|||
}
|
||||
];
|
||||
|
||||
warnings = optional
|
||||
(with lib; with config.security.pam.sshAgentAuth;
|
||||
enable && any (s: hasPrefix "%h" s || hasPrefix "~" s) authorizedKeysFiles)
|
||||
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
|
||||
|
||||
Specifying user-writeable files there result in an insecure configuration:
|
||||
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
|
||||
See https://github.com/NixOS/nixpkgs/issues/31611
|
||||
'';
|
||||
|
||||
environment.systemPackages =
|
||||
# Include the PAM modules in the system path mostly for the manpages.
|
||||
[ pkgs.pam ]
|
||||
|
|
|
@ -15,7 +15,11 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
|
|||
foo.isNormalUser = true;
|
||||
};
|
||||
|
||||
security.pam.sshAgentAuth.enable = true;
|
||||
security.pam.sshAgentAuth = {
|
||||
# Must be specified, as nixpkgs CI expects everything to eval without warning
|
||||
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
|
||||
enable = true;
|
||||
};
|
||||
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
|
||||
enable = true;
|
||||
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
|
||||
|
|
Loading…
Reference in a new issue