Instead of the somewhat hacky script that inserted public keys
into the users' .ssh/authorized_keys files, use the AuthorizedKeysFile
configuration directive in sshd_config and generate extra key
files for each user (placed in /etc/authorized_keys.d/).
My main reason for adding this is the ability to turn off helpers
altogether. If you are not using any of the special protocols, keeping
them turned off is safest, and in case you do want to use them, it's
best to configure them through the new CT target for your network
topology. Perhaps some sane defaults for nixos can be examined in the
future.
This change has no impact if you don't touch the added options, so no
need to adapt.
This is meant to replace /proc/sys/net/ipv4/conf/*/rp_filter, which
only works for ipv4. Furthermore, it's nicer to handle this kind of
filtering in the firewall.
There are some more subtle differences, please see:
https://home.regit.org/netfilter-en/secure-use-of-helpers/
I chose to enable this by default (when the firewall is enabled) as
it's a good idea in general. Only people with advanced routing needs
might not want this, but I guess they don't use the nixos firewall
anyway and use a custom solution. Furthermore, the option only becomes
available in kernel 3.3+, so conservative nixos users that just stick
to the default kernel will not need to act now just yet.
* Add group 'networkmanager' and implement polkit configuration
that allows users in this group to make persistent, system-wide
changes to NetworkManager settings.
* Add support for ModemManager. 3G modems should work out of the
box now (it does for me...). This introduces a dependency on
pkgs.modemmanager.
* Write NetworkManger config file to Nix store, and let the
daemon use it from there.
Ugly hack to get around the error "a string that refers to a store
path cannot be appended to a path". The underlying problem is that
you cannot do
"${./file1} ${./file2}"
but you can do
" ${./file1} ${./file2}"
Obviously we should allow the first case as well.
I remember the 'named' log was giving annoying messages on systems not ipv6
capable (I can't recall if lacking the kernel ipv6 code or unconfigured ipv6
addresses).
svn path=/nixos/trunk/; revision=34419
are included in the manual, so this causes a different manual to be
built for each machine.
* Clean up indentation of cntlm module.
svn path=/nixos/trunk/; revision=34387
interfaces black-listed for dhcpcd via configuration.nix. I use this option to
disable DHCP for "veth*" interfaces, which are created by LXC for use inside of
virtual machines.
svn path=/nixos/trunk/; revision=34018
lines below a certain marker. This is undesirable because commands
like "ssh-copy-id" add keys to the end of the file. Instead mark
all automatically added lines individually.
svn path=/nixos/trunk/; revision=33918
challenge-response is an authentication method that does not need the
plain text password to be emitted over the (encrypted) connection.
This is nice if you don't fully trust the server.
It is enabled (upstream) by default.
To the end user, it still looks like normal password authentication,
but instead of sending it, it is used to hash some challenge.
This means that if you don't want passwords to be used ever at all,
and just stick to public key authentication, you probably want to
disable this option too.
svn path=/nixos/trunk/; revision=33513
wpa_gui or wpa_cli.
Comes with a default wpa_supplicant.conf, which gets updated through
aforementioned utilities.
svn path=/nixos/trunk/; revision=33510
You can now set the forwardX11 config option for the ssh client and server separately.
For server, the option means "allow clients to request X11 forwarding".
For client, the option means "request X11 forwarding by default on all connections".
I don't think it made sense to couple them. I might not even run the server on some machines.
Also, I ssh to a lot of machines, and rarely want X11 forwarding. The times I want it,
I use the -X/-Y option, or set it in my ~/.ssh/config.
I also decoupled the 'XAuthLocation' logic from forwardX11.
For my case where ssh client doesn't want forwarding by default, it still wants to set the path for the cases I do need it.
As this flag is the one that pulls in X11 dependencies, I changed the minimal profile and the no-x-libs config to check that instead now.
svn path=/nixos/trunk/; revision=33407
delete routes and addresses when it quits. This causes those routes
and addresses to stick around forever, since dhcpcd won't delete
them when it runs next (even if it acquires a new lease on the same
interface). This is bad; in particular the stale (default) routes
can break networking.
The downside to removing "persistent" is that you should never ever
do "stop dhcpcd" on a remote machine configured by dhcpcd.
svn path=/nixos/trunk/; revision=33388