nixos/sshd: warn if no authorized keys, and no authentication method other than pubkeys, were configured

This commit is contained in:
nicoo 2024-09-17 16:46:24 +00:00
parent 1f08575e3a
commit 6c62fbf539


@ -108,6 +108,10 @@ let
};
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
));
authKeysFiles = let
mkAuthKeyFile = u: lib.nameValuePair "ssh/authorized_keys.d/${u.name}" {
mode = "0444";
@ -116,9 +120,6 @@ let
${lib.concatMapStrings (f: lib.readFile f + "\n") u.openssh.authorizedKeys.keyFiles}
'';
};
usersWithKeys = lib.attrValues (lib.flip lib.filterAttrs config.users.users (n: u:
lib.length u.openssh.authorizedKeys.keys != 0 || lib.length u.openssh.authorizedKeys.keyFiles != 0
));
in lib.listToAttrs (map mkAuthKeyFile usersWithKeys);
authPrincipalsFiles = let
@ -545,6 +546,17 @@ in
config = lib.mkIf cfg.enable {
warnings = lib.optional (with cfg; lib.all lib.id [
# ~/.ssh/authorized_keys is ignored and no custom file locations were set
(authorizedKeysFiles == [ "/etc/ssh/authorized_keys.d/%u" ])
# no command provides authorized keys
(authorizedKeysCommand == "none")
# no users have keys in declarative configuration
(usersWithKeys == [])
# no authentication methods other than public keys are configured
((settings.PasswordAuthentication == false && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])
]) "services.openssh: no keys were set in `users.users.*.openssh.authorizedKeys` and `~/.ssh/authorized_keys` will be ignored";
users.users.sshd =
{
isSystemUser = true;
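Review bot: The "no other authentication method" condition on the `((settings.PasswordAuthentication == false && !package.withKerberos) || ...)` line only consults PasswordAuthentication and Kerberos, so two common setups get a spurious lockout warning: keyboard-interactive via PAM (a separate sshd method that stays usable when PasswordAuthentication is off, if the module's `settings.KbdInteractiveAuthentication` is left at its default), and certificate logins, which need no authorized_keys at all and which this module already supports through the `authPrincipalsFiles` logic visible at the top of the second hunk. Conversely, the warning text says nothing about the fourth condition, so a reader is not told that the real concern is that no login path remains. I would extend the check to `((settings.PasswordAuthentication == false && !(settings.KbdInteractiveAuthentication or false) && !package.withKerberos) || settings.AuthenticationMethods == [ "publickey" ])` (assuming that option name and list type match the module's settings, which this hunk does not show), add a fifth predicate `(usersWithPrincipals == [] && !(settings ? TrustedUserCAKeys))` built the same way as `usersWithKeys`, and append to the message "; with password/keyboard-interactive authentication disabled no user will be able to log in over SSH". The `warnings` attribute is the only new code; `config = lib.mkIf cfg.enable { ... }` continues past the end of the hunk.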