colin
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #305742 from tomfitzhenry/ssh-no-pam 

nixos/ssh: expose UsePAM and PrintMotd as options
This commit is contained in:
Thomas Gerbet 2024-04-24 09:40:24 +02:00 committed by GitHub
parent 7ff9349968 3fd9ef4b40
commit ecd2d35be0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 47 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -346,6 +346,7 @@ in
violates the privacy of users and is not recommended.
'';
};
UsePAM = mkEnableOption "PAM authentication" // { default = true; };
UseDns = mkOption {
type = types.bool;
# apply if cfg.useDns then "yes" else "no"
@ -489,6 +490,8 @@ in
{manpage}`sshd_config(5)` for details.
'';
};
# Disabled by default, since pam_motd handles this.
PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively";
};
});
};
@ -622,7 +625,7 @@ in
networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;
security.pam.services.sshd =
security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
{ startSession = true;
showMotd = true;
unixAuth = cfg.settings.PasswordAuthentication;
@ -638,8 +641,6 @@ in
services.openssh.extraConfig = mkOrder 0
''
UsePAM yes
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
@ -657,7 +658,6 @@ in
${optionalString cfg.allowSFTP ''
Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags}
''}
PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
${optionalString (cfg.authorizedKeysCommand != "none") ''
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}

56
nixos/tests/openssh.nix
View File

@ -22,6 +22,19 @@ in {
];
};
server-allowed-users =
{ ... }:
{
services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
users.groups = { alice = { }; bob = { }; carol = { }; };
users.users = {
alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
};
};
server-lazy =
{ ... }:
@ -95,17 +108,21 @@ in {
};
};
server_allowedusers =
{ ... }:
server-no-pam =
{ pkgs, ... }:
{
services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
users.groups = { alice = { }; bob = { }; carol = { }; };
users.users = {
alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
programs.ssh.package = pkgs.opensshPackages.openssh.override {
withPAM = false;
};
services.openssh = {
enable = true;
settings = {
UsePAM = false;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
client =
@ -119,8 +136,10 @@ in {
start_all()
server.wait_for_unit("sshd", timeout=30)
server_allowed_users.wait_for_unit("sshd", timeout=30)
server_localhost_only.wait_for_unit("sshd", timeout=30)
server_match_rule.wait_for_unit("sshd", timeout=30)
server_no_pam.wait_for_unit("sshd", timeout=30)
server_lazy.wait_for_unit("sshd.socket", timeout=30)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
@ -166,8 +185,9 @@ in {
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
# The final segment in this IP is allocated according to the alphabetical order of machines in this test.
client.succeed(
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true",
timeout=30
)
@ -198,15 +218,25 @@ in {
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true",
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true",
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
timeout=30
)
client.fail(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true",
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
timeout=30
)
with subtest("no-pam"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
timeout=30
)
'';