Unverified Commit db5f88c4 authored by nicoo's avatar nicoo Committed by GitHub
nixos/ssh: Make `~/.ssh/authorized_keys` optional in AuthorizedKeysFiles (#279894)

parent 853580ca
+11 −0
@@ -533,6 +533,17 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `services.postgresql.extraPlugins` changed its type from just a list of packages to also a function that returns such a list.
  For example a config line like ``services.postgresql.extraPlugins = with pkgs.postgresql_11.pkgs; [ postgis ];`` is recommended to be changed to ``services.postgresql.extraPlugins = ps: with ps; [ postgis ];``;

- `services.openssh` now has an option `authorizedKeysInHomedir`, controlling whether `~/.ssh/authorizedKeys` is
  added to `authorizedKeysFiles`.
  ::: {.note}
  This option currently defaults to `true` for NixOS 24.05, preserving the previous behaviour.
  This is expected to change in NixOS 24.11.
  :::
  ::: {.warning}
  Users should check that their SSH keys are in `users.users.*.openssh`, or that they have another way to access
  and administer the system, before setting this option to `false`.
  :::

- [`matrix-synapse`](https://element-hq.github.io/synapse/) homeserver module now supports configuring UNIX domain socket [`listeners`](#opt-services.matrix-synapse.settings.listeners) through the `path` option.
  The default replication worker on the main instance has been migrated away from TCP sockets to UNIX domain sockets.
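Review bot: the release note misspells the file name in `controlling whether ~/.ssh/authorizedKeys is added to authorizedKeysFiles`; sshd reads `~/.ssh/authorized_keys` (the spelling used in the option description and in the implementation), so the note should say `~/.ssh/authorized_keys`. Naming the target option by its full path, `services.openssh.authorizedKeysFiles`, would also let readers find it directly. The `{.warning}` block is the right safeguard to keep: with the option set to `false`, keys that only live in `~/.ssh/authorized_keys` stop being trusted, so an administrator must confirm they have keys in `users.users.*.openssh.authorizedKeys.keys` or another access path first.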

+12 −1
@@ -296,6 +296,17 @@ in
        '';
      };

      authorizedKeysInHomedir = mkOption {
        type = types.bool;
        default = true;
        description = ''
          Enables the use of the `~/.ssh/authorized_keys` file.

          Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
          *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
        '';
      };

      authorizedKeysCommand = mkOption {
        type = types.str;
        default = "none";
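Review bot: the first sentence of the description, `Enables the use of the ~/.ssh/authorized_keys file.`, overstates what the option does. It only controls whether `%h/.ssh/authorized_keys` is included in the default value of `services.openssh.authorizedKeysFiles`; an administrator who lists that path in `authorizedKeysFiles` themselves still gets it regardless of this flag, since list options merge. Suggest wording such as `Whether ~/.ssh/authorized_keys is included in services.openssh.authorizedKeysFiles.` The release notes also state that the `true` default is expected to change in NixOS 24.11; the description should carry the same sentence so users who read the option documentation rather than the release notes learn of the planned change.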
@@ -635,7 +646,7 @@ in
    # https://github.com/NixOS/nixpkgs/pull/10155
    # https://github.com/NixOS/nixpkgs/pull/41745
    services.openssh.authorizedKeysFiles =
      [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
      lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];

    services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";
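Review bot: the expression `lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ]` is correct as written, because function application binds tighter than `++` in Nix and it therefore parses as `(lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys") ++ [ ... ]`, but wrapping the `lib.optional` call in parentheses would make that explicit to the next reader. Behaviour with the default `true` is unchanged, and the file order is preserved, so the home-directory file is still consulted before `/etc/ssh/authorized_keys.d/%u`. Since the two PR links in the comments above explain the original list, consider adding a reference to #279894 beside them so the reason the home-directory path became conditional is recorded next to the code.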