Open timthelion opened 8 months ago
People might not necessarily have SSH keys enabled (especially so if you're trying to SSH into a minimal install ISO for NixOS) and...
This is trivial to change in configuration.nix
:
services.openssh = {
enable = true;
# require public key authentication for better security
settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false;
settings.PermitRootLogin = "no";
};
It's trivial to change so why not default to the secure version?
You'd have to ask the upstream maintainers: https://man.openbsd.org/sshd_config#PasswordAuthentication
This shouldn't happen.
PasswordAuthentication
to false would lead to confusion for end users who haven't even heard of key based authentication (let alone configured it).People losing access is a good point. Would it be possible to set a warning message if the flag is not explicitly set?
Would it be possible to set a warning message if the flag is not explicitly set?
Not with the current option definition, but you could set the option type to be nullOr bool
, allowing for a third "unset" state, that would result in a warning before defaulting to either true or false.
I agree with the points mentioned before though, this is not a sane default for most people. If you need this to be the default to meet some kind of regulation or specification (or for any other reason), I suggest you create an out-of-tree module that sets these stricter defaults, so people can import it.
changing the default is asking for problems (a resounding "no" as far as I am concerned). When I introduced the freeform "settings" in the ssh module, it was with the intention of providing a "hardened" ssh config/profile that people could enable. Stuff happens and I haven't had the chance to tackle that (also I am not an ssh expert) but that could be something to think of, and at minimum act as a reference. The hardened profile could be limted to an exemple in the nixos documentation as well.
The bug tracking a "hardened" ssh profile is #193407 .
Would it be safe to update some of these defaults on a system.stateVersion
change? Then it's only new installs and people who know what they're doing who would be getting the new default.
I noticed that the openssh setting
PasswordAuthentication
defaults totrue
on my system. I believe that the relevant line is here https://github.com/NixOS/nixpkgs/blob/f7f4ca1a9c40721968fa604ff9cfe130c9ae0a46/nixos/modules/services/networking/ssh/lshd.nix#L67 this should be false as setting this to true is insecure in most cases.