NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

enabling system.etc.overlay = true throws away everything in /etc like /etc/ssh/known_hosts and /etc/shadow. Locking you out #319524

Open arianvp opened 5 months ago

arianvp commented 5 months ago

Describe the bug

enabling system.etc.overlay = true throws away everything in /etc like /etc/ssh/known_hosts and /etc/shadow. Locking you out

Steps To Reproduce

Steps to reproduce the behavior:

  1. enable openssh
  2. enable system.etc.overlay.enable = true
  3. Try ssh'ing

get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:GWwZuxyzWHnxc2N93I80rehKbpcYEd3zGn9PUZFwuyA.
Please contact your system administrator.
Add correct host key in /Users/arian/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/arian/.ssh/known_hosts:130
Host key for utm.local has changed and you have requested strict checking.
Host key verification failed.
  4. Ignore the host key verification.
  5. Notice that my password doesn't work anymore.

Expected behavior

Old content from /etc/ is migrated to /.rw-etc on switch


arianvp commented 5 months ago

I guess this is because we don't migrate the old /etc on switch. This is a nasty deficiency. IDK if we can fix it though

devurandom commented 2 days ago

> I guess this is because we don't migrate the old /etc on switch. This is a nasty deficiency. IDK if we can fix it though

Can I take manual steps to work around this? Is there a script that copies all relevant files somewhere, so they get included in the overlay?

I could work around the loss of /etc/shadow by setting users.extraUsers.*.hashedPasswordFile (encrypted e.g. with https://github.com/Mic92/sops-nix) and that would generate a new shadow file that'll be included in the overlay, right?
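As an added illustration (not from any participant in this issue), one way to keep the two pieces of authentication state the report loses, the password hashes and the SSH host identity, out of the mutable /etc so that they survive enabling the overlay: declare the hashes via hashedPasswordFile and store the host key outside /etc. The user name, the secret name and the key path are assumptions for this example, and it assumes the sops-nix module is imported.

```nix
# Added example: keep password hashes and the SSH host key declarative so they are
# regenerated from configuration on every switch instead of living only in the old /etc.
{ config, ... }:
{
  system.etc.overlay.enable = true;

  # Build /etc/shadow from declared hashes instead of relying on a hand-edited file.
  users.mutableUsers = false;
  # The file holds a hash produced with `mkpasswd -m sha-512` and is delivered by
  # sops-nix; "alice" and the secret name are assumptions for this example.
  users.users.alice.hashedPasswordFile = config.sops.secrets."alice-password".path;
  sops.secrets."alice-password".neededForUsers = true;

  # Keep the host identity outside /etc so clients' known_hosts entries stay valid
  # across the switch (the path is an assumption; any persistent location works).
  services.openssh = {
    enable = true;
    hostKeys = [
      { path = "/var/lib/ssh/ssh_host_ed25519_key"; type = "ed25519"; }
    ];
  };
}
```

Copy the existing /etc/ssh/ssh_host_ed25519_key and its .pub to the new path before the first switch; otherwise the openssh service generates a fresh key there and clients still see the changed-host-key warning.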