jeaye
commented
8 years ago The reason it wasn't done was simply that nixos-in-place was originally built to brutally put NixOS "in place" and reboot; it was intended to make no assumptions about what you want for services, security, etc. I'm not saying this is ideal; it's just the original goal.
I'm mostly ok with this change, but I'm reminded of a snag with DigitalOcean. Since you can change the authorized_keys from the web console, DigitalOcean expects to be able to edit /root/.ssh and changes will only be reflected there. So, for DigitalOcean runs, I believe we should symbolically link .ssh and do no copying.
What was your initial motivation to not automatically enable openssh? Since it's so simple I'm sure you would have if you thought it was a good idea.
Basically these two changes make it so that whoever is root on the machine now is able to login to the machine when it's booted into nixos, no console needed.
I think this properly deals with a security risk because the default setting for root login is set to "without-password" leaving you with only key authentication.