
nixos/sshd: disable openFirewall by default #75454

Closed

Conversation

@bb2020
Contributor

@bb2020 bb2020 commented Dec 10, 2019

Motivation for this change

Opening SSH port on firewall by default is a security risk and it should be blocked.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
Notify maintainers

cc @

@bb2020 bb2020 force-pushed the bb2020:master branch from 9ac5d4f to 98412fa Dec 10, 2019
@bb2020 bb2020 changed the title nixos/openssh: disable openFirewall by default nixos/sshd: disable openFirewall by default Dec 10, 2019
@Mic92
Contributor

@Mic92 Mic92 commented Dec 10, 2019

Previous discussions about this: #19504 (comment) #19504 (comment)

@emmanuelrosa
Contributor

@emmanuelrosa emmanuelrosa commented Dec 10, 2019

I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed.

What about removing the default setting altogether? Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false?

In addition, given the change is not backwards compatible, I think it should be documented in the release notes.

@c0bw3b
Contributor

@c0bw3b c0bw3b commented Dec 11, 2019

Consensus up to now was that sshd was the only exception allowed to open a firewall port automatically.
Without it, it would be too easy for a user to lock himself out of a machine. Especially on a server machine deployed "in the cloud" with no other access to it (no recovery console or remote management).

If we were to disable that, I'm sure we would receive another PR to re-enable it pretty quickly.

Instead, maybe there is some doc to enhance to emphasize that the first things a concerned admin should do after a NixOS install is to look at and review the sshd config.

@@ -160,7 +160,7 @@ in

openFirewall = mkOption {
type = types.bool;
default = true;
default = false;
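Review bot: Flipping `default = true;` to `default = false;` silently changes firewall behaviour for every existing system that never set `services.openssh.openFirewall` explicitly, which is exactly the remote-lockout scenario raised in the thread. Gate the new default on `system.stateVersion` (closed only for ≥ 20.03), or drop the default entirely so evaluation fails until the admin chooses a value, and add a release-note entry in either case.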


@rycee

rycee Dec 19, 2019
Member

In this particular case I don't believe the default should change but if it changes anyway then it should be for stateVersion ≥ 20.03 only.


@bb2020

bb2020 Dec 20, 2019
Author Contributor

I've made the change anyway.

@bb2020 bb2020 force-pushed the bb2020:master branch from 98412fa to 51ae154 Dec 20, 2019
@Ma27
Member

@Ma27 Ma27 commented Dec 21, 2019

👎 - As already stated we had these discussions in the past and we are (AFAIK) fine with having an open tcp/22 port for UX reasons.

I'm concerned about this because some NixOS systems may be unknowingly relying on the default setting (true) to open the SSH port on the firewall. Personally, I didn't even know this option existed.

Understandable. But I'd rather vote for either adding a warning (if only the default value is set) or mentioning this in the manual at a more "prominent" position.

Without it, it would be too easy for a user to lock himself out of a machine. Especially on a server machine deployed "in the cloud" with no other access to it (no recovery console or remote management).

Full ack! I already found several corner cases that caused me to lock myself out of a remote NixOS. By disabling an open sshd by default we mainly add another possibility where users might lock themselves out of their machines, and recovery from that is usually pretty painful.

What about removing the default setting altogether. Wouldn't that cause a build-time failure, forcing the system admin to explicitly set it to true or false?

In case there are more folks in favor of dropping that default, I'd be fine with this solution.

@aanderse
Contributor

@aanderse aanderse commented Jan 11, 2020

As discussed a number of times in the past this is on purpose. Some suggestions about throwing a warning seem like a good idea. Maybe forcing users to choose a value for ssh only is an acceptable solution?

What do you think @edolstra?
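An added illustration (not code from this PR or from the nixpkgs sshd module) of how the three alternatives discussed above could be combined in one NixOS module: a default gated on `system.stateVersion` as rycee suggested, and an evaluation-time warning when the admin has not set the option, as Ma27 and aanderse suggested. It assumes port 22 and uses the option's `isDefined` attribute to detect "only the default value is set".

```nix
# Hypothetical variant of the openFirewall option; added here for illustration,
# not the code under review in this PR.
{ config, lib, options, ... }:

let
  cfg = config.services.openssh;
  # Systems installed before 20.03 keep the historical behaviour (port open);
  # newer installs default to closed. This is the stateVersion gate.
  legacyDefault = lib.versionOlder config.system.stateVersion "20.03";
in
{
  options.services.openssh.openFirewall = lib.mkOption {
    type = lib.types.bool;
    default = legacyDefault;
    description = ''
      Whether to automatically open the SSH port in the firewall.
      Set this explicitly; a warning is emitted while it is left at its default.
    '';
  };

  config = lib.mkIf cfg.enable {
    # The firewall rule itself: tcp/22 (assumed here) is opened only when true.
    networking.firewall.allowedTCPPorts = lib.optional cfg.openFirewall 22;

    # isDefined is false when no module or configuration.nix assigns the option,
    # i.e. the system is silently relying on the default. Warn so the admin
    # reviews the sshd firewall policy instead of discovering it after a lockout.
    warnings = lib.optional (!options.services.openssh.openFirewall.isDefined) ''
      services.openssh.openFirewall is not set explicitly and currently
      defaults to ${lib.boolToString legacyDefault} (stateVersion
      ${config.system.stateVersion}). Set it to true or false in your
      configuration to make the intended firewall policy explicit.
    '';
  };
}
```

Replacing `default = legacyDefault;` with no `default` at all gives the stricter variant from the thread, where evaluation fails until the admin chooses a value.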

@bb2020 bb2020 closed this Feb 26, 2020
@bb2020 bb2020 force-pushed the bb2020:master branch from 51ae154 to 5b4908c Feb 26, 2020
@bb2020 bb2020 mentioned this pull request Mar 2, 2020