nixos/pam: Secure default for sshAgentAuth.authorizedKeysFiles

Closes NixOS#31611
nbraud · Jan 1, 2024 · e30b76b · e30b76b
1 parent 5f854e2
commit e30b76b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -43,6 +43,11 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
 
+- The `pam_ssh_agent_auth(8)` module now trusts files listed in `security.pam.sshAgentAuth.authorizedKeysFiles`,
+  defaulting to `/etc/ssh/authorized_keys.d/%u` only; previously, the set of trusted `authorized_keys` files wasn't
+  configurable and included `~/.ssh/authorized_keys` **which is insecure**:
+  see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
+
 - The `power.ups` module now generates `upsd.conf`, `upsd.users` and `upsmon.conf` automatically from a set of new configuration options. This breaks compatibility with existing `power.ups` setups where these files were created manually. Back up these files before upgrading NixOS.
 
 - `k9s` was updated to v0.30. There have been various breaking changes in the config file format,
@@ -132,10 +137,6 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 
 - The source of the `mockgen` package has changed to the [go.uber.org/mock](https://github.com/uber-go/mock) fork because [the original repository is no longer maintained](https://github.com/golang/mock#gomock).
 
-- `security.pam.enableSSHAgentAuth` was renamed to `security.pam.sshAgentAuth.enable` and an `authorizedKeysFiles`
-  option was added, to control which `authorized_keys` files are trusted.  It defaults to the previous behaviour,
-  **which is insecure**: see [#31611](https://github.com/NixOS/nixpkgs/issues/31611).
-
 - [](#opt-boot.kernel.sysctl._net.core.wmem_max_) changed from a string to an integer because of the addition of a custom merge option (taking the highest value defined to avoid conflicts between 2 services trying to set that value), just as [](#opt-boot.kernel.sysctl._net.core.rmem_max_) since 22.11.
 
 - `services.zfs.zed.enableMail` now uses the global `sendmail` wrapper defined by an email module

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
@@ -1050,9 +1050,7 @@ in
           See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)
           :::
         '';
-        example = [ "/etc/ssh/authorized_keys.d/%u" ];
-        default = config.services.openssh.authorizedKeysFiles;
-        defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";
+        default = [ "/etc/ssh/authorized_keys.d/%u" ];
       };
     };