author | Thomas Gerbet <thomas@gerbet.me> | 2024-04-09 00:29:07 +0200 |
---|---|---|
committer | tomf <tom@tom-fitzhenry.me.uk> | 2024-06-05 19:45:31 +1000 |
commit | ef6fea2d8617258bff16f5ea8a6db858870ecb29 (patch) | |
tree | 0fa2802cedf8bec6bd250ca5ea4890151eb30e46 /nixos/modules | |
parent | 282884daeac549be6e808f0d616d84f712b292d5 (diff) |
openssh: move Kerberos support into a dedicated package
The `openssh` and `openssh_hpn` packages are now built without Kerberos support by default, to reduce their attack surface. Kerberos support is likely used only by a fraction of users (I'm guessing mainly those integrating SSH into an Active Directory environment), so dropping it should not affect too many of them. Note also that Kerberos/GSSAPI authentication is disabled by default in sshd's configuration. `opensshWithKerberos` and `openssh_hpnWithKerberos` are added to provide an easy migration path for users who need this support. The `openssh_gssapi` package is kept untouched.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index f69a35f0ffedc..1e4e34a4f1675 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -715,6 +715,10 @@ in
 assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
 message = "cannot enable X11 forwarding without setting xauth location";}
+ { assertion = (builtins.match "(.*\n)?(\t )*[Kk][Ee][Rr][Bb][Ee][Rr][Oo][Ss][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
+ message = "cannot enable Kerberos authentication without using a package with Kerberos support";}
+ { assertion = (builtins.match "(.*\n)?(\t )*[Gg][Ss][Ss][Aa][Pp][Ii][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
+ message = "cannot enable GSSAPI authentication without using a package with Kerberos support";}
 (let
 duplicates =
 # Filter out the groups with more than 1 element |
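Review bot: The leading-whitespace group `(\t )*` in both added regexes only matches repetitions of a tab followed by a space, so a `KerberosAuthentication yes` or `GSSAPIAuthentication yes` line indented with plain spaces or tabs — the usual layout inside a `Match` block in `extraConfig` — slips past the check and the assertion passes silently even though `cfgc.package` lacks Kerberos support, which is exactly the misconfiguration these assertions were added to catch; `[ \t]*` is presumably what was intended. The separator class `[ |\t|=|\"]+` also contains literal `|` characters, harmless inside a bracket expression but reading as a mistaken alternation; `[ \t=\"]+` expresses the same thing. I would change the prefix of both patterns to `"(.*\n)?[ \t]*[Kk][Ee]…[ \t=\"]+yes.*"` and `"(.*\n)?[ \t]*[Gg][Ss]…[ \t=\"]+yes.*"`, and since the two patterns differ only in the keyword, a small local helper taking the option name would keep the matching logic in one place. The `assertions` list this hunk edits continues past the end of the hunk.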