[24.11] nixos/ssh: disable authorizedKeysInHomedir by default #309025
base: staging
a23ead8 to e92eed3
I assume including #309368 is a mistake, but the sshd and release note diff LGTM!
Oops, it was indeed unintended!
e92eed3 to f152a17
f152a17 to f94b85b
@mkg20001 I don't think this is mergeable yet, staging won't diverge from the current release until the 15th
f94b85b to eaf9d6e
Rebased to address merge conflict, and add the release note in 24.11. This is now ready for review & merge. PS: Accidentally introduced some extra whitespace in the release note, now fixed.
eaf9d6e to d0a2897
@ofborg test openssh
I do not think that we can ever change this default without causing major breakages and potentially causing tremendous damage. Even if we announce this in all places, we probably do not reach enough people that absolutely need to know this and lock them out of their machines. There is also a scenario where people might need to physically remove the root disk from their server after this change, to allow logging back in:
just to block merges until further discussion has happened
If we wanted to go forward with this change, we could warn on the current default value for two releases (12 months), and then make the switch in 25.11.
Since this was spun out in a separate PR, there's probably a lot of context which isn't obvious at first glance:
Or fix the issue preventing the default to depend on
Split-off from #279894 to avoid a breaking change late in 24.05's release cycle.
Do not merge before staging stops being included in the release (not before 2024-05-15 AoE)
Description of changes
services.openssh.authorizedKeysInHomedir to false
By request of maintainer, and would prevent future issues similar to pam_ssh_agent_auth allowing users to define own ssh pubkey #31611
stateVersion
Causes an eval failure on @ofborg
The 24.11 release notes file doesn't exist yet.
Things done
openssh
Add a 👍 reaction to pull requests you find important.
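
A pre-upgrade check for the lockout scenario raised in this thread, as an added example (not code from this PR or from nixpkgs): it lists accounts whose only SSH public keys are in ~/.ssh/authorized_keys. The function names are hypothetical, and it assumes declaratively managed keys are in /etc/ssh/authorized_keys.d/<user>; extra authorizedKeysFiles entries or an AuthorizedKeysCommand are not considered.

```shell
#!/bin/sh
# Added example, not part of the PR: find accounts that would lose key-based
# SSH login once sshd stops reading ~/.ssh/authorized_keys.
# Assumption: declarative keys (users.users.<name>.openssh.authorizedKeys)
# end up in /etc/ssh/authorized_keys.d/<user>.

# has_keys FILE
# Succeeds if FILE is readable and holds at least one line that is neither
# blank nor a comment, i.e. something sshd would treat as a key entry.
has_keys() {
    [ -r "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# at_risk_users PASSWD_FILE KEYS_DIR
# Prints one user name per line for every account that has keys in its home
# directory but none under KEYS_DIR.
at_risk_users() {
    passwd_file=$1
    keys_dir=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] && [ -n "$home" ] || continue
        if has_keys "$home/.ssh/authorized_keys" && ! has_keys "$keys_dir/$user"; then
            printf '%s\n' "$user"
        fi
    done < "$passwd_file"
}

# Scan the live system only when asked to; run as root so every home
# directory is readable.
if [ "${1:-}" = "--scan" ]; then
    at_risk_users /etc/passwd /etc/ssh/authorized_keys.d
fi
```

Any account it prints needs its keys moved into the declarative configuration, or services.openssh.authorizedKeysInHomedir set to true explicitly, before the new default is deployed.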