From a5872edf2f61d97a4ada2734d543eaaefe25c916 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 3 Sep 2020 05:00:53 +0200 Subject: [PATCH 1/3] nixos/installer: enable sshd by default Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledgeable to figure out how to modify the installation image by hand to put an `sshd.service` symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computers) but also other hardware where network is the only meaningful way to access the hardware. This commit enables sshd by default. This does not give anyone access to the NixOS installer since by default there is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding keys to `/root/.ssh/authorized_keys`. Importantly this should not require nix/nixos on the machine that prepares the installation device and is even feasible on non-linux systems by using ext4 third party drivers. Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default. Co-authored-by: Samuel Dionne-Riel --- nixos/doc/manual/installation/installing.xml | 10 +++++++--- nixos/doc/manual/release-notes/rl-2009.xml | 4 ++++ nixos/modules/profiles/installation-device.nix | 15 ++++++++------- 3 files changed, 19 insertions(+), 10 deletions(-) diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index c7ed3b3c0c9..a9f60df9248 100644 
--- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -70,9 +70,13 @@ If you would like to continue the installation from a different machine you - need to activate the SSH daemon via systemctl start - sshd. You then must set a password for either root or - nixos with passwd to be able to login. + can use activated SSH daemon. You need to copy your ssh key to either + /home/nixos/.ssh/authorized_keys or + /root/.ssh/authorized_keys (Tip: For installers with a + modifyable filesystem such as the sd-card installer image a key can be be manual + placed by mounting the image on a different machine). Alternatively you must set + a password for either root or nixos with + passwd to be able to login. diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index ce78bda8505..ddbd38fac01 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -864,6 +864,10 @@ CREATE ROLE postgres LOGIN SUPERUSER; Default algorithm for ZRAM swap was changed to zstd. + + The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer. + To login through ssh, either a password or an ssh key must be set for the root user or the nixos user. + The scripted networking system now uses .link files in diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index d05c0c50e82..e68ea1b0877 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix 
@@ -51,22 +51,23 @@ with lib; services.mingetty.helpLine = '' The "nixos" and "root" accounts have empty passwords. - Type `sudo systemctl start sshd` to start the SSH daemon. - You then must set a password for either "root" or "nixos" - with `passwd` to be able to login. + An ssh daemon is running. You then must set a password + for either "root" or "nixos" with `passwd` or add an ssh key + to /home/nixos/.ssh/authorized_keys be able to login. '' + optionalString config.services.xserver.enable '' Type `sudo systemctl start display-manager' to start the graphical user interface. ''; - # Allow sshd to be started manually through "systemctl start sshd". + # We run sshd by default. Login via root is only possible after adding a + # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys. + # The latter one is particular useful if keys are manually added to + # installation device for head-less systems i.e. arm boards by manually + # mounting the storage in a different system. services.openssh = { enable = true; - # Allow password login to the installation, if the user sets a password via "passwd" - # It is safe as root doesn't have a password by default and SSH is disabled by default permitRootLogin = "yes"; }; - systemd.services.sshd.wantedBy = mkOverride 50 []; # Enable wpa_supplicant, but don't start it by default. networking.wireless.enable = mkDefault true; From 60d30e13f7fef6faec53a411340f0f151b32a2e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 6 Sep 2020 19:44:30 +0100 Subject: [PATCH 2/3] Update nixos/doc/manual/installation/installing.xml Co-authored-by: Samuel Dionne-Riel --- nixos/doc/manual/installation/installing.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index a9f60df9248..e14b6fd07c7 100644 --- a/nixos/doc/manual/installation/installing.xml 
+++ b/nixos/doc/manual/installation/installing.xml @@ -73,7 +73,7 @@ can use activated SSH daemon. You need to copy your ssh key to either /home/nixos/.ssh/authorized_keys or /root/.ssh/authorized_keys (Tip: For installers with a - modifyable filesystem such as the sd-card installer image a key can be be manual + modifiable filesystem such as the sd-card installer image a key can be be manually placed by mounting the image on a different machine). Alternatively you must set a password for either root or nixos with passwd to be able to login. From 0e7f6a884b939823471cde875cf258a2aa2b3535 Mon Sep 17 00:00:00 2001 From: WORLDofPEACE Date: Tue, 8 Sep 2020 19:24:51 -0400 Subject: [PATCH 3/3] Update nixos/doc/manual/installation/installing.xml Co-authored-by: Jon --- nixos/doc/manual/installation/installing.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/doc/manual/installation/installing.xml b/nixos/doc/manual/installation/installing.xml index e14b6fd07c7..6df1d830348 100644 --- a/nixos/doc/manual/installation/installing.xml +++ b/nixos/doc/manual/installation/installing.xml @@ -73,7 +73,7 @@ can use activated SSH daemon. You need to copy your ssh key to either /home/nixos/.ssh/authorized_keys or /root/.ssh/authorized_keys (Tip: For installers with a - modifiable filesystem such as the sd-card installer image a key can be be manually + modifiable filesystem such as the sd-card installer image a key can be manually placed by mounting the image on a different machine). Alternatively you must set a password for either root or nixos with passwd to be able to login.
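Review bot: in the PATCH 1/3 hunk for installing.xml, the new sentence `can use activated SSH daemon` is missing its article and should read `can use the already running SSH daemon`; the same added paragraph has `modifyable` and `can be be manual placed`, which should be `modifiable` and `can be manually placed`. Because the tip tells users to place the key by mounting the image on a different machine, the paragraph should also say that `.ssh` and `authorized_keys` must be owned by the target user (or root) and must not be group- or world-writable: sshd ignores a key file with loose ownership or permissions under its default `StrictModes yes`, and on a headless board the user then has no console to find out why the login is refused.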
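Review bot: the rl-2009.xml entry in PATCH 1/3 should state the user-visible change plainly, namely that the installer image now has sshd listening on the network from the moment it boots instead of only after `systemctl start sshd`, so that someone booting an installer on a shared or untrusted network knows to set a key or password deliberately; as written it only says sshd is enabled. Wording in the same lines: `especially ARM single-board-computer` should be `especially on ARM single-board computers`, and `To login through ssh` should be `To log in through ssh`.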
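Review bot: in the installation-device.nix hunk of PATCH 1/3, removing the comment `It is safe as root doesn't have a password by default and SSH is disabled by default` drops the justification for `permitRootLogin = "yes"` without replacing it, and the second half of that justification is no longer true once `systemd.services.sshd.wantedBy = mkOverride 50 [];` is removed. The new comment above `services.openssh` should say why root login stays safe with sshd running: the accounts have empty passwords (as the helpLine states) and sshd does not accept an empty password unless `PermitEmptyPasswords yes` is configured, so a remote login still requires either a `passwd` step on the console or a key placed on the image. Text fixes in the same hunk: the helpLine `You then must set a password` has no preceding step for `then` to follow, and `to /home/nixos/.ssh/authorized_keys be able to login` is missing `to`; in the comment, `a ssh key` should be `an ssh key`, `particular useful` should be `particularly useful`, and `head-less` should be `headless`. The comment also only names `/home/nixos/.ssh/authorized_keys`, while the installing.xml change in the same patch also names `/root/.ssh/authorized_keys`; keep the two consistent.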
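Review bot: the PATCH 2/3 hunk fixes `modifyable` and `manual` but leaves `can be be manually` with the doubled `be`, which then needs a third patch; these one-line documentation fixups should be squashed into PATCH 1/3 so the series does not introduce typos that it immediately corrects.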
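Review bot: after the PATCH 3/3 hunk the sentence still opens with `can use activated SSH daemon`, missing the article (`the already running SSH daemon`), so one more wording pass is needed on the same lines; as with PATCH 2/3, fold this fixup into PATCH 1/3 rather than keeping a separate commit for a single doubled word.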