From 6891bb1c5930b1691dcd808d14d8b9404e480f7a Mon Sep 17 00:00:00 2001
From: Anmol Sethi
Date: Sat, 1 Oct 2016 13:23:56 -0400
Subject: [PATCH] openssh: support prohibit-password for permitRootLogin

See https://github.com/openssh/openssh-portable/commit/1dc8d93ce69d6565747eb44446ed117187621b26
I also made it the default.
---
 nixos/modules/services/networking/ssh/sshd.nix | 4 ++--
 nixos/modules/virtualisation/amazon-image.nix | 2 +-
 nixos/modules/virtualisation/azure-common.nix | 2 +-
 nixos/modules/virtualisation/brightbox-image.nix | 2 +-
 nixos/modules/virtualisation/google-compute-image.nix | 2 +-
 nixos/modules/virtualisation/nova-image.nix | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 1d15a141972..915199c8e90 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -102,8 +102,8 @@ in
       };
 
       permitRootLogin = mkOption {
-        default = "without-password";
-        type = types.enum ["yes" "without-password" "forced-commands-only" "no"];
+        default = "prohibit-password";
+        type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
         description = ''
           Whether the root user can login using ssh.
         '';
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index f9c3f2e53ad..17e69b311b4 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -138,7 +138,7 @@ let cfg = config.ec2; in
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time.
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "without-password";
+  services.openssh.permitRootLogin = "prohibit-password";
 
   # Force getting the hostname from EC2.
   networking.hostName = mkDefault "";
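Review bot: The option description on the `description = ''` lines still reads only "Whether the root user can login using ssh.", which no longer explains a five-value enum whose members differ in security effect: `prohibit-password` and its deprecated alias `without-password` still let root log in with a public key (only password and keyboard-interactive authentication are refused for root), `forced-commands-only` restricts root to keys carrying a `command=` option, and only `no` disables root SSH entirely. Suggest replacing the description with one sentence per value along those lines and stating that `prohibit-password` is the default, so operators who want root locked out know to set "no" explicitly. Since the value is presumably emitted verbatim into sshd_config and `prohibit-password` was introduced by the upstream commit the message links (OpenSSH 7.0), a system pinning an older openssh package would get an sshd that rejects its configuration; the description should say the new default requires OpenSSH 7.0 or later. The enclosing options set begins and ends outside the hunk.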
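Review bot: The `services.openssh.permitRootLogin = "prohibit-password";` line only narrows authentication for root; unlike the google-compute-image.nix hunk in this same patch, this file does not set `services.openssh.passwordAuthentication = mkDefault false;`, so any non-root account that has a password could presumably still authenticate by password over SSH on an image whose comment promises key-only access. Suggest adding that line directly after the permitRootLogin assignment, mirroring the GCE image, or narrowing the comment so it does not overstate the guarantee. The enclosing attribute set begins and ends outside the hunk.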
diff --git a/nixos/modules/virtualisation/azure-common.nix b/nixos/modules/virtualisation/azure-common.nix
index 70a3d752f6d..5cd2304a295 100644
--- a/nixos/modules/virtualisation/azure-common.nix
+++ b/nixos/modules/virtualisation/azure-common.nix
@@ -24,7 +24,7 @@ with lib;
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time, ping client connections to avoid timeouts
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "without-password";
+  services.openssh.permitRootLogin = "prohibit-password";
   services.openssh.extraConfig = ''
     ClientAliveInterval 180
   '';
diff --git a/nixos/modules/virtualisation/brightbox-image.nix b/nixos/modules/virtualisation/brightbox-image.nix
index e2905913b6c..7f45f0f34f7 100644
--- a/nixos/modules/virtualisation/brightbox-image.nix
+++ b/nixos/modules/virtualisation/brightbox-image.nix
@@ -103,7 +103,7 @@ in
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time.
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "without-password";
+  services.openssh.permitRootLogin = "prohibit-password";
 
   # Force getting the hostname from Google Compute.
   networking.hostName = mkDefault "";
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 489b612f167..90dbd3b6d63 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -111,7 +111,7 @@ in
   # Allow root logins only using the SSH key that the user specified
   # at instance creation time.
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "without-password";
+  services.openssh.permitRootLogin = "prohibit-password";
   services.openssh.passwordAuthentication = mkDefault false;
 
   # Force getting the hostname from Google Compute.
diff --git a/nixos/modules/virtualisation/nova-image.nix b/nixos/modules/virtualisation/nova-image.nix
index 7971212b47c..e253c77ebb4 100644
--- a/nixos/modules/virtualisation/nova-image.nix
+++ b/nixos/modules/virtualisation/nova-image.nix
@@ -31,7 +31,7 @@ with lib;
   # Allow root logins
   services.openssh.enable = true;
-  services.openssh.permitRootLogin = "without-password";
+  services.openssh.permitRootLogin = "prohibit-password";
 
   # Put /tmp and /var on /ephemeral0, which has a lot more space.
   # Unfortunately we can't do this with the `fileSystems' option
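Review bot: The context comment `# Allow root logins` above the changed line is vaguer than the sibling images' wording, and since `prohibit-password` still permits key-based root login while refusing password and keyboard-interactive authentication for root, the comment should say so: `# Allow root logins only via public key; password authentication for root is refused.` Nothing in this hunk sets `services.openssh.passwordAuthentication`, so non-root password logins are presumably still possible here, unlike the google-compute-image.nix hunk in the same patch; consider adding `services.openssh.passwordAuthentication = mkDefault false;` after the permitRootLogin line. The enclosing attribute set begins and ends outside the hunk.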