From a5872edf2f61d97a4ada2734d543eaaefe25c916 Mon Sep 17 00:00:00 2001 From: Jörg Thalheim Date: Thu, 3 Sep 2020 05:00:53 +0200 Subject: nixos/installer: enable sshd by default Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledge-able to figure out how to modify the installation image by hand to put an `sshd.service` symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computer) but also other hardware where network is the only meaningful way to access the hardware. This commit enables sshd by default. This does not give anyone access to the NixOS installer since by default. There is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding a keys to `/root/.ssh/authorized_keys`. Importantly this should not require nix/nixos on the machine that prepare the installation device and even feasiable on non-linux systems by using ext4 third party drivers. Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default. Co-authored-by: Samuel Dionne-Riel --- nixos/modules/profiles/installation-device.nix | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'nixos/modules') diff --git a/nixos/modules/profiles/installation-device.nix b/nixos/modules/profiles/installation-device.nix index d05c0c50e82c..e68ea1b08776 100644 --- a/nixos/modules/profiles/installation-device.nix +++ b/nixos/modules/profiles/installation-device.nix @@ -51,22 +51,23 @@ with lib; services.mingetty.helpLine = '' The "nixos" and "root" accounts have empty passwords. - Type `sudo systemctl start sshd` to start the SSH daemon. - You then must set a password for either "root" or "nixos" - with `passwd` to be able to login. + An ssh daemon is running. You then must set a password + for either "root" or "nixos" with `passwd` or add an ssh key + to /home/nixos/.ssh/authorized_keys be able to login. '' + optionalString config.services.xserver.enable '' Type `sudo systemctl start display-manager' to start the graphical user interface. ''; - # Allow sshd to be started manually through "systemctl start sshd". + # We run sshd by default. Login via root is only possible after adding a + # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys. + # The latter one is particular useful if keys are manually added to + # installation device for head-less systems i.e. arm boards by manually + # mounting the storage in a different system. services.openssh = { enable = true; - # Allow password login to the installation, if the user sets a password via "passwd" - # It is safe as root doesn't have a password by default and SSH is disabled by default permitRootLogin = "yes"; }; - systemd.services.sshd.wantedBy = mkOverride 50 []; # Enable wpa_supplicant, but don't start it by default. networking.wireless.enable = mkDefault true; -- cgit 1.4.1