authorTom Fitzhenry <tom@tom-fitzhenry.me.uk>2024-04-21 22:51:02 +1000
committerTom Fitzhenry <tom@tom-fitzhenry.me.uk>2024-04-23 22:40:58 +1000
commit2e51a2fd03972819ef4e3fb8001a7e286a2469bb (patch)
tree9e95edaad787cb28b4a538b9833741807585d661
parent41911ed9d2ce9bc43fa32d796a62697bc62641b9 (diff)
nixos/ssh: allow UsePAM to be disabled
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix5
-rw-r--r--nixos/tests/openssh.nix28
2 files changed, 30 insertions, 3 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 5f2f6cb07af7..90cdadf66a6d 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -346,6 +346,7 @@ in
violates the privacy of users and is not recommended.
'';
};
+ UsePAM = mkEnableOption "PAM authentication" // { default = true; };
UseDns = mkOption {
type = types.bool;
# apply if cfg.useDns then "yes" else "no"
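Review bot: The new `UsePAM` option only carries mkEnableOption's generic "Whether to enable PAM authentication." text, yet switching it off is a security-relevant change: the hunk at @@ -622 drops the `security.pam.services.sshd` definition entirely, so ssh logins lose PAM account/session handling, and on a PAM-enabled build sshd then authenticates passwords without PAM. The description should spell that out so nobody flips it to save a dependency, e.g. `UsePAM = mkEnableOption "PAM authentication" // { default = true; description = "Whether sshd authenticates and manages sessions through PAM. Disabling this removes the sshd PAM service; only do so with an sshd built without PAM support, or when you understand that password and session handling will bypass PAM."; };`. The enclosing `settings` submodule starts and ends outside this hunk.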
@@ -622,7 +623,7 @@ in
networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;
- security.pam.services.sshd =
+ security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
{ startSession = true;
showMotd = true;
unixAuth = cfg.settings.PasswordAuthentication;
@@ -638,8 +639,6 @@ in
services.openssh.extraConfig = mkOrder 0
''
- UsePAM yes
-
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
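Review bot: Dropping the `mkOrder 0` `UsePAM yes` line changes how a conflicting `UsePAM` keyword in user extraConfig is resolved. sshd honours the first occurrence of a keyword, and the removed line was ordered ahead of everything else, so a user's `UsePAM no` in extraConfig was previously inert; after this change the outcome depends on where the `settings` attrset is rendered relative to extraConfig, which is outside this hunk. If settings are rendered after extraConfig, such a user silently ends up without PAM while `security.pam.services.sshd` is still configured. A one-line comment stating the intended precedence, or an assertion rejecting `UsePAM` in extraConfig, would make the behaviour explicit; the enclosing extraConfig string continues past the hunk.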
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index f71b0a22fe63..a039986621ca 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -108,6 +108,23 @@ in {
};
};
+ server-no-pam =
+ { pkgs, ... }:
+ {
+ programs.ssh.package = pkgs.opensshPackages.openssh.override {
+ withPAM = false;
+ };
+ services.openssh = {
+ enable = true;
+ settings = {
+ UsePAM = false;
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ snakeOilPublicKey
+ ];
+ };
+
client =
{ ... }: {
virtualisation.vlans = [ 1 2 ];
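Review bot: The new `server-no-pam` node pairs `settings.UsePAM = false` with an sshd built `withPAM = false`, so the test never exercises the combination most users of the new option will actually hit: `UsePAM = false` on the default PAM-enabled package, where the module now omits the sshd PAM service while sshd still has PAM compiled in. A second node without the package override, or a comment stating that only the PAM-less build is covered, would make the intended scope clear, e.g. `# Covers UsePAM=false only for an sshd built without PAM; the default package with UsePAM=false is untested.`. The `nodes` attrset this node lives in starts and ends outside the hunk.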
@@ -122,6 +139,7 @@ in {
server_allowed_users.wait_for_unit("sshd", timeout=30)
server_localhost_only.wait_for_unit("sshd", timeout=30)
server_match_rule.wait_for_unit("sshd", timeout=30)
+ server_no_pam.wait_for_unit("sshd", timeout=30)
server_lazy.wait_for_unit("sshd.socket", timeout=30)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -211,5 +229,15 @@ in {
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
timeout=30
)
+
+ with subtest("no-pam"):
+ client.succeed(
+ "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+ )
+ client.succeed("chmod 600 privkey.snakeoil")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
+ timeout=30
+ )
'';
})
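Review bot: The `no-pam` subtest re-creates `privkey.snakeoil` with a fresh `cat` and `chmod` even though the preceding subtest at the top of the hunk already uses that same file, so the two setup lines appear to be copied rather than needed; earlier subtests are outside the hunk, so this is inferred from the context line. If the key setup is meant to be shared, the subtest can shrink to the single `client.succeed("ssh ... -i privkey.snakeoil server-no-pam true", timeout=30)` call. Since the subtest only proves key-based login works, a one-line comment such as `# key auth only; password auth without PAM is not covered here` would keep readers from assuming more than is tested.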