From d46372d382290f60d7d0d7cae191b7eaeb32620a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?=
Date: Wed, 8 May 2024 22:29:37 +0200
Subject: [PATCH] base: disable authorized keys in ~/.ssh/authorized_keys
---
 flake.lock | 12 ++++++------
 modules/defaults/base/sshd.nix | 3 +++
 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index 4901068..33c0721 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1714612856,
- "narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
+ "lastModified": 1715070411,
+ "narHash": "sha256-5CNvkH0Nf7yMwgKhjUNg/lUK40C7DXB4zKOuA2jVO90=",
 "owner": "nix-community",
 "repo": "disko",
- "rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
+ "rev": "4677f6c53482a8b01ee93957e3bdd569d51261d6",
 "type": "github"
 },
 "original": {
@@ -67,11 +67,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1714635257,
- "narHash": "sha256-4cPymbty65RvF1DWQfc+Bc8B233A1BWxJnNULJKQ1EY=",
+ "lastModified": 1715087517,
+ "narHash": "sha256-CLU5Tsg24Ke4+7sH8azHWXKd0CFd4mhLWfhYgUiDBpQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "63c3a29ca82437c87573e4c6919b09a24ea61b0f",
+ "rev": "b211b392b8486ee79df6cdfb1157ad2133427a29",
 "type": "github"
 },
 "original": {
diff --git a/modules/defaults/base/sshd.nix b/modules/defaults/base/sshd.nix
index 3389414..873d2c9 100644
--- a/modules/defaults/base/sshd.nix
+++ b/modules/defaults/base/sshd.nix
@@ -15,6 +15,9 @@ with lib;
 UsePAM = true;
 };
 
+ # disable ~/.ssh/authorized_keys (default in 24.11)
+ authorizedKeysInHomedir = false;
+
 # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/doc/user/gitlab_com/index.md#ssh-host-keys-fingerprints
 knownHosts."gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
 # https://github.blog/2021-09-01-improving-git-protocol-security-github/#new-host-keys
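Review bot: The new `authorizedKeysInHomedir = false;` line sits in the base defaults, so every host importing this module stops honouring `~/.ssh/authorized_keys` on its next deploy, and nothing in the hunk verifies that each login account still has a declaratively managed key. Presumably keys are supplied through `users.users.<name>.openssh.authorizedKeys`; if any machine still relies on a hand-placed file, key login there breaks, so an assertion or pre-deploy check for that case would be worth adding. The comment would also read better if it stated the intent rather than an upstream default that may change, e.g. `# only trust keys declared in the NixOS config (/etc/ssh/authorized_keys.d); ignore user-writable ~/.ssh/authorized_keys`. The enclosing attribute set starts and ends outside the hunk, so whether password login remains available as a fallback is not visible here.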