[Nix-dev] openssh and passwordAuthentication
Marc Weber
marco-oweber at gmx.de
Fri Aug 10 13:26:01 CEST 2012
If you use Ubuntu or the like, setting passwordAuthentication no in
sshd_config is enough because it's set before usePAM is set.

In NixOS the order is different, which is why the description exists that
passwordAuthentication = no is likely to fail unless you also set usePAM
to no.

I like the Ruby principle: principle of least surprise.
So I'd either ensure that the order is correct or that usePAM defaults
to no if you set passwordAuthentication to no.

Now ensuring order is hard because the user can set extraConfig: should
it be added first or last, or should it depend on the merge order done by the
nixos configuration system?

Thus forcing order explicitly this way would solve it:

    sshd_config_text = ''
      ${nixos_config_by_options}
      ${extraConfig}
    '';

What do you think? Setting passwordAuthentication to no and having passwords
still accepted feels strange.

Thoughts?
Marc Weber
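
Added example, not part of the original message or of NixOS: a small audit of a concatenated sshd_config text that reports the ways a password could still be accepted. It relies on two points from sshd_config(5): the first value read for a keyword is the one used, and with UsePAM enabled, keyboard-interactive authentication can still prompt for a password. Assumptions: upstream OpenSSH defaults, global section only (Match and Include are not evaluated), and constructed sample inputs.

```python
import re

# Upstream OpenSSH defaults used when a keyword is absent (assumption:
# a distribution may ship different ones).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "usepam": "no"}
# Treated as an alias, as in current OpenSSH releases.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# "Keyword value" or "Keyword=value"; comment and blank lines do not match.
LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")


def effective(config_text):
    """Effective global settings: the first value seen per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        seen.setdefault(key, m.group(2).strip().lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def password_paths(config_text):
    """List the authentication paths that can still take a password."""
    eff = effective(config_text)
    paths = []
    if eff["passwordauthentication"] != "no":
        paths.append("password")
    if eff["usepam"] == "yes" and eff["kbdinteractiveauthentication"] != "no":
        paths.append("keyboard-interactive via PAM")
    return paths


# Constructed stand-ins for the option-generated part and for extraConfig.
GENERATED = "UsePAM yes\nPasswordAuthentication no\n"
EXTRA = "# user additions\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    print("options only:         ", password_paths(GENERATED))
    print("options + extraConfig:", password_paths(GENERATED + EXTRA))
```

Running the same check against the file a configuration system actually generates shows which of two conflicting settings sshd will use for a given concatenation order.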