Merge pull request #96991 from Mic92/sshd

2020-09-10 06:13:07 +02:00 · 2020-09-10 06:13:07 +02:00 · 940195c0e7
parent 5985b5c94c 0e7f6a884b
commit 940195c0e7
3 changed files with 19 additions and 10 deletions
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -70,9 +70,13 @@

   <para>
    If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <command>systemctl start
-    sshd</command>. You then must set a password for either <literal>root</literal> or
-    <literal>nixos</literal> with <command>passwd</command> to be able to login.
+    can use activated SSH daemon. You need to copy your ssh key to either
+    <literal>/home/nixos/.ssh/authorized_keys</literal> or
+    <literal>/root/.ssh/authorized_keys</literal> (Tip: For installers with a
+    modifiable filesystem such as the sd-card installer image a key can be manually
+    placed by mounting the image on a different machine). Alternatively you must set
+    a password for either <literal>root</literal> or <literal>nixos</literal> with
+    <command>passwd</command> to be able to login.
   </para>
  </section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -901,6 +901,10 @@ CREATE ROLE postgres LOGIN SUPERUSER;
     Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
   </para>
   </listitem>
+   <listitem>
+    The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer.
+    To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
+   </listitem>
   <listitem>
    <para>
     The scripted networking system now uses <literal>.link</literal> files in
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -51,22 +51,23 @@ with lib;
    services.mingetty.helpLine = ''
      The "nixos" and "root" accounts have empty passwords.

-      Type `sudo systemctl start sshd` to start the SSH daemon.
-      You then must set a password for either "root" or "nixos"
-      with `passwd` to be able to login.
+      An ssh daemon is running. You then must set a password
+      for either "root" or "nixos" with `passwd` or add an ssh key
+      to /home/nixos/.ssh/authorized_keys be able to login.
    '' + optionalString config.services.xserver.enable ''
      Type `sudo systemctl start display-manager' to
      start the graphical user interface.
    '';

-    # Allow sshd to be started manually through "systemctl start sshd".
+    # We run sshd by default. Login via root is only possible after adding a
+    # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys.
+    # The latter one is particular useful if keys are manually added to
+    # installation device for head-less systems i.e. arm boards by manually
+    # mounting the storage in a different system.
    services.openssh = {
      enable = true;
-      # Allow password login to the installation, if the user sets a password via "passwd"
-      # It is safe as root doesn't have a password by default and SSH is disabled by default
      permitRootLogin = "yes";
    };
-    systemd.services.sshd.wantedBy = mkOverride 50 [];

    # Enable wpa_supplicant, but don't start it by default.
    networking.wireless.enable = mkDefault true;