nixos/installer: enable sshd by default

Right now the UX for installing NixOS on a headless system is very bad. To enable sshd without physical steps users have to have either physical access or need to be very knowledge-able to figure out how to modify the installation image by hand to put an `sshd.service` symlink in the right directory in /nix/store. This is in particular a problem on ARM SBCs (single board computer) but also other hardware where network is the only meaningful way to access the hardware. This commit enables sshd by default. This does not give anyone access to the NixOS installer since by default. There is no user with a non-empty password or key. It makes it easy however to add ssh keys to the installation image (usb stick, sd-card on arm boards) by simply mounting it and adding a keys to `/root/.ssh/authorized_keys`. Importantly this should not require nix/nixos on the machine that prepare the installation device and even feasiable on non-linux systems by using ext4 third party drivers. Potential new threats: Since this enables sshd by default a potential bug in openssh could lead to remote code execution. Openssh has a very good track-record over the last 20 years, which makes it far more likely that Linux itself would have a remote code execution vulnerability. It is trusted by millions of servers on many operating systems to be exposed to the internet by default. Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
2020-09-03 05:00:53 +02:00 · 2020-09-03 05:00:53 +02:00 · a5872edf2f
parent 24e513bcf0
commit a5872edf2f
3 changed files with 19 additions and 10 deletions
--- a/nixos/doc/manual/installation/installing.xml
+++ b/nixos/doc/manual/installation/installing.xml
@ -70,9 +70,13 @@

   <para>
    If you would like to continue the installation from a different machine you
-    need to activate the SSH daemon via <command>systemctl start
-    sshd</command>. You then must set a password for either <literal>root</literal> or
-    <literal>nixos</literal> with <command>passwd</command> to be able to login.
+    can use activated SSH daemon. You need to copy your ssh key to either
+    <literal>/home/nixos/.ssh/authorized_keys</literal> or
+    <literal>/root/.ssh/authorized_keys</literal> (Tip: For installers with a
+    modifyable filesystem such as the sd-card installer image a key can be be manual
+    placed by mounting the image on a different machine). Alternatively you must set
+    a password for either <literal>root</literal> or <literal>nixos</literal> with
+    <command>passwd</command> to be able to login.
   </para>
  </section>
 </section>
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -864,6 +864,10 @@ CREATE ROLE postgres LOGIN SUPERUSER;
     Default algorithm for ZRAM swap was changed to <literal>zstd</literal>.
   </para>
   </listitem>
+   <listitem>
+    The installer now enables sshd by default. This improves installation on headless machines especially ARM single-board-computer.
+    To login through ssh, either a password or an ssh key must be set for the root user or the nixos user.
+   </listitem>
   <listitem>
    <para>
     The scripted networking system now uses <literal>.link</literal> files in
--- a/nixos/modules/profiles/installation-device.nix
+++ b/nixos/modules/profiles/installation-device.nix
@ -51,22 +51,23 @@ with lib;
    services.mingetty.helpLine = ''
      The "nixos" and "root" accounts have empty passwords.

-      Type `sudo systemctl start sshd` to start the SSH daemon.
-      You then must set a password for either "root" or "nixos"
-      with `passwd` to be able to login.
+      An ssh daemon is running. You then must set a password
+      for either "root" or "nixos" with `passwd` or add an ssh key
+      to /home/nixos/.ssh/authorized_keys be able to login.
    '' + optionalString config.services.xserver.enable ''
      Type `sudo systemctl start display-manager' to
      start the graphical user interface.
    '';

-    # Allow sshd to be started manually through "systemctl start sshd".
+    # We run sshd by default. Login via root is only possible after adding a
+    # password via "passwd" or by adding a ssh key to /home/nixos/.ssh/authorized_keys.
+    # The latter one is particular useful if keys are manually added to
+    # installation device for head-less systems i.e. arm boards by manually
+    # mounting the storage in a different system.
    services.openssh = {
      enable = true;
-      # Allow password login to the installation, if the user sets a password via "passwd"
-      # It is safe as root doesn't have a password by default and SSH is disabled by default
      permitRootLogin = "yes";
    };
-    systemd.services.sshd.wantedBy = mkOverride 50 [];

    # Enable wpa_supplicant, but don't start it by default.
    networking.wireless.enable = mkDefault true;