fix for CVE-2024-6409

2024-07-09 09:48:03 +02:00 · 2024-07-09 09:48:03 +02:00 · aaa3078055
parent 5866e21d52
commit aaa3078055
1 changed files with 5 additions and 0 deletions
--- a/components/network/sshd/default.nix
+++ b/components/network/sshd/default.nix
@ -57,6 +57,11 @@ in
        enable = true;
        settings.X11Forwarding = false;
        settings.PasswordAuthentication = false;
+
+        # We might want to remove this once, openssh is fixed everywhere:
+        # Workaround for CVE-2024-6387 and CVE-2024-6409
+        # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
+        settings.LoginGraceTime = 0;
      };

      users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;