fix for CVE-2024-6409

This commit is contained in:
Ingolf Wagner 2024-07-09 09:48:03 +02:00
parent 5866e21d52
commit aaa3078055
No known key found for this signature in database
GPG key ID: 76BF5F1928B9618B

View file

@ -57,6 +57,11 @@ in
enable = true; enable = true;
settings.X11Forwarding = false; settings.X11Forwarding = false;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
# We might want to remove this once, openssh is fixed everywhere:
# Workaround for CVE-2024-6387 and CVE-2024-6409
# https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
settings.LoginGraceTime = 0;
}; };
users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles; users.users.root.openssh.authorizedKeys.keyFiles = cfg.rootKeyFiles ++ defaultRootKeyFiles;