nixos-anywhere
Cannot run with password-protected sudo
Describe the bug
When attempting to provision (or in my case re-provision) a host that has password-protected sudo, nixos-anywhere fails completely.
```
### Switching system into kexec ###
Pseudo-terminal will not be allocated because stdin is not a terminal.
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
```
To Reproduce
Steps to reproduce the behavior:
- Enable password on the account being connected to
- Configure sudo to require password for actions
- Run nixos-anywhere
Expected behavior
I expect to be prompted for a password so I can continue.
System information
Additional context
I tried all the pseudo-tty options, but none of them solve this. I think it's a fundamental issue with the way the commands are passed to ssh through stdin.
Did you try -t?
Yes.
This gets in the way of using this with Google Cloud, among many other hosts I'd imagine, as this is the default behaviour for sudo on Ubuntu, CentOS, and even NixOS itself.
> among many other hosts I'd imagine, as this is the default behaviour for sudo on Ubuntu, CentOS, and even NixOS itself.
Not sure about google cloud, but this issue can often be circumvented by logging in as root.
And logging in as root will likely require changing sshd_config and restarting the service. Ideally nixos-anywhere would work with a regular user who may need to enter a password to sudo, as this would allow working with almost any system without changing configurations.
Yes, I do agree that we should probably support sudo with a password, PR would be welcome :)
I was just responding to a comment which claimed that this issue "gets in the way on many hosts" to highlight a work-around
Actually, it turned out that in my case I had to set wheelNeedsPassword = false;, which is not an option I'm thrilled to have set on servers. The error came from after the reboot; I didn't notice this at first. nixos-anywhere actually will make the sshd_config changes and then switch to root for installing already.
To be fair, it does say so in the documentation quite clearly. E.g. in the Quickstart Guide:
> A target machine, reachable via SSH, with your SSH public key deployed and the privilege to either login directly as root or to use password-less sudo.
Making this more of a feature-request than a bug.
However, it's a deal-breaker for me, too. nixos-rebuild has an option --use-remote-sudo which doesn't work too well because of https://github.com/NixOS/nix/issues/4894 and the need to use NIX_SSHOPTS=-tt (or -t), but at least it's possible. It would also be nice to have it work with sudo-alternatives like doas.
One could restrict the commands allowed to be run with password-less sudo, as shown here https://wiki.archlinux.org/title/Sudo
```
USER_NAME HOST_NAME= NOPASSWD: /usr/bin/halt,/usr/bin/poweroff,/usr/bin/reboot,/usr/bin/pacman -Syu
```
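The NixOS equivalent of that scoped sudoers line, as an added example that is not part of the thread or of nixos-anywhere: instead of disabling the password for every wheel command with wheelNeedsPassword = false, grant NOPASSWD only to an explicit command list via security.sudo.extraRules. The account name "deploy" and the command paths are placeholders; the thread does not state which commands nixos-anywhere actually needs, so the list here mirrors the Arch wiki example.

```nix
# Added example (not nixos-anywhere code). Compare:
#   security.sudo.wheelNeedsPassword = false;   # no password for ANY wheel command
# with the narrower rule below, which keeps the wheel default and only
# exempts a fixed set of commands for one account.
{ config, pkgs, ... }:
{
  security.sudo = {
    enable = true;
    wheelNeedsPassword = true;   # NixOS default; left in place deliberately

    extraRules = [
      {
        users = [ "deploy" ];    # placeholder: the account ssh connects as
        commands = [
          # Placeholder paths mirroring the Arch wiki line above; adjust to
          # the commands the provisioning tool really runs. Never put a shell,
          # an editor or anything that spawns a subprocess here: NOPASSWD on
          # such a command is equivalent to unrestricted root.
          { command = "/run/current-system/sw/bin/halt";     options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/poweroff"; options = [ "NOPASSWD" ]; }
          { command = "/run/current-system/sw/bin/reboot";   options = [ "NOPASSWD" ]; }
        ];
      }
    ];
  };
}
```

After `nixos-rebuild switch`, `sudo -l -U deploy` on the target lists exactly which commands are exempt from the password, which is a quick way to confirm the rule did not widen beyond what was intended.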
Could whatever fixed this be linked?
There is no fix. I closed this cleaning up my stale issues.
I would ask that this be reopened, then, as the issue hasn't been addressed and it's still valid.