nixos-anywhere
feat: Adding flag for using sudo instead of root user
The Problem
When installing NixOS to a remote server, one may use a minimal ISO, which disables root login for security reasons. In this case, nixos-anywhere will always fail, even when the remote sudo binary can be used.
Proposed Solution
Similar to how nix build does it, a --use-remote-sudo flag could be implemented.
Please provide
- the git revision of nixos-anywhere used
- the git revision of the nixos minimal iso used
- the full command executed (if running again please pass `--debug`)
- the full output with the error
- I used the newest release of nixos-anywhere: https://github.com/nix-community/nixos-anywhere/releases/tag/1.6.0
- I used my own generated iso with ssh agent enabled.
nix run github:nix-community/nixos-anywhere -- --flake ".#node-01" --ssh-option "ForwardAgent=yes" --debug --phases kexec,disko -p "22" "[email protected]"
+ shift
+ [[ 7 -gt 0 ]]
+ case "$1" in
+ sshArgs+=("-o" "$2")
+ shift
+ shift
+ [[ 5 -gt 0 ]]
+ case "$1" in
+ phases[kexec]=0
+ phases[disko]=0
+ phases[install]=0
+ phases[reboot]=0
+ IFS=,
+ read -r -a phaseList
+ for phase in "${phaseList[@]}"
+ [[ 0 == unset ]]
+ phases[$phase]=1
+ for phase in "${phaseList[@]}"
+ [[ 0 == unset ]]
+ phases[$phase]=1
+ shift
+ shift
+ [[ 3 -gt 0 ]]
+ case "$1" in
+ sshArgs+=("-p" "$2")
+ shift
+ shift
+ [[ 1 -gt 0 ]]
+ case "$1" in
+ [[ -z '' ]]
+ [email protected]
+ shift
+ [[ 0 -gt 0 ]]
+ [[ y == \y ]]
+ nixOptions+=("-L")
+ [[ y == \y ]]
+ nixCopyOptions+=("--substitute-on-destination")
+ [[ n == \n ]]
+ [[ -z [email protected] ]]
+ [[ -n .#node-01 ]]
+ [[ .#node-01 =~ ^(.*)#([^#"]*)$ ]]
+ flake=.
+ flakeAttr=node-01
+ [[ -z node-01 ]]
+ [[ node-01 != nixosConfigurations.* ]]
+ flakeAttr='nixosConfigurations."node-01".config'
+ [[ n == y ]]
+ [[ -n . ]]
+ [[ n == \n ]]
+ [[ none == \n\o\n\e ]]
+ [[ 1 == 1 ]]
++ nixBuild '.#nixosConfigurations."node-01".config.system.build.diskoScript'
++ NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere -o ForwardAgent=yes -p 22'
++ nix build --print-out-paths --no-link --extra-experimental-features 'nix-command flakes' --no-write-lock-file -L '.#nixosConfigurations."node-01".config.system.build.diskoScript'
warning: Git tree '/home/niklas/Desktop/homelab' is dirty
+ diskoScript=/nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko
++ nixBuild '.#nixosConfigurations."node-01".config.system.build.toplevel'
++ NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere -o ForwardAgent=yes -p 22'
++ nix build --print-out-paths --no-link --extra-experimental-features 'nix-command flakes' --no-write-lock-file -L '.#nixosConfigurations."node-01".config.system.build.toplevel'
warning: Git tree '/home/niklas/Desktop/homelab' is dirty
+ nixosSystem=/nix/store/3xwqa9ldjzglffql4fg3vrs2x8lq6yah-nixos-system-node-01-24.11.20241222.1807c2b
+ [[ -n '' ]]
++ ssh -o ForwardAgent=yes -p 22 -G [email protected]
+ sshSettings='host 192.168.122.175
user nixos
hostname 192.168.122.175
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
checkhostip no
compression no
controlmaster false
enablesshkeysign no
clearallforwardings no
exitonforwardfailure no
fingerprinthash SHA256
forwardx11 no
forwardx11trusted no
gatewayports no
gssapiauthentication no
gssapidelegatecredentials no
hashknownhosts no
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
proxyusefdpass no
pubkeyauthentication true
requesttty auto
sessiontype default
stdinnull no
forkafterauthentication no
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
verifyhostkeydns false
visualhostkey no
updatehostkeys true
enableescapecommandline no
canonicalizemaxdots 1
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
requiredrsasize 1024
obscurekeystroketiming yes
ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
hostkeyalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
hostbasedacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
kexalgorithms sntrup761x25519-sha512,[email protected],mlkem768x25519-sha256,curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
casignaturealgorithms ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
loglevel INFO
macs [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
securitykeyprovider internal
pubkeyacceptedalgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],rsa-sha2-512,rsa-sha2-256
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ecdsa_sk
identityfile ~/.ssh/id_ed25519
identityfile ~/.ssh/id_ed25519_sk
identityfile ~/.ssh/id_xmss
canonicaldomains none
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile /home/niklas/.ssh/known_hosts /home/niklas/.ssh/known_hosts2
logverbose none
channeltimeout none
permitremoteopen any
addkeystoagent false
forwardagent yes
connecttimeout none
tunneldevice any:any
canonicalizePermittedcnames none
controlpersist no
escapechar ~
ipqos af21 cs1
rekeylimit 0 0
streamlocalbindmask 0177
syslogfacility USER'
++ awk '/^user / { print $2 }'
++ echo '... (same ssh -G output as above) ...'
+ sshUser=nixos
++ echo '... (same ssh -G output as above) ...'
++ awk '/^hostname / { print $2 }'
+ sshHost=192.168.122.175
+ uploadSshKey
+ mkdir -p /home/niklas/.ssh/
+ ssh-keygen -t ed25519 -f /tmp/tmp.RQPRoaxxE1/nixos-anywhere -P '' -C nixos-anywhere
+ declare -a sshCopyIdArgs
+ [[ -n '' ]]
+ step Uploading install SSH keys
+ echo '### Uploading install SSH keys ###'
+ [[ n == y ]]
+ ssh-copy-id -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere.pub -o ConnectTimeout=10 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -p 22 [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/tmp/tmp.RQPRoaxxE1/nixos-anywhere.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Warning: Permanently added '192.168.122.175' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/niklas/.ssh/id_rsa':
+ importFacts
+ step Gathering machine facts
+ echo '### Gathering machine facts ###'
+ local facts filteredFacts
++ runSsh -o ConnectTimeout=10 enableDebug=-x sh --
++ ssh -t -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -p 22 [email protected] -o ConnectTimeout=10 enableDebug=-x sh --
Pseudo-terminal will not be allocated because stdin is not a terminal.
Warning: Permanently added '192.168.122.175' (ED25519) to the list of known hosts.
++ test -f /etc/os-release
++ grep -Eq 'ID(_LIKE)?="?nixos"?' /etc/os-release
++ echo y
+ isNixos=y
+ cat
++ uname
++ uname -m
++ test -f /etc/is_kexec
++ echo n
++ '[' y = y ']'
++ grep -Eq 'VARIANT_ID="?installer"?' /etc/os-release
++ echo y
+++ has systemd-detect-virt
+++ command -v systemd-detect-virt
+++ echo y
++ '[' y = y ']'
++ systemd-detect-virt --container
+++ has ip
+++ command -v ip
+++ echo y
++ '[' y = n ']'
++ ip r g 1
++ echo n
++ has tar
++ command -v tar
++ echo y
++ has cpio
++ command -v cpio
++ echo y
++ has sudo
++ command -v sudo
++ echo y
++ has doas
++ command -v doas
++ echo n
++ has wget
++ command -v wget
++ echo n
++ has curl
++ command -v curl
++ echo y
++ has setsid
++ command -v setsid
++ echo y
++ command -v nixos-facter
++ echo y
+ facts='isOs=Linux
isArch=x86_64
isKexec=n
isNixos=y
isInstaller=y
isContainer=none
hasIpv6Only=n
hasTar=y
hasCpio=y
hasSudo=y
hasDoas=n
hasWget=n
hasCurl=y
hasSetsid=y
hasNixOSFacter=y'
++ echo 'isOs=Linux
isArch=x86_64
isKexec=n
isNixos=y
isInstaller=y
isContainer=none
hasIpv6Only=n
hasTar=y
hasCpio=y
hasSudo=y
hasDoas=n
hasWget=n
hasCurl=y
hasSetsid=y
hasNixOSFacter=y'
++ grep -E '^(has|is)[A-Za-z0-9_]+=\S+'
+ filteredFacts='isOs=Linux
isArch=x86_64
isKexec=n
isNixos=y
isInstaller=y
isContainer=none
hasIpv6Only=n
hasTar=y
hasCpio=y
hasSudo=y
hasDoas=n
hasWget=n
hasCurl=y
hasSetsid=y
hasNixOSFacter=y'
+ [[ -z isOs=Linux
isArch=x86_64
isKexec=n
isNixos=y
isInstaller=y
isContainer=none
hasIpv6Only=n
hasTar=y
hasCpio=y
hasSudo=y
hasDoas=n
hasWget=n
hasCurl=y
hasSetsid=y
hasNixOSFacter=y ]]
++ echo 'isOs=Linux
isArch=x86_64
isKexec=n
isNixos=y
isInstaller=y
isContainer=none
hasIpv6Only=n
hasTar=y
hasCpio=y
hasSudo=y
hasDoas=n
hasWget=n
hasCurl=y
hasSetsid=y
hasNixOSFacter=y'
++ xargs
+ export isOs=Linux isArch=x86_64 isKexec=n isNixos=y isInstaller=y isContainer=none hasIpv6Only=n hasTar=y hasCpio=y hasSudo=y hasDoas=n hasWget=n hasCurl=y hasSetsid=y hasNixOSFacter=y
+ isOs=Linux
+ isArch=x86_64
+ isKexec=n
+ isNixos=y
+ isInstaller=y
+ isContainer=none
+ hasIpv6Only=n
+ hasTar=y
+ hasCpio=y
+ hasSudo=y
+ hasDoas=n
+ hasWget=n
+ hasCurl=y
+ hasSetsid=y
+ hasNixOSFacter=y
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z Linux ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z x86_64 ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z n ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z none ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z n ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z n ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z n ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ for var in isOs isArch isKexec isInstaller isContainer hasIpv6Only hasTar hasCpio hasSudo hasDoas hasWget hasCurl hasSetsid
+ [[ -z y ]]
+ [[ y == \n ]]
+ [[ y == \n ]]
+ [[ y == \n ]]
+ maybeSudo=
+ [[ y == \y ]]
+ maybeSudo=sudo
+ [[ Linux != \L\i\n\u\x ]]
+ [[ 1 == 1 ]]
+ runKexec
+ [[ n == \y ]]
+ [[ y == \y ]]
+ return
+ [[ none != \n\o\n\e ]]
+ [[ n == \n ]]
+ [[ -n . ]]
+ [[ none != \n\o\n\e ]]
+ [[ y == \y ]]
+ [[ nixos != \r\o\o\t ]]
+ runSsh 'sudo mkdir -p /root/.ssh; sudo cp ~/.ssh/authorized_keys /root/.ssh || true'
+ ssh -t -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes -p 22 [email protected] 'sudo mkdir -p /root/.ssh; sudo cp ~/.ssh/authorized_keys /root/.ssh || true'
Warning: Permanently added '192.168.122.175' (ED25519) to the list of known hosts.
Connection to 192.168.122.175 closed.
+ [email protected]
+ [[ 1 == 1 ]]
+ runDisko /nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko
+ local diskoScript=/nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko
+ [[ -n /nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko ]]
+ nixCopy --to ssh://[email protected] /nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko
+ NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/tmp.RQPRoaxxE1/nixos-anywhere -o ForwardAgent=yes -p 22'
+ nix copy --extra-experimental-features 'nix-command flakes' --no-write-lock-file -L --substitute-on-destination --to ssh://[email protected] /nix/store/mx937cigvhc3frlkggzky3iqwv96gc1p-disko
Warning: Permanently added '192.168.122.175' (ED25519) to the list of known hosts.
[email protected]: Permission denied (publickey,keyboard-interactive).
error: failed to start SSH connection to '[email protected]'
+ rm -rf /tmp/tmp.RQPRoaxxE1
I want to be able to disable the root login and use the ssh agent, and yes, this error makes sense; that's why I made the feature request.
How is this going?
If this will be implemented, please consider allowing the use of doas as well as sudo 🙂
I guess this would be faster if someone would do a pull request. Would you like to do it together with me?
I guess this https://github.com/nix-community/nixos-anywhere/pull/550 does not fix this issue but maybe makes it easier to implement the rest.
The Problem
When installing NixOS to a remote server, one may use a minimal ISO, which disables root login for security reasons. In this case, nixos-anywhere will always fail, even when the remote sudo binary can be used.
Does ssh not have a better security track record than sudo?
I tried to add this to nixos-anywhere, but especially nix interactions get really complicated. So I don't think I want this code in nixos-anywhere.