
is `Interactive sudo is enabled! Using a sudo password is less secure than correctly configured SSH keys.` warranted in my case?

teto opened this issue 1 year ago • 5 comments

So when I use deploy-rs, I get the following warning:

🚀 ℹ️ [deploy] [INFO] Evaluating flake in .
🚀 ⚠️ [deploy] [WARN] Interactive sudo is enabled! Using a sudo password is less secure than correctly configured SSH keys.
Please use keys in production environments.
🚀 ℹ️ [deploy] [INFO] You will now be prompted for the sudo password for redacted.com.

I do use ssh keys to authenticate to the server with a plain user. I have root ssh access disabled for security reasons. And I don't want my plain user to run passwordless sudo commands, so I need the password to run the nixos-rebuild switch. I feel the warning is targeted at users using password-based ssh? Which is not my case, but I still get the warning. Also, the password is asked right at the start of deploy-rs; I would prefer for it to be asked at the last second, right before doing the switch, to avoid the process holding onto it.

teto avatar Nov 09 '24 14:11 teto

Ya I think sudo password, ssh key passphrase and ssh password authentication are different things. I don't know why I use ssh key with passphrase and sudo password with normal user, still get this warning message.

amalgame21 avatar Nov 13 '24 13:11 amalgame21

I wrote this feature and we included this warning because there are technically ‘safer’ ways to escalate privileges to root from a non-root user after ssh, regardless of password auth for root ssh. Personally, I agree it’s overkill and is fine in most scenarios (hence, the feature exists...). But from memory, I think this warning exists because… well, just assume a naive user who probably doesn’t understand the implications of leaving password-based authentication and sudo on a production host.

Consider this which I use to manage a fleet of devices:

  • deploy-rs is configured to ssh to host as a normal user (let's call them deploy)
  • Forward my SSH agent to the host
  • PAM configured on the host to allow SSH agent authentication for sudo
  • sudo configured to only allow the required programs for deployment to be run with sudo for the deploy user (something like activate-rs, rm, and nix)

With this method, your SSH client controls keys (which can [or should] be password-protected) that are used to raise privileges.

n-hass avatar Feb 20 '25 03:02 n-hass

Thanks for sharing your thoughts, @n-hass. This was helpful to better understand this warning.

sudo configured to only allow the required programs for deployment to be run with sudo for the deploy user (something like activate-rs, rm, and nix)

Could you share how you deal with configuring sudo, specifically how you recommend dealing with specifying the absolute path for activate-rs? Logs show that deploy-rs is calling /nix/store/bba0[…]a-activatable-nixos-system-25.05.20250724.3ff0e34/activate-rs which is not conveniently predictable. Are you using a wildcard like /nix/store/*-activatable-nixos-system-*/activate-rs?

Separately, I think this warning could be improved by clarifying that "correctly configured SSH keys" refers to using SSH keys for sudo authentication, and/or pointing users to examples of properly configured setups.

The current phrasing is probably commonly interpreted as a suggestion to disable sudo authentication altogether (and using password/passphrase protected SSH keys authentication when remotely connecting over SSH), because that's the tradeoff that most folks are familiar with, which sounds counter to common security practices. This was, at least, my interpretation until I learned about SSH agent authentication for sudo from this thread.

0xcharly avatar Aug 12 '25 12:08 0xcharly

For anyone looking to make sudo work with an SSH key, here's my nix configuration (this is on the remote machine):

  users.users.deploy = {
    isNormalUser = true;
    description = "System deploy user";
    uid = 2000;
    extraGroups = [
      "wheel"
      "sudo"
    ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3....."
    ];
  };

  services.openssh.settings.AllowUsers = ["deploy"];

  # Enable 'sudo' with SSH key
  security.pam.sshAgentAuth = {
    enable = true;
  };

  nix.settings.trusted-users = ["deploy"];

This is without any limitation on what deploy can run.

Corresponding deploy-rs host definition:

  vps = {
    hostname = "vps";
    sshUser = "deploy";
    sshOpts = ["-i" "/home/user/.ssh/id_ed25519.pub"];
    interactiveSudo = false;
    autoRollback = true;
    remoteBuild = false;
    activationTimeout = 600;
    profiles.system = {
      user = "root";
      path =
        deploy-rs.lib.x86_64-linux.activate.nixos
        self.nixosConfigurations.door;
    };
  };

alberand avatar Aug 12 '25 13:08 alberand

Thanks for sharing your config, @alberand.

For those who want to restrict the commands that the deploy user can run via sudo, the following config seems to work with deploy-rs:

security.sudo.extraRules = [
  {
    users = ["deploy"];
    commands = [
      { command = "/nix/store/*-activatable-nixos-system-*/activate-rs"; }
      { command = "/run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"; }
    ];
  }
];

NOPASSWD is not required when PAM SSH agent authentication is correctly set up. Instead, PAM authenticates you by matching the keys known to your SSH agent against the user's authorized keys.

0xcharly avatar Aug 12 '25 14:08 0xcharly
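Putting n-hass's four-step scheme and 0xcharly's sudo rules together in one NixOS module for the remote host, as an added example that is not deploy-rs code nor any poster's config. It assumes the deploy user is named `deploy`, that the matching deploy-rs node passes `"-A"` in `sshOpts` so the agent is forwarded, and that NixOS keeps `SSH_AUTH_SOCK` in sudo's `env_keep` when `security.pam.sshAgentAuth` is enabled.

```nix
# Added example: remote-host module for SSH-agent-authenticated, command-restricted sudo.
# Assumes the deploy-rs node sets sshOpts = [ "-A" ] so the agent reaches the host.
{ config, lib, pkgs, ... }:
{
  users.users.deploy = {
    isNormalUser = true;
    description = "System deploy user";
    # No "wheel": the only sudo access is the explicit rule below.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAA...PLACEHOLDER deploy@workstation" # placeholder public key
    ];
  };

  # Key-only login for the deploy user, no root login, no password prompts.
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
    AllowUsers = [ "deploy" ];
  };

  # sudo authenticates against the forwarded agent via pam_ssh_agent_auth.
  # NixOS writes openssh.authorizedKeys.keys to /etc/ssh/authorized_keys.d/<user>,
  # which is the module's default authorizedKeysFiles location, so the same
  # key serves both SSH login and sudo; no NOPASSWD is needed.
  security.pam.sshAgentAuth.enable = true;

  # Only what deploy-rs needs, and only as root. The glob constrains the
  # store path *pattern*, not what is inside the matched path.
  security.sudo.extraRules = [
    {
      users = [ "deploy" ];
      runAs = "root";
      commands = [
        { command = "/nix/store/*-activatable-nixos-system-*/activate-rs"; }
        { command = "/run/current-system/sw/bin/rm /tmp/deploy-rs-canary-*"; }
      ];
    }
  ];

  # deploy-rs copies the closure as this user, so the daemon must trust it;
  # trusted users can realise arbitrary store paths, so treat the rule above
  # as a guard against accidents rather than against a compromised deploy key.
  nix.settings.trusted-users = [ "deploy" ];
}
```

With this in place the deploy-rs node can keep `interactiveSudo = false`, and the warning from the issue title no longer applies because no sudo password is involved.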