This reverts commit a3331eb87b.
See https://github.com/NixOS/nixpkgs/issues/2559#issuecomment-47313334
for a description why this is not a good idea.
I guess it's better to implement a sane way to remove all files in
authorized_keys.d, especially because it is also backwards-compatible.
Reopens#2559.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
By enabling ‘services.openssh.startWhenNeeded’, sshd is started
on-demand by systemd using socket activation. This is particularly
useful if you have a zillion containers and don't want to have sshd
running permanently. Note that socket activation is not noticeable
slower, contrary to what the manpage for ‘sshd -i’ says, so we might
want to make this the default one day.
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
- Make dhcp work, use dhcpcd without udev in container
- Make login shell work, patch getty to not wait for /dev/tty0
- Make ssh work, sshd/pam do not start session
Sshd *must* use PAM because we depend on it for proper session
management. The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
That is, you can say
security.pam.services.sshd = { options... };
instead of
security.pam.services = [ { name = "sshd"; options... } ];
making it easier to override PAM settings from other modules.
