If you are paranoid enough to think about this (and you should be), you should be protecting your ssh keys with passphrases in any case. Most developer-targeting malware goes and copies the contents of ~/.ssh
as the first step, immediately followed by ~/.netrc
. Even if you didn’t have specific security implications around leaking your keys, leaking your keys at all is already quite catastrophic.
Such malware is known to have been distributed via Minecraft mods, gnome themes, vscode plugins, java libraries, python libraries, npm projects, crypto wallets and pretty much everything else under the sun, often crafted to look very official. The package manager ones are particularly insidious, usually being typo squatters, and hooking into the install scripts, just fat-fingering one letter once when running pip install
is enough to bust your unprotected keys. The package hosts usually don’t have sufficient manpower or incentive to check all the incoming packages for this type of thing, and most of them allow arbitrary code execution on installation, so it’s a bit of a wild west.
Keys should never be unprotected at rest.
Let the ssh agent cache your passphrase if typing passwords frequently is too much of a bother, and use diceware and password managers if memorability is an issue. And/or use hardware tokens, 6-digit pins with brute force protection are really convenient, and it means your keys cannot be exposed via software alone (and are hard to expose even if someone gets ahold of your hardware token).
That’s not the issue this thread is discussing; is sudo
on the remote actually required for this? You’ll need it locally for the local deployment, but the remote builds should be possible without a privileged user?
You can! Looks like the NixOS module doesn’t have an option for this by default, it just reuses services.openssh.authorizedKeysFiles
: nixpkgs/nixos/modules/security/pam.nix at 261abe8a44a7e8392598d038d2e01f7b33cf26d0 · NixOS/nixpkgs · GitHub
You could make your own pam config line that does the same thing, but only permits keys from a specific list. Would be nice to have an option for that upstream, too.