I just had a look at the user.name.openssh.authorizedKeys.keys option: - That you can choose adding a section /overriding everything is great
problems: - it doesn't get run in the activation phase (?) - Thus you have to restart sshd (which is non obvious without reading code) How to fix? Add it to the activation phase & ensure its run after the code creating the users .. Thus which is the way to go? add postUserSetup script like options? - if you want to control that file entirely - should the script be run by a cron-job every X hours - and should be there a way to report violations? I mean you don't want to ssh every 3 days to make sure that all authorized_keys files contain what you think they contain. That's only one use case. Checking ports, permissions on files (eg home directories) and much more should be checked regularly if you want feel save. Does this make sense? Has anybody else thought about how this should be implemented? I mean nobody wants to get hacked - but if you do - you should know about it. That's why I think about how to detect that case as well. It will be very hard (if not impossible) to make sure that nixos is total secure. I feel nobody can pay full penetration testing after each small update - which is why I think about finding alternatives. I'm aware that chowning large email directories could have impacts on performance which makes me think that what I'm looking for is not feasible? Marc Weber _______________________________________________ nix-dev mailing list nix-dev@lists.science.uu.nl http://lists.science.uu.nl/mailman/listinfo/nix-dev