author | Aaron Andersen <aaron@fosslib.net> | 2020-03-12 10:58:50 -0400 |
---|---|---|
committer | Aaron Andersen <aaron@fosslib.net> | 2020-03-12 21:00:12 -0400 |
commit | dbe59eca8402523b82d406a63eccb62d82d964ae (patch) | |
tree | cd5f429fc4231d01d05cbedf5c6b0111bc6aca66 /nixos/modules/services/networking/ssh | |
parent | 6d14bac04845951be7d7231cd33edd8d47545635 (diff) | |
nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options
Diffstat (limited to 'nixos/modules/services/networking/ssh')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index b0e2e303cbc..2069ec178aa 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -238,6 +238,26 @@ in
 description = "Files from which authorized keys are read.";
 };
 
+ authorizedKeysCommand = mkOption {
+ type = types.str;
+ default = "none";
+ description = ''
+ Specifies a program to be used to look up the user's public
+ keys. The program must be owned by root, not writable by group
+ or others and specified by an absolute path.
+ '';
+ };
+
+ authorizedKeysCommandUser = mkOption {
+ type = types.str;
+ default = "nobody";
+ description = ''
+ Specifies the user under whose account the AuthorizedKeysCommand
+ is run. It is recommended to use a dedicated user that has no
+ other role on the host than running authorized keys commands.
+ '';
+ };
+
 kexAlgorithms = mkOption {
 type = types.listOf types.str;
 default = [
@@ -485,6 +505,8 @@ in
 PrintMotd no # handled by pam_motd
 
 AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
+ AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+ AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
 
 ${flip concatMapStrings cfg.hostKeys (k: ''
 HostKey ${k.path} |
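Review bot: `authorizedKeysCommand` encodes "not configured" as the magic string "none" under `type = types.str`, so every consumer of the option has to know that sentinel and a plain null check is impossible; the usual module idiom is `type = types.nullOr types.str; default = null;` with the sshd_config line emitted only for a non-null value. The description should also say that the value is written verbatim into sshd_config, so it may carry arguments and sshd's `%u`/`%h`-style tokens, and that the ownership and permission rules it quotes are enforced by sshd at lookup time rather than checked by this module. For `authorizedKeysCommandUser`, the text could add that the account must exist on the host (sshd appears to log an error and accept no keys from the command when the lookup fails), and that the shared `nobody` default runs counter to its own dedicated-user recommendation.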
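Review bot: Both new config lines are rendered unconditionally, so a host that previously set `AuthorizedKeysCommand` through `services.openssh.extraConfig` now gets `AuthorizedKeysCommand none` ahead of it, and because sshd uses the first value it obtains for a keyword the existing setting is silently ignored (assuming extraConfig is still appended after this block, which lies outside the hunk). Guarding the emission, e.g. `${optionalString (cfg.authorizedKeysCommand != "none") "AuthorizedKeysCommand ${cfg.authorizedKeysCommand}"}` and likewise for the user line, preserves upstream's default behaviour for hosts that do not set the option. The enclosing configuration string starts and ends outside the hunk.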