author | Aaron Andersen <aaron@fosslib.net> | 2020-03-12 10:58:50 -0400 |
committer | Aaron Andersen <aaron@fosslib.net> | 2020-03-12 21:00:12 -0400 |
commit | dbe59eca8402523b82d406a63eccb62d82d964ae (patch) | |
tree | cd5f429fc4231d01d05cbedf5c6b0111bc6aca66 /nixos/modules/services | |
parent | 6d14bac04845951be7d7231cd33edd8d47545635 (diff) | |
nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options
Diffstat (limited to 'nixos/modules/services')
-rw-r--r-- | nixos/modules/services/misc/sssd.nix | 6 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 22 |
2 files changed, 24 insertions, 4 deletions
diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix
index 6b64045dde8..36008d25741 100644
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@@ -88,9 +88,7 @@ in {
 exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
 '';
 };
- services.openssh.extraConfig = ''
- AuthorizedKeysCommand /etc/ssh/authorized_keys_command
- AuthorizedKeysCommandUser nobody
- '';
+ services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+ services.openssh.authorizedKeysCommandUser = "nobody";
 })];
 }
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index b0e2e303cbc..2069ec178aa 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -238,6 +238,26 @@ in
 description = "Files from which authorized keys are read.";
 };
 
+ authorizedKeysCommand = mkOption {
+ type = types.str;
+ default = "none";
+ description = ''
+ Specifies a program to be used to look up the user's public
+ keys. The program must be owned by root, not writable by group
+ or others and specified by an absolute path.
+ '';
+ };
+
+ authorizedKeysCommandUser = mkOption {
+ type = types.str;
+ default = "nobody";
+ description = ''
+ Specifies the user under whose account the AuthorizedKeysCommand
+ is run. It is recommended to use a dedicated user that has no
+ other role on the host than running authorized keys commands.
+ '';
+ };
+
 kexAlgorithms = mkOption {
 type = types.listOf types.str;
 default = [
@@ -485,6 +505,8 @@ in
 PrintMotd no # handled by pam_motd
 
 AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
+ AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+ AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
 
 ${flip concatMapStrings cfg.hostKeys (k: ''
 HostKey ${k.path}
|
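Review bot: The sssd module now sets `services.openssh.authorizedKeysCommandUser = "nobody";` as a hard assignment, so an administrator who follows the new option's own advice and configures a dedicated lookup user will get a definition conflict instead of an override. Since the option already defaults to `nobody`, this line could be dropped, or softened to `services.openssh.authorizedKeysCommandUser = lib.mkDefault "nobody";` so the sssd module expresses a preference rather than a requirement. The same consideration applies to the command path if a site wraps `sss_ssh_authorizedkeys` in its own script. The enclosing `mkIf` block starts outside this hunk.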
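Review bot: The `authorizedKeysCommandUser` description recommends a dedicated account, yet the option's own default is `nobody`, which on NixOS is a shared account used by other services; a reader will reasonably assume the default already meets the recommendation. I would add to the description a sentence such as `The default, nobody, is shared with other services; any command that needs access to credentials or a local cache (e.g. an LDAP client) should be given its own user via users.users.` Separately, the `authorizedKeysCommand` description states the root-ownership and mode requirements but not that these are enforced by sshd at lookup time rather than by this module, so a misconfiguration fails only when a user attempts to log in; a note like `sshd refuses to run the command (and logs the reason) if these conditions are not met; nothing in this module checks them at build time.` would save debugging time.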
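Review bot: `AuthorizedKeysCommand ${cfg.authorizedKeysCommand}` is now written into sshd_config unconditionally, emitting `AuthorizedKeysCommand none` whenever the option is left at its default. sshd honors the first occurrence of a keyword, so if `cfg.extraConfig` is appended after this point (not visible in the hunk), any deployment that previously configured `AuthorizedKeysCommand` there, as sssd.nix itself did before this commit, will now have its lookup program silently ignored and fall back to file-based keys; the breakage is quiet because sshd does not warn about a second occurrence. I would only emit the pair when a command is actually configured, e.g. `${optionalString (cfg.authorizedKeysCommand != "none") "AuthorizedKeysCommand ${cfg.authorizedKeysCommand}\nAuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}"}`, and mention the first-occurrence rule in the option description so users migrating from `extraConfig` know to move the setting. The surrounding `sshd_config` string begins and ends outside this hunk.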