diff options
| -rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 9 | ||||
| -rw-r--r-- | nixos/modules/security/google_oslogin.nix | 6 | ||||
| -rw-r--r-- | nixos/modules/services/misc/sssd.nix | 6 | ||||
| -rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 22 |
4 files changed, 35 insertions, 8 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index e236b230332..72474e5dbd4 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -28,6 +28,15 @@ PHP now defaults to PHP 7.4, updated from 7.3. </para> </listitem> + <listitem> + <para> + Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> + and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have + been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal> + in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should + make use of these new options instead. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/security/google_oslogin.nix b/nixos/modules/security/google_oslogin.nix index 246419b681a..6f9962e1d62 100644 --- a/nixos/modules/security/google_oslogin.nix +++ b/nixos/modules/security/google_oslogin.nix @@ -59,10 +59,8 @@ in exec ${package}/bin/google_authorized_keys "$@" ''; }; - services.openssh.extraConfig = '' - AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u - AuthorizedKeysCommandUser nobody - ''; + services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u"; + services.openssh.authorizedKeysCommandUser = "nobody"; }; } diff --git a/nixos/modules/services/misc/sssd.nix b/nixos/modules/services/misc/sssd.nix index 6b64045dde8..36008d25741 100644 --- a/nixos/modules/services/misc/sssd.nix +++ b/nixos/modules/services/misc/sssd.nix @@ -88,9 +88,7 @@ in { exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@" ''; }; - services.openssh.extraConfig = '' - AuthorizedKeysCommand /etc/ssh/authorized_keys_command - AuthorizedKeysCommandUser nobody - ''; + services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command"; + services.openssh.authorizedKeysCommandUser = "nobody"; })]; } diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index b0e2e303cbc..2069ec178aa 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -238,6 +238,26 @@ in description = "Files from which authorized keys are read."; }; + authorizedKeysCommand = mkOption { + type = types.str; + default = "none"; + description = '' + Specifies a program to be used to look up the user's public + keys. The program must be owned by root, not writable by group + or others and specified by an absolute path. + ''; + }; + + authorizedKeysCommandUser = mkOption { + type = types.str; + default = "nobody"; + description = '' + Specifies the user under whose account the AuthorizedKeysCommand + is run. It is recommended to use a dedicated user that has no + other role on the host than running authorized keys commands. + ''; + }; + kexAlgorithms = mkOption { type = types.listOf types.str; default = [ @@ -485,6 +505,8 @@ in PrintMotd no # handled by pam_motd AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} + AuthorizedKeysCommand ${cfg.authorizedKeysCommand} + AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser} ${flip concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} |