ilyakooo0/nixpkgs
1
0
Fork 0
mirror of https://github.com/ilyakooo0/nixpkgs.git synced 2025-01-01 16:34:15 +03:00
Code Issues Projects Releases Wiki Activity

nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options

Browse Source
This commit is contained in:
Aaron Andersen 2020-03-12 10:58:50 -04:00
parent 6d14bac048
commit dbe59eca84
4 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
nixos/doc/manual/release-notes/rl-2009.xml
View File

@ -28,6 +28,15 @@
PHP now defaults to PHP 7.4, updated from 7.3. PHP now defaults to PHP 7.4, updated from 7.3.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
make use of these new options instead.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>

6
nixos/modules/security/google_oslogin.nix
View File

@ -59,10 +59,8 @@ in
exec ${package}/bin/google_authorized_keys "$@" exec ${package}/bin/google_authorized_keys "$@"
''; '';
}; };
services.openssh.extraConfig = '' services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u services.openssh.authorizedKeysCommandUser = "nobody";
AuthorizedKeysCommandUser nobody
'';
}; };
} }

6
nixos/modules/services/misc/sssd.nix
View File

@ -88,9 +88,7 @@ in {
exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@" exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
''; '';
}; };
services.openssh.extraConfig = '' services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
AuthorizedKeysCommand /etc/ssh/authorized_keys_command services.openssh.authorizedKeysCommandUser = "nobody";
AuthorizedKeysCommandUser nobody
'';
})]; })];
} }

22
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -238,6 +238,26 @@ in
description = "Files from which authorized keys are read."; description = "Files from which authorized keys are read.";
}; };
authorizedKeysCommand = mkOption {
type = types.str;
default = "none";
description = ''
Specifies a program to be used to look up the user's public
keys. The program must be owned by root, not writable by group
or others and specified by an absolute path.
'';
};
authorizedKeysCommandUser = mkOption {
type = types.str;
default = "nobody";
description = ''
Specifies the user under whose account the AuthorizedKeysCommand
is run. It is recommended to use a dedicated user that has no
other role on the host than running authorized keys commands.
'';
};
kexAlgorithms = mkOption { kexAlgorithms = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ default = [
@ -485,6 +505,8 @@ in
PrintMotd no # handled by pam_motd PrintMotd no # handled by pam_motd
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
${flip concatMapStrings cfg.hostKeys (k: '' ${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path} HostKey ${k.path}