Merge pull request #82413 from aanderse/authorized-keys-command
nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options
This commit is contained in:
commit
74f451b851
@ -28,6 +28,15 @@
|
||||
PHP now defaults to PHP 7.4, updated from 7.3.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
|
||||
and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
|
||||
been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
|
||||
in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
|
||||
make use of these new options instead.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
@ -59,10 +59,8 @@ in
|
||||
exec ${package}/bin/google_authorized_keys "$@"
|
||||
'';
|
||||
};
|
||||
services.openssh.extraConfig = ''
|
||||
AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
|
||||
AuthorizedKeysCommandUser nobody
|
||||
'';
|
||||
services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
|
||||
services.openssh.authorizedKeysCommandUser = "nobody";
|
||||
};
|
||||
|
||||
}
|
||||
|
@ -88,9 +88,7 @@ in {
|
||||
exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
|
||||
'';
|
||||
};
|
||||
services.openssh.extraConfig = ''
|
||||
AuthorizedKeysCommand /etc/ssh/authorized_keys_command
|
||||
AuthorizedKeysCommandUser nobody
|
||||
'';
|
||||
services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
|
||||
services.openssh.authorizedKeysCommandUser = "nobody";
|
||||
})];
|
||||
}
|
||||
|
@ -238,6 +238,26 @@ in
|
||||
description = "Files from which authorized keys are read.";
|
||||
};
|
||||
|
||||
authorizedKeysCommand = mkOption {
|
||||
type = types.str;
|
||||
default = "none";
|
||||
description = ''
|
||||
Specifies a program to be used to look up the user's public
|
||||
keys. The program must be owned by root, not writable by group
|
||||
or others and specified by an absolute path.
|
||||
'';
|
||||
};
|
||||
|
||||
authorizedKeysCommandUser = mkOption {
|
||||
type = types.str;
|
||||
default = "nobody";
|
||||
description = ''
|
||||
Specifies the user under whose account the AuthorizedKeysCommand
|
||||
is run. It is recommended to use a dedicated user that has no
|
||||
other role on the host than running authorized keys commands.
|
||||
'';
|
||||
};
|
||||
|
||||
kexAlgorithms = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
@ -485,6 +505,8 @@ in
|
||||
PrintMotd no # handled by pam_motd
|
||||
|
||||
AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
|
||||
AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
|
||||
AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
|
||||
|
||||
${flip concatMapStrings cfg.hostKeys (k: ''
|
||||
HostKey ${k.path}
|
||||
|
Loading…
Reference in New Issue
Block a user