author | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2024-05-21 11:19:54 +0200 |
commit | 1f7ea1acad1207378e325dd0d6527a983d7192b5 (patch) | |
tree | 38c0985697418e959e9c872b1afde54f9e6880f2 /nixpkgs/nixos/modules/services/networking/ssh/sshd.nix | |
parent | a4ffc889571c7100467c7aa1ccae5a4d8373089f (diff) | |
parent | 6c0b7a92c30122196a761b440ac0d46d3d9954f1 (diff) | |
Merge remote-tracking branch 'nixpkgs/nixos-unstable'
Diffstat (limited to 'nixpkgs/nixos/modules/services/networking/ssh/sshd.nix')
-rw-r--r-- | nixpkgs/nixos/modules/services/networking/ssh/sshd.nix | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index bc95679d5d3c..57ca2b85bed2 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -296,6 +296,17 @@ in
 '';
 };
 
+ authorizedKeysInHomedir = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Enables the use of the `~/.ssh/authorized_keys` file.
+
+ Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
+ *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
+ '';
+ };
+
 authorizedKeysCommand = mkOption {
 type = types.str;
 default = "none";
@@ -637,7 +648,7 @@ in
 # https://github.com/NixOS/nixpkgs/pull/10155
 # https://github.com/NixOS/nixpkgs/pull/41745
 services.openssh.authorizedKeysFiles =
- [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
+ lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];
 
 services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; |
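Review bot: The new `authorizedKeysInHomedir` description reads as if setting it to `false` guarantees that home-directory keys are ignored, but the second hunk only drops the module's own default entry: `services.openssh.authorizedKeysFiles` is assigned without `mkDefault`, so any other definition of that option (presumably a list type that merges) can still put `%h/.ssh/authorized_keys` back, and the rendered `AuthorizedKeysFile` setting is built outside this hunk. Since an administrator disabling this option is doing so to stop users from self-enrolling keys, the description should say so explicitly, e.g. add `Note that other definitions of [](#opt-services.openssh.authorizedKeysFiles) are still merged in; this option only removes the module's default `%h/.ssh/authorized_keys` entry.` as a final paragraph. As a point of style, the replacement line in the second hunk is over 110 characters; splitting it as `lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys"` on one line and `++ [ "/etc/ssh/authorized_keys.d/%u" ];` on the next matches the surrounding formatting. The enclosing `config` attribute set for the second hunk starts and ends outside the hunk.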