authorAlyssa Ross <hi@alyssa.is>2019-09-08 00:25:51 +0000
committerAlyssa Ross <hi@alyssa.is>2019-09-16 22:10:16 +0000
commit12aecf83ed7a4f877b216888149f3de9678545f9 (patch)
tree65c31727a128c2585ec60feda7e4c80fba296d87 /nixpkgs
parentc4b560df78424a151dfe4bab886dbdb82eab9c79 (diff)
nixos/ssh: add authorizedKeysCommand{,User} options
Diffstat (limited to 'nixpkgs')
-rw-r--r--nixpkgs/nixos/modules/services/networking/ssh/sshd.nix24
1 files changed, 22 insertions, 2 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index c7607dac4298..df4fed46d34a 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -228,6 +228,18 @@ in
         '';
       };
 
+      authorizedKeysCommand = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = "Program to look up public keys";
+      };
+
+      authorizedKeysCommandUser = mkOption {
+        type = types.str;
+        default = "ssh_authorized_keys";
+        description = "User under whose account authorizedKeysCommand is run";
+      };
+
       authorizedKeysFiles = mkOption {
         type = types.listOf types.str;
         default = [];
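Review bot: The description of `authorizedKeysCommand` at L34 omits the constraints sshd(8) imposes on this program, which are exactly what a user needs to know to make the option work: the path must be absolute, and the file and every directory above it must be owned by root and not writable by group or others, otherwise sshd silently refuses to run it and the failure only shows up in the auth log at login time. I would expand it to something like `description = "Program to look up a user's public keys. Must be an absolute path, owned by root and not writable by group or others, or sshd will refuse to run it. Run as authorizedKeysCommandUser; with no arguments sshd passes the target username as the sole argument."`. It is also worth stating in the description whether the `types.path` type is meant to admit sshd tokens such as `%u` or `%k` appended after the path, since the type only checks for a leading `/` as far as I can tell and a user will otherwise guess. The `authorizedKeysCommandUser` description could likewise note that the account is created automatically when `authorizedKeysCommand` is set.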
@@ -354,10 +366,14 @@ in
 
   config = mkIf cfg.enable {
 
-    users.users.sshd =
-      { isSystemUser = true;
+    users.users = {
+      sshd = {
+        isSystemUser = true;
         description = "SSH privilege separation user";
       };
+    } // (optionalAttrs (cfg.authorizedKeysCommand != null) {
+      ${cfg.authorizedKeysCommandUser} = {};
+    });
 
     services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
 
@@ -487,6 +503,10 @@ in
 
         PrintMotd no # handled by pam_motd
 
+        ${optionalString (cfg.authorizedKeysCommand != null) ''
+          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
+        ''}
         AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
 
         ${flip concatMapStrings cfg.hostKeys (k: ''