Diffstat (limited to 'nixpkgs')
-rw-r--r--nixpkgs/nixos/modules/services/networking/ssh/sshd.nix24
1 files changed, 22 insertions, 2 deletions
diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index c7607dac4298..df4fed46d34a 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -228,6 +228,18 @@ in
         '';
       };
 
+      authorizedKeysCommand = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = "Program to look up public keys";
+      };
+
+      authorizedKeysCommandUser = mkOption {
+        type = types.str;
+        default = "ssh_authorized_keys";
+        description = "User under whose account authorizedKeysCommand is run";
+      };
+
       authorizedKeysFiles = mkOption {
         type = types.listOf types.str;
         default = [];
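Review bot: The `authorizedKeysCommand` description "Program to look up public keys" leaves out the constraints sshd imposes, so a user who points the `types.path` option at a file outside the store (which the type permits) only finds out at login time that sshd silently ignores it: sshd refuses an AuthorizedKeysCommand that is not owned by root or is writable by group or others and falls back to the key files. I would extend the description to say that the program must be root-owned and not group/world-writable (a Nix store path satisfies this), that it is run as `authorizedKeysCommandUser`, and that it receives only the target user name as its argument since the generated config passes no tokens. For `authorizedKeysCommandUser` I would add that the account is created automatically when `authorizedKeysCommand` is set and should be a dedicated account with no other role, because any pre-authentication SSH client can cause the program to run as that user. The enclosing `options` set begins and ends outside this hunk.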
@@ -354,10 +366,14 @@ in
 
   config = mkIf cfg.enable {
 
-    users.users.sshd =
-      { isSystemUser = true;
+    users.users = {
+      sshd = {
+        isSystemUser = true;
         description = "SSH privilege separation user";
       };
+    } // (optionalAttrs (cfg.authorizedKeysCommand != null) {
+      ${cfg.authorizedKeysCommandUser} = {};
+    });
 
     services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
 
@@ -487,6 +503,10 @@ in
 
         PrintMotd no # handled by pam_motd
 
+        ${optionalString (cfg.authorizedKeysCommand != null) ''
+          AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+          AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
+        ''}
         AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
 
         ${flip concatMapStrings cfg.hostKeys (k: ''
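Review bot: The generated `AuthorizedKeysCommand ${cfg.authorizedKeysCommand}` line carries no arguments, and because the option is typed `types.path` a configuration has no way to pass `%k`, `%t` or `%f`, so the lookup program can never see the key the client offered and must return the user's full key list on every attempt. If that is intended, the option description should say so; otherwise emit `AuthorizedKeysCommand ${cfg.authorizedKeysCommand} %u` explicitly as documentation of the default, or type the option as a string so callers can add tokens. Independently, sshd checks the command's ownership and mode only at authentication time and, if it fails, logs an "Unsafe AuthorizedKeysCommand"-style message and skips it, so a non-store path configured here degrades silently to file-based keys; a `warnings` entry when `cfg.authorizedKeysCommand` does not start with `/nix/store/` would surface that at build time. The config string this line belongs to continues outside the hunk.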