From 12aecf83ed7a4f877b216888149f3de9678545f9 Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Sun, 8 Sep 2019 00:25:51 +0000
Subject: nixos/ssh: add authorizedKeysCommand{,User} options

---
 .../nixos/modules/services/networking/ssh/sshd.nix | 24 ++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

(limited to 'nixpkgs')

diff --git a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
index c7607dac4298..df4fed46d34a 100644
--- a/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixpkgs/nixos/modules/services/networking/ssh/sshd.nix
@@ -228,6 +228,18 @@ in
 '';
 };
+ authorizedKeysCommand = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "Program to look up public keys";
+ };
+ authorizedKeysCommandUser = mkOption {
+ type = types.str;
+ default = "ssh_authorized_keys";
+ description = "User under whose account authorizedKeysCommand is run";
+ };
+
 authorizedKeysFiles = mkOption {
 type = types.listOf types.str;
 default = [];
@@ -354,10 +366,14 @@ in
 config = mkIf cfg.enable {
- users.users.sshd =
- { isSystemUser = true;
+ users.users = {
+ sshd = {
+ isSystemUser = true;
 description = "SSH privilege separation user";
 };
+ } // (optionalAttrs (cfg.authorizedKeysCommand != null) {
+ ${cfg.authorizedKeysCommandUser} = {};
+ });
 services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
@@ -487,6 +503,10 @@ in
 PrintMotd no # handled by pam_motd
+ ${optionalString (cfg.authorizedKeysCommand != null) ''
+ AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+ AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}
+ ''}
 AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
 ${flip concatMapStrings cfg.hostKeys (k: ''
-- 
cgit 1.4.1
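Review bot: The description of `authorizedKeysCommand` in the first hunk omits the constraints sshd enforces on this program at runtime, which are the first thing an operator will trip over: per sshd_config(5) the program must be an absolute path, owned by root and not writable by group or others, and with no arguments it is invoked with the target username as its only argument. Because the option is `types.path`, a value can carry no arguments either, so the `%u`/`%f`/`%k` tokens cannot be passed; that is worth stating, or the type should become `types.str` if arguments are intended. Suggested description: `"Program sshd runs, as authorizedKeysCommandUser, to look up a user's public keys. Must be an absolute path owned by root and not group/world-writable; it is invoked with the username as argument."`. The `authorizedKeysCommandUser` description should likewise say the account ought to be a dedicated, unprivileged one, since the command runs with that user's privileges.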
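Review bot: The account added in the second hunk for `authorizedKeysCommandUser` is declared as the empty attrset `{}`, unlike the `sshd` user directly above it, so it is neither marked `isSystemUser = true` nor given a description, even though sshd will execute AuthorizedKeysCommand with this account's privileges and it should clearly be an unprivileged system account. Suggest `${cfg.authorizedKeysCommandUser} = { isSystemUser = true; description = "AuthorizedKeysCommand user for sshd"; };`. If the option is meant to be pointed at an account declared elsewhere (for example `nobody`), the `//` merge still contributes these definitions to it, so how the module system reconciles `isSystemUser` with an account already declared as a normal user should be checked before adopting this. The enclosing `config` attrset continues outside the hunk.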
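Review bot: In the third hunk the `AuthorizedKeysFile` directive on the line after the new `optionalString` block stays in effect, so with a command configured sshd still accepts keys from the listed files in addition to the command; a deployment that wants the command to be the sole source of trust has to empty `authorizedKeysFiles` as well, and the option description should say so. Note also that sshd checks the command's ownership and permissions only at authentication time, so an unsafe path shows up as a refused lookup in the auth log rather than as an evaluation error at rebuild; a path copied into the store via `types.path` does satisfy the root-owned, non-writable requirement. The sshd_config string this block is interpolated into starts and ends outside the hunk.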