From bad3be757463efda60a59e9edd0629d28aaf0bb6 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Thu, 5 Nov 2020 01:50:16 +0000
Subject: [PATCH] ops: tweak SSH auth; add red solo SK-resident key
---
 ops/nixos/lib/client.nix | 1 +
 ops/nixos/lib/common.nix | 4 ++--
 ops/secrets/lukegb_red_solo.pub | 1 +
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 ops/secrets/lukegb_red_solo.pub
diff --git a/ops/nixos/lib/client.nix b/ops/nixos/lib/client.nix
index 10ea35cec5..7cb77d77a1 100644
--- a/ops/nixos/lib/client.nix
+++ b/ops/nixos/lib/client.nix
@@ -9,6 +9,7 @@ in {
 config = {
 my.home-manager.imports = lib.mkAfter [ ./home-manager/client.nix ];
+ programs.ssh.startAgent = true;
 nix.gc.automatic = false;
 };
 }
diff --git a/ops/nixos/lib/common.nix b/ops/nixos/lib/common.nix
index 4484dc9413..4cfb9837e9 100644
--- a/ops/nixos/lib/common.nix
+++ b/ops/nixos/lib/common.nix
@@ -57,8 +57,7 @@ in
 };
 environment.homeBinInPath = true;
- security.doas.wheelNeedsPassword = false;
- security.sudo.wheelNeedsPassword = false;
+ security.pam.enableSSHAgentAuth = true;
 users.mutableUsers = false;
 users.users = let secrets = depot.ops.secrets; in {
@@ -74,6 +73,7 @@ in
 ../../secrets/lukegb_porcorosso_win.pub
 ../../secrets/lukegb_porcorosso_wsl.pub
 ../../secrets/lukegb_porcorosso_linux.pub
+ ../../secrets/lukegb_red_solo.pub
 ];
 };
 deployer = {
diff --git a/ops/secrets/lukegb_red_solo.pub b/ops/secrets/lukegb_red_solo.pub
new file mode 100644
index 0000000000..b395bfd202
--- /dev/null
+++ b/ops/secrets/lukegb_red_solo.pub
@@ -0,0 +1 @@
+sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBAgBXCPpGxeapXvRW8z+/ZFMXvZ9q+Z2mcn5ApCSKqkS7CQjlzTj7Z21/DRQEXQALALLyqfFhcDm1VZkEp/ruBYAAAAEc3NoOg== lukegb-red-solo-key
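Review bot: `programs.ssh.startAgent = true;` only gets the agent running locally; for the new `security.pam.enableSSHAgentAuth` on the servers to see it, the client must also forward the agent (`ForwardAgent` / `ssh -A`), which this hunk does not configure, and forwarding hands root on every target host a usable agent socket. Because the new Solo key is an SK key whose signatures need a physical touch, that exposure is bounded for it, but any non-SK keys loaded into the same agent are not protected the same way. A short comment on the new line would make the intent and the trade-off explicit, e.g. `# Local agent; presumably forwarded to servers for pam_ssh_agent_auth sudo — keep only SK keys loaded.` The enclosing module attribute set begins before this hunk.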
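Review bot: Removing both `wheelNeedsPassword = false` lines means sudo and doas prompt for a password unless `pam_ssh_agent_auth` succeeds, and from this hunk alone it is only clear that `security.pam.enableSSHAgentAuth` wires that module into the `sudo` PAM service; whether the doas PAM service also gets it depends on the doas module in the pinned nixpkgs and should be verified, or set explicitly with `security.pam.services.doas.sshAgentAuth = true;`. As far as I can tell the module matches the forwarded key against `services.openssh.authorizedKeysFiles`, so the `openssh.authorizedKeys.keyFiles` list further down only participates while that option keeps its default `/etc/ssh/authorized_keys.d/%u` entry. A one-line comment would spare the next reader the archaeology: `# sudo/doas authenticate via the forwarded SSH agent (pam_ssh_agent_auth); wheel is prompted for a password otherwise.` The enclosing attribute set starts and ends outside this hunk.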
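Review bot: The key added here is of type `sk-ecdsa-sha2-nistp256@openssh.com` (see the new `.pub` file in this patch), and `pam_ssh_agent_auth` has historically not recognised the `sk-*` key types; if the version in the pinned nixpkgs still does not, the Solo key will work for SSH login but silently fall through to the password prompt for sudo, so this should be checked before relying on it. Since the key is consumed as a bare `.pub` via `keyFiles`, no per-key authorized_keys options (such as `verify-required` on OpenSSH 8.4+) can be attached to it here; if a PIN requirement is wanted it has to be set where the key was generated or in a hand-written authorized_keys entry. The `keyFiles = [` list this line belongs to begins before this hunk.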