diff --git a/ops/nixos/lib/ssh-ca-vault.nix b/ops/nixos/lib/ssh-ca-vault.nix
index f14638e3c6..9dc64aaf9f 100644
--- a/ops/nixos/lib/ssh-ca-vault.nix
+++ b/ops/nixos/lib/ssh-ca-vault.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
@@ -30,9 +30,18 @@ in {
   services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
     TrustedUserCAKeys ${../../secrets/client-ca.pub}
+    AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
+    AuthorizedPrincipalsCommandUser sshd
     AuthorizedPrincipalsFile %h/.ssh/authorized_principals
     AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
   '';
+  environment.etc."ssh/authorized_principals_cmd" = {
+    mode = "0555";
+    text = ''
+      #!${pkgs.stdenv.shell}
+      echo "$1"
+    '';
+  };
   environment.etc."ssh/authorized_principals.d/root".text = ''
     lukegb