From f15e112da77ade050039d2faa318fab38321abcc Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 11 Mar 2022 22:31:57 +0000
Subject: [PATCH] ssh-ca-vault: by default enable user matches

---
 ops/nixos/lib/ssh-ca-vault.nix | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ops/nixos/lib/ssh-ca-vault.nix b/ops/nixos/lib/ssh-ca-vault.nix
index f14638e3c6..9dc64aaf9f 100644
--- a/ops/nixos/lib/ssh-ca-vault.nix
+++ b/ops/nixos/lib/ssh-ca-vault.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
   inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
@@ -30,9 +30,18 @@ in {
   services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
     TrustedUserCAKeys ${../../secrets/client-ca.pub}
+    AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
+    AuthorizedPrincipalsCommandUser sshd
     AuthorizedPrincipalsFile %h/.ssh/authorized_principals
     AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
   '';
+  environment.etc."ssh/authorized_principals_cmd" = {
+    mode = "0555";
+    text = ''
+      #!${pkgs.stdenv.shell}
+      echo "$1"
+    '';
+  };
   environment.etc."ssh/authorized_principals.d/root".text = ''
     lukegb