ssh-ca-vault: by default enable user matches
This commit is contained in:
parent
ae97fddae2
commit
f15e112da7
1 changed files with 10 additions and 1 deletions
|
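--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
 
@@ -30,9 +30,18 @@ in {
 
 services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
 TrustedUserCAKeys ${../../secrets/client-ca.pub}
+AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
+AuthorizedPrincipalsCommandUser sshd
 AuthorizedPrincipalsFile %h/.ssh/authorized_principals
 AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
 '';
+environment.etc."ssh/authorized_principals_cmd" = {
+mode = "0555";
+text = ''
+#!${pkgs.stdenv.shell}
+echo "$1"
+'';
+};
 
 environment.etc."ssh/authorized_principals.d/root".text = ''
 lukegb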
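Review bot: The new `authorized_principals_cmd` script widens what a CA-signed certificate can do without saying so anywhere: by echoing `$1` (the `%u` login name) it makes the target account name itself an accepted principal for every account, so a certificate carrying the principal `root` now authorizes root login, whereas before this hunk root was only reachable through the `lukegb` entry in `authorized_principals.d/root`. That is presumably the intent of "enable user matches", but it deserves a comment next to the `AuthorizedPrincipalsCommand` line, e.g. `# Accept any certificate whose principal list contains the login name itself (in addition to the AuthorizedPrincipalsFile entries below).`. The `mode = "0555"` on the etc entry also carries an unstated reason: sshd refuses an AuthorizedPrincipalsCommand that is not root-owned and non-writable by group/others, and the explicit mode appears to be what makes NixOS emit a real file with those permissions rather than a store symlink; a one-line comment such as `# Explicit mode: sshd requires the command to be root-owned and not group/other-writable` would save the next reader the same investigation. The `let` bindings and the `in {` attribute set enclosing both hunks start and end outside the hunks.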