ssh-ca-vault: by default enable user matches

This commit is contained in:
Luke Granger-Brown 2022-03-11 22:31:57 +00:00
parent ae97fddae2
commit f15e112da7


@ -2,7 +2,7 @@
# #
# SPDX-License-Identifier: Apache-2.0 # SPDX-License-Identifier: Apache-2.0
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings; inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
@ -30,9 +30,18 @@ in {
services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + '' services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
TrustedUserCAKeys ${../../secrets/client-ca.pub} TrustedUserCAKeys ${../../secrets/client-ca.pub}
AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
AuthorizedPrincipalsCommandUser sshd
AuthorizedPrincipalsFile %h/.ssh/authorized_principals AuthorizedPrincipalsFile %h/.ssh/authorized_principals
AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
''; '';
environment.etc."ssh/authorized_principals_cmd" = {
mode = "0555";
text = ''
#!${pkgs.stdenv.shell}
echo "$1"
'';
};
environment.etc."ssh/authorized_principals.d/root".text = '' environment.etc."ssh/authorized_principals.d/root".text = ''
lukegb lukegb