ssh-ca-vault: by default enable user matches
parent
ae97fddae2
commit
f15e112da7
1 changed files with 10 additions and 1 deletions
|
@ -2,7 +2,7 @@
|
|||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
|
||||
{ config, lib, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
inherit (lib) listToAttrs nameValuePair mkAfter concatMapStrings;
|
||||
|
||||
|
@ -30,9 +30,18 @@ in {
|
|||
|
||||
services.openssh.extraConfig = concatMapStrings (c: "HostCertificate ${c}\n") signedPaths + ''
|
||||
TrustedUserCAKeys ${../../secrets/client-ca.pub}
|
||||
AuthorizedPrincipalsCommand /etc/ssh/authorized_principals_cmd %u
|
||||
AuthorizedPrincipalsCommandUser sshd
|
||||
AuthorizedPrincipalsFile %h/.ssh/authorized_principals
|
||||
AuthorizedPrincipalsFile /etc/ssh/authorized_principals.d/%u
|
||||
'';
|
||||
environment.etc."ssh/authorized_principals_cmd" = {
|
||||
mode = "0555";
|
||||
text = ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
echo "$1"
|
||||
'';
|
||||
};
|
||||
|
||||
environment.etc."ssh/authorized_principals.d/root".text = ''
|
||||
lukegb
|
||||
|
|
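Review bot: The new principals command prints the login name for every account, so a certificate whose principal list contains `root` (or any service account name such as `sshd`) is now accepted for that account, even though `authorized_principals.d/root` deliberately lists only `lukegb`; as far as I recall sshd's logic, the command is consulted whenever the principals file yields no match, so the per-user file no longer bounds root. If "user matches" is meant for regular users only, the script should produce no output for privileged accounts, e.g. `if [ "$1" = root ]; then exit 0; fi` before `echo "$1"`, or a UID-range check via `id -u "$1"` if the box has system accounts that should never be reachable by name. A one-line comment in extraConfig stating the intent would help the next reader, e.g. `# A cert whose principals include the login name is accepted for that account; root is bounded by authorized_principals.d/root.` Note also that with two AuthorizedPrincipalsFile directives only the first is used by sshd (later repeated keywords are ignored), so the `/etc/ssh/authorized_principals.d/%u` line may be dead configuration — worth confirming with `sshd -T`.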