nixos/openssh: add support for authorized principals

Aaron Andersen 2023-10-06 12:49:52 -04:00
parent bb71697a42
commit 76fb9da41f


@ -74,6 +74,19 @@ let
}; };
}; };
options.openssh.authorizedPrincipals = mkOption {
type = with types; listOf types.singleLineStr;
default = [];
description = mdDoc ''
A list of verbatim principal names that should be added to the user's
authorized principals.
'';
example = [
"example@host"
"foo@bar"
];
};
}; };
authKeysFiles = let authKeysFiles = let
@ -89,6 +102,16 @@ let
)); ));
in listToAttrs (map mkAuthKeyFile usersWithKeys); in listToAttrs (map mkAuthKeyFile usersWithKeys);
authPrincipalsFiles = let
mkAuthPrincipalsFile = u: nameValuePair "ssh/authorized_principals.d/${u.name}" {
mode = "0444";
text = concatStringsSep "\n" u.openssh.authorizedPrincipals;
};
usersWithPrincipals = attrValues (flip filterAttrs config.users.users (n: u:
length u.openssh.authorizedPrincipals != 0
));
in listToAttrs (map mkAuthPrincipalsFile usersWithPrincipals);
in in
{ {
@ -285,6 +308,14 @@ in
type = types.submodule ({name, ...}: { type = types.submodule ({name, ...}: {
freeformType = settingsFormat.type; freeformType = settingsFormat.type;
options = { options = {
AuthorizedPrincipalsFile = mkOption {
type = types.str;
default = "none"; # upstream default
description = lib.mdDoc ''
Specifies a file that lists principal names that are accepted for certificate authentication. The default
is `"none"`, i.e. not to use a principals file.
'';
};
LogLevel = mkOption { LogLevel = mkOption {
type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ]; type = types.enum [ "QUIET" "FATAL" "ERROR" "INFO" "VERBOSE" "DEBUG" "DEBUG1" "DEBUG2" "DEBUG3" ];
default = "INFO"; # upstream default default = "INFO"; # upstream default
@ -444,7 +475,7 @@ in
services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli"; services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server"; services.openssh.sftpServerExecutable = mkDefault "${cfgc.package}/libexec/sftp-server";
environment.etc = authKeysFiles // environment.etc = authKeysFiles // authPrincipalsFiles //
{ "ssh/moduli".source = cfg.moduliFile; { "ssh/moduli".source = cfg.moduliFile;
"ssh/sshd_config".source = sshconf; "ssh/sshd_config".source = sshconf;
}; };
@ -541,6 +572,8 @@ in
services.openssh.authorizedKeysFiles = services.openssh.authorizedKeysFiles =
[ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";
services.openssh.extraConfig = mkOrder 0 services.openssh.extraConfig = mkOrder 0
'' ''
UsePAM yes UsePAM yes
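Review bot: Turning on a global `AuthorizedPrincipalsFile` as soon as any single user declares `openssh.authorizedPrincipals` (the `mkIf` line in the last hunk) silently changes certificate authentication for every other user: as far as I can tell from sshd's `user_cert_trusted_ca`, once a principals file is configured a match in that file is required and the usual fallback of matching the certificate's principals against the username no longer applies, so a user with no file under `authorized_principals.d` would lose certificate login entirely. That is fail-closed rather than a hole, but it is surprising enough that the `authorizedPrincipals` option description in the first hunk should say so, e.g. `Note: once any user sets this, certificate login for every other user also requires an entry here (or in its own principals file)`, or the module should emit a per-user file for every user with the username as its sole principal. Separately, the definition is a bare `mkIf` on a `types.str` option, so an operator who also sets `services.openssh.settings.AuthorizedPrincipalsFile` explicitly gets a conflicting-definition error instead of an override; `mkIf (authPrincipalsFiles != {}) (mkDefault "/etc/ssh/authorized_principals.d/%u")` would keep the explicit setting authoritative.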