Merge pull request #82413 from aanderse/authorized-keys-command

nixos/sshd: add authorizedKeysCommand and authorizedKeysCommandUser options
2020-03-14 23:58:47 +01:00 · 2020-03-14 23:58:47 +01:00 · 74f451b851
parent 68db99ad97 dbe59eca84
commit 74f451b851
4 changed files with 35 additions and 8 deletions
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@ -28,6 +28,15 @@
     PHP now defaults to PHP 7.4, updated from 7.3.
    </para>
   </listitem>
+   <listitem>
+    <para>
+     Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link>
+     and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have
+     been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal>
+     in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should
+     make use of these new options instead.
+    </para>
+   </listitem>
  </itemizedlist>
 </section>

--- a/nixos/modules/security/google_oslogin.nix
+++ b/nixos/modules/security/google_oslogin.nix
@ -59,10 +59,8 @@ in
        exec ${package}/bin/google_authorized_keys "$@"
      '';
    };
-    services.openssh.extraConfig = ''
-      AuthorizedKeysCommand /etc/ssh/authorized_keys_command_google_oslogin %u
-      AuthorizedKeysCommandUser nobody
-    '';
+    services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command_google_oslogin %u";
+    services.openssh.authorizedKeysCommandUser = "nobody";
  };

 }
--- a/nixos/modules/services/misc/sssd.nix
+++ b/nixos/modules/services/misc/sssd.nix
@ -88,9 +88,7 @@ in {
        exec ${pkgs.sssd}/bin/sss_ssh_authorizedkeys "$@"
      '';
    };
-    services.openssh.extraConfig = ''
-      AuthorizedKeysCommand /etc/ssh/authorized_keys_command
-      AuthorizedKeysCommandUser nobody
-    '';
+    services.openssh.authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+    services.openssh.authorizedKeysCommandUser = "nobody";
  })];
 }
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -238,6 +238,26 @@ in
        description = "Files from which authorized keys are read.";
      };

+      authorizedKeysCommand = mkOption {
+        type = types.str;
+        default = "none";
+        description = ''
+          Specifies a program to be used to look up the user's public
+          keys. The program must be owned by root, not writable by group
+          or others and specified by an absolute path.
+        '';
+      };
+
+      authorizedKeysCommandUser = mkOption {
+        type = types.str;
+        default = "nobody";
+        description = ''
+          Specifies the user under whose account the AuthorizedKeysCommand
+          is run. It is recommended to use a dedicated user that has no
+          other role on the host than running authorized keys commands.
+        '';
+      };
+
      kexAlgorithms = mkOption {
        type = types.listOf types.str;
        default = [
@ -485,6 +505,8 @@ in
        PrintMotd no # handled by pam_motd

        AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
+        AuthorizedKeysCommand ${cfg.authorizedKeysCommand}
+        AuthorizedKeysCommandUser ${cfg.authorizedKeysCommandUser}

        ${flip concatMapStrings cfg.hostKeys (k: ''
          HostKey ${k.path}