b12f: enable u2f for login, update ssh keys

2024-02-04 01:04:42 +01:00 · 2024-02-04 01:04:42 +01:00 · 5fe27940b4
parent af0d54a64d
commit 5fe27940b4
2 changed files with 4 additions and 1 deletions
--- a/users/b12f/ssh.nix
+++ b/users/b12f/ssh.nix
@ -26,14 +26,17 @@ in {
  home-manager.users."${psCfg.user.name}" = {
    home.file.".ssh/id_ed25519_sk-464.pub".text = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464";
    home.file.".ssh/id_ed25519_sk-485.pub".text = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485";
+    home.file.".ssh/id_nistp256-748.pub".text = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= YubiKey #10166748 PIV Slot 9a";

    programs.ssh = {
      enable = true;
      matchBlocks = {
        "*" = {
+          identitiesOnly = true;
          identityFile = [
            "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464"
            "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485"
+            "/home/${psCfg.user.name}/.ssh/id_nistp256-748.pub"
          ];
        };

--- a/users/b12f/u2f.nix
+++ b/users/b12f/u2f.nix
@ -16,7 +16,7 @@ in {
  };

  security.pam.services = {
-    login.u2fAuth = false;
+    login.u2fAuth = true;
    sudo.u2fAuth = true;
  };
 }