b12f/os
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

ssh: fix ssh login with new yubi keys fido2

Browse source
This commit is contained in:
Benjamin Bädorf 2024-02-03 15:02:24 +01:00
parent 5bc46fc64c
commit 9e23f0bd65
Signed by: b12f
GPG key ID: 729956E1124F8F26
4 changed files with 128 additions and 115 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

BIN
secrets/id_ed25519_sk-464.age
View file

Binary file not shown.

3
users/b12f/default.nix
View file

@ -12,6 +12,7 @@ in {
./home.nix ./home.nix
./session-variables.nix ./session-variables.nix
./u2f.nix ./u2f.nix
./ssh.nix
./concepts-and-training.nix ./concepts-and-training.nix
./ehex.nix ./ehex.nix
./email ./email
@ -40,7 +41,7 @@ in {
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmiF8ndGhnx2YAWbPDq14fftAwcJ0xnjJIVTotI12OO4SPX/SwH5Yp8C8Kf002qN9FbFmaONzq3s8TYpej13JubhfsQywNuFKZuZvJeHzmOwxsANW86RVrWT0WZmYx9a/a1TF9rPQpibDVt60wX8yLdExaJc5F1SvIIuyz1kxYpz36wItfR6hcwoLGh1emFCmfCpebJmp3hsrMDTTtTW/YNhyeSZW74ckyvZyjCYtRCJ8uF0ZmOSKRdillv4Ztg8MsUubGn+vaMl6V6x/QuDuehEPoM/3wBx9o22nf+QVbk7S1PC8EdT/K5vskn4/pfR7mDCyQOq1hB4w4Oyn0dsfX pi@ssrtc"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDwyNsGCMuyI9x2IxYEbYIL6oYsEfe1wqhHaRxSnK9oc10ge1LJni5o7g6XgryoQpCD9YenImcCxwkKblmlLQ2327uoVC2PUo07li1uT0eIPk0TQoxwp6besFs7/LEzZlgWQsc3gkEXmjk/E0mu0U6z2fkqciJ/ZxWYt9fLP6jBG47U9878rSaZ7k7Ilv6oRA3suArH189k1nerk/tonS4EWXeHZxHh/Eu0tqwmxN/6+g2GicYn6b+MbFQVdQAkctqT5Yz9USm9UKzbaAuZ799u0dJzagHm9JJZOr8r11ENtAkY9kAzRzm3u/ACiSdVzyLdjAK6m0dIPhp3OhedzuHiI6/wRll60tYtQTH1XwUpVbtir3+DT+jwZgO1zH3yL4iNh79kuUo+UEg1ZmGkSZRzSS2vb5qr0J5aSJmCd5sNB7a01PTtSlQPOqSF9PB+UmcLDF7JoKFub0KT/gRZ5neZkXTYQ/Y05qtaaFVlOVISijnm+sLUvKBv6OW8oYXIHBk= b12f@chocolatebar"
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup" "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEST9eyAY3nzGYNnqDYfWHu+89LZsOjyKHMqCFvtP7vrgB7F7JbbECjdjAXEOfPDSCVwtMMpq8JJXeRMjpsD0rw= @b12f Yubi Backup"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKOpBCq5YqEVi4sKAZHk82luuf+DSvsPeRxsHYTVPJdZAAAACHNzaDpiMTJm yubi@464" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464"
"sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485" "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485"
]; ];
}; };

114
users/b12f/home.nix
View file

@ -9,127 +9,13 @@ with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
age.secrets."id_ed25519_sk-464" = {
file = "${flake.self}/secrets/id_ed25519_sk-464.age";
mode = "400";
owner = psCfg.user.name;
path = "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464";
};
age.secrets."id_ed25519_sk-485" = {
file = "${flake.self}/secrets/id_ed25519_sk-485.age";
mode = "400";
owner = psCfg.user.name;
path = "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485";
};
home-manager.users."${psCfg.user.name}" = { home-manager.users."${psCfg.user.name}" = {
home.packages = [ home.packages = [
pkgs.zoom-us pkgs.zoom-us
]; ];
programs.ssh = {
enable = true;
matchBlocks = {
"*" = {
identityFile = [
"/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464"
"/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485"
];
};
"git.pub.solar" = {
user = "gitea";
};
"aur.archlinux.org" = {
user = "aur";
};
"leavieler.art" = {
hostname = "web5svsvy.wh.hosting.zone";
user = "web5svsvy_cgzqa3";
port = 2244;
};
"benjaminbaedorf.eu" = {
hostname = "web5svsvy.wh.hosting.zone";
user = "web5svsvy_cgzqa3";
port = 2244;
};
"miom.space" = {
hostname = "web7dgkba.wh.hosting.zone";
user = "web7dgkba_c9em8f";
port = 2244;
};
"latenight.blue" = {
hostname = "latenight.blue";
user = "lnb";
extraOptions = {
MACs = "hmac-sha2-512-etm@openssh.com";
};
};
"blacktea.io" = {
hostname = "latenight.blue";
user = "lnb";
extraOptions = {
MACs = "hmac-sha2-512-etm@openssh.com";
};
};
"laurakirst.de" = {
hostname = "webj4bsux.wh.hosting.zone";
user = "webj4bsux_36qkrk";
port = 2244;
};
"lipperschwabe.design" = {
hostname = "webugit4m.wh.hosting.zone";
user = "webugit4m_snjhrn";
port = 2244;
};
"pie.local" = {
hostname = "pie.local";
user = "yule";
};
"pie.b12f.io" = {
user = "yule";
};
"frikandel-initrd.b12f.io" = {
user = "root";
port = 2222;
};
"frikandel.b12f.io" = {
user = "yule";
};
"droppie.b12f.io" = {
user = "yule";
};
"nachtigall.pub.solar" = {
user = "barkeeper";
};
"flora-6.pub.solar" = {
user = "barkeeper";
};
};
};
programs.bash.initExtra = '' programs.bash.initExtra = ''
source ${config.age.secrets.b12f-env-secrets.path} source ${config.age.secrets.b12f-env-secrets.path}
''; '';
}; };
programs.ssh.extraConfig = "
PubkeyAcceptedKeyTypes +ssh-rsa
";
} }

126
users/b12f/ssh.nix Normal file
View file

@ -0,0 +1,126 @@
{
config,
pkgs,
lib,
flake,
...
}:
with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
age.secrets."id_ed25519_sk-464" = {
file = "${flake.self}/secrets/id_ed25519_sk-464.age";
mode = "400";
owner = psCfg.user.name;
path = "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464";
};
age.secrets."id_ed25519_sk-485" = {
file = "${flake.self}/secrets/id_ed25519_sk-485.age";
mode = "400";
owner = psCfg.user.name;
path = "/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485";
};
home-manager.users."${psCfg.user.name}" = {
home.file.".ssh/id_ed25519_sk-464.pub".text = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIHUbowjUtBiOPWi+TCHGToFwIsMDY6s7IRev6buVVdWxAAAACHNzaDpiMTJm yubi@464";
home.file.".ssh/id_ed25519_sk-485.pub".text = "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDyxaJNw0jXREOzQfa0E2RQE/xLD/VddDldbdSmS8uf9AAAACHNzaDpiMTJm yubi@485";
programs.ssh = {
enable = true;
matchBlocks = {
"*" = {
identityFile = [
"/home/${psCfg.user.name}/.ssh/id_ed25519_sk-464"
"/home/${psCfg.user.name}/.ssh/id_ed25519_sk-485"
];
};
"git.pub.solar" = {
user = "gitea";
};
"aur.archlinux.org" = {
user = "aur";
};
"leavieler.art" = {
hostname = "web5svsvy.wh.hosting.zone";
user = "web5svsvy_cgzqa3";
port = 2244;
};
"benjaminbaedorf.eu" = {
hostname = "web5svsvy.wh.hosting.zone";
user = "web5svsvy_cgzqa3";
port = 2244;
};
"miom.space" = {
hostname = "web7dgkba.wh.hosting.zone";
user = "web7dgkba_c9em8f";
port = 2244;
};
"latenight.blue" = {
hostname = "latenight.blue";
user = "lnb";
extraOptions = {
MACs = "hmac-sha2-512-etm@openssh.com";
};
};
"blacktea.io" = {
hostname = "latenight.blue";
user = "lnb";
extraOptions = {
MACs = "hmac-sha2-512-etm@openssh.com";
};
};
"laurakirst.de" = {
hostname = "webj4bsux.wh.hosting.zone";
user = "webj4bsux_36qkrk";
port = 2244;
};
"lipperschwabe.design" = {
hostname = "webugit4m.wh.hosting.zone";
user = "webugit4m_snjhrn";
port = 2244;
};
"pie.local" = {
hostname = "pie.local";
user = "yule";
};
"pie.b12f.io" = {
user = "yule";
};
"frikandel-initrd.b12f.io" = {
user = "root";
port = 2222;
};
"frikandel.b12f.io" = {
user = "yule";
};
"droppie.b12f.io" = {
user = "yule";
};
"nachtigall.pub.solar" = {
user = "barkeeper";
};
"flora-6.pub.solar" = {
user = "barkeeper";
};
};
};
};
}