nixos/ssh: Make ~/.ssh/authorized_keys optional in AuthorizedKeysFiles (#279894)

nicoo 2024-05-06 01:11:03 +00:00 committed by GitHub
parent 853580ca64
commit db5f88c41a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 23 additions and 1 deletions


@ -296,6 +296,17 @@ in
'';
};
authorizedKeysInHomedir = mkOption {
type = types.bool;
default = true;
description = ''
Enables the use of the `~/.ssh/authorized_keys` file.
Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
*i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
'';
};
authorizedKeysCommand = mkOption {
type = types.str;
default = "none";
@ -635,7 +646,7 @@ in
# https://github.com/NixOS/nixpkgs/pull/10155
# https://github.com/NixOS/nixpkgs/pull/41745
services.openssh.authorizedKeysFiles =
[ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];
services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";