nixos/ssh: Make `~/.ssh/authorized_keys` optional in AuthorizedKeysFiles (#279894)

author: nicoo <nicoo@debian.org> 2024-05-06 01:11:03 +0000
committer: GitHub <noreply@github.com> 2024-05-06 01:11:03 +0000
commit: db5f88c41a638e4ff1f67a61310a6e958eaa07a8 (patch)
tree: 99adaeea01ff339443b621a74ecc538f88922b21 /nixos/modules
parent: 853580ca64d94b47e728133437dc26a8e4132ea6 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index c62bccd462d33..0fdb708bf052f 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -296,6 +296,17 @@ in
         '';
       };
 
+      authorizedKeysInHomedir = mkOption {
+        type = types.bool;
+        default = true;
+        description = ''
+          Enables the use of the `~/.ssh/authorized_keys` file.
+
+          Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`,
+          *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys).
+        '';
+      };
+
       authorizedKeysCommand = mkOption {
         type = types.str;
         default = "none";
@@ -635,7 +646,7 @@ in
     # https://github.com/NixOS/nixpkgs/pull/10155
     # https://github.com/NixOS/nixpkgs/pull/41745
     services.openssh.authorizedKeysFiles =
-      [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ];
+      lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ];
 
     services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u";
author	nicoo <nicoo@debian.org>	2024-05-06 01:11:03 +0000
committer	GitHub <noreply@github.com>	2024-05-06 01:11:03 +0000
commit	db5f88c41a638e4ff1f67a61310a6e958eaa07a8 (patch)
tree	99adaeea01ff339443b621a74ecc538f88922b21 /nixos/modules
parent	853580ca64d94b47e728133437dc26a8e4132ea6 (diff)