diff options
author | nicoo <nicoo@debian.org> | 2024-05-06 01:11:03 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-06 01:11:03 +0000 |
commit | db5f88c41a638e4ff1f67a61310a6e958eaa07a8 (patch) | |
tree | 99adaeea01ff339443b621a74ecc538f88922b21 /nixos/modules | |
parent | 853580ca64d94b47e728133437dc26a8e4132ea6 (diff) |
nixos/ssh: Make `~/.ssh/authorized_keys` optional in AuthorizedKeysFiles (#279894)
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index c62bccd462d33..0fdb708bf052f 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -296,6 +296,17 @@ in ''; }; + authorizedKeysInHomedir = mkOption { + type = types.bool; + default = true; + description = '' + Enables the use of the `~/.ssh/authorized_keys` file. + + Otherwise, the only files trusted by default are those in `/etc/ssh/authorized_keys.d`, + *i.e.* SSH keys from [](#opt-users.users._name_.openssh.authorizedKeys.keys). + ''; + }; + authorizedKeysCommand = mkOption { type = types.str; default = "none"; @@ -635,7 +646,7 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ "%h/.ssh/authorized_keys" "/etc/ssh/authorized_keys.d/%u" ]; + lib.optional cfg.authorizedKeysInHomedir "%h/.ssh/authorized_keys" ++ [ "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.settings.AuthorizedPrincipalsFile = mkIf (authPrincipalsFiles != {}) "/etc/ssh/authorized_principals.d/%u"; |