diff options
author | adisbladis <adisbladis@gmail.com> | 2020-03-03 23:33:38 +0000 |
---|---|---|
committer | adisbladis <adisbladis@gmail.com> | 2020-11-24 02:47:07 +0100 |
commit | ba1fa0c60406a21b933f5cb1625e80ac0da84f50 (patch) | |
tree | 6732f838853445c77acbefce24c2167b9d9e797c /nixos/modules | |
parent | 5917193cefbac368bb979500e62bf6ace4cfa8b4 (diff) |
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured key locations this should be taken into account by `sudo`.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/pam.nix | 2 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a517f9e51ce17..a428103eaa963 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -396,7 +396,7 @@ let ${optionalString cfg.logFailures "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) - "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"} ${optionalString cfg.fprintAuth "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 1b745931c4fa8..3cc77e4cb9387 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -477,7 +477,7 @@ in # https://github.com/NixOS/nixpkgs/pull/10155 # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = - [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; + [ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; services.openssh.extraConfig = mkOrder 0 '' |