authoradisbladis <adisbladis@gmail.com>2020-03-03 23:33:38 +0000
committeradisbladis <adisbladis@gmail.com>2020-11-24 02:47:07 +0100
commitba1fa0c60406a21b933f5cb1625e80ac0da84f50 (patch)
tree6732f838853445c77acbefce24c2167b9d9e797c /nixos
parent5917193cefbac368bb979500e62bf6ace4cfa8b4 (diff)
pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles
If a system administrator has explicitly configured authorized-key locations,
`sudo` (via pam_ssh_agent_auth) should honour those same locations.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-2103.xml7
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix2
3 files changed, 9 insertions, 2 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2103.xml b/nixos/doc/manual/release-notes/rl-2103.xml
index fda0f8ea074df..3186eb7449fe6 100644
--- a/nixos/doc/manual/release-notes/rl-2103.xml
+++ b/nixos/doc/manual/release-notes/rl-2103.xml
@@ -107,6 +107,13 @@
      </para>
    </listitem>
    <listitem>
+     <para>
+       Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
+
+       WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
+     </para>
+   </listitem>
+   <listitem>
     <para>
      The option <option>fonts.enableFontDir</option> has been renamed to
      <xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index a517f9e51ce17..a428103eaa963 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -396,7 +396,7 @@ let
           ${optionalString cfg.logFailures
               "auth required pam_tally.so"}
           ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
-              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
+              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}
           ${optionalString cfg.fprintAuth
               "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
           ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
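Review bot: The `file=` argument on the new line is built by joining `services.openssh.authorizedKeysFiles` verbatim, but that option follows sshd's conventions (sshd resolves relative entries against the user's home and accepts its own `%`-tokens), whereas pam_ssh_agent_auth applies its own expansion, so a relative entry such as the old default `.ssh/authorized_keys` would presumably be looked up relative to the working directory of the `sudo` invocation — a directory the invoking user controls — rather than the home directory. Nothing in this module rejects such entries, and an empty list would produce a bare `file=`, so a configuration that is perfectly valid for sshd can silently weaken or break the PAM path. I would fail evaluation instead, with an assertion in the module's `config` set requiring every entry to be absolute or `%h`/`~`-prefixed (the forms pam_ssh_agent_auth's man page documents; worth confirming against the packaged version). The `let` binding this string belongs to starts and ends outside the hunk.
```nix
# … unchanged: pam service definition in the let block …
assertions = [
  {
    assertion = config.security.pam.enableSSHAgentAuth ->
      (config.services.openssh.authorizedKeysFiles != [ ]
       && lib.all (p: lib.any (prefix: lib.hasPrefix prefix p) [ "/" "%h" "~" ])
            config.services.openssh.authorizedKeysFiles);
    message = "security.pam.enableSSHAgentAuth: every entry of services.openssh.authorizedKeysFiles must be absolute or start with %h or ~; pam_ssh_agent_auth does not resolve other paths against the user's home directory.";
  }
];
```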
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 1b745931c4fa8..3cc77e4cb9387 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -477,7 +477,7 @@ in
     # https://github.com/NixOS/nixpkgs/pull/10155
     # https://github.com/NixOS/nixpkgs/pull/41745
     services.openssh.authorizedKeysFiles =
-      [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
+      [ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
 
     services.openssh.extraConfig = mkOrder 0
       ''
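Review bot: The reason the defaults switch from relative to `%h`-prefixed paths is recorded only in the commit message; someone reading sshd.nix sees nothing wrong with `.ssh/authorized_keys` (sshd itself resolves relative AuthorizedKeysFile entries against the home directory) and could revert it, which would presumably reintroduce the working-directory lookup on the pam_ssh_agent_auth side. I would add a comment directly above the assignment, e.g. `# Keep these %h-prefixed rather than relative: the list is also passed to pam_ssh_agent_auth (security.pam.enableSSHAgentAuth), which does not treat relative entries as home-relative.` The `config` attribute set holding this assignment, and the `extraConfig` that emits the list to sshd, both continue outside the hunk, so I could not verify here that `%h` survives that emission unchanged — it is a documented sshd token, so it should.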