pyrox.dev / nixpkgs
lol
fork atom

nixos/sshd: enable root ssh authorized_keys provisioning

This enables provisioning of root ssh keys with systemd credentials
(e.g. passed in via smbios strings or kernel params)

Marie Ramlow 0ea1aedc afeb76d6

options
unified split
Changed files
+6 -3
nixos
modules
services
networking
ssh
sshd.nix
tests
openssh.nix
+6
nixos/modules/services/networking/ssh/sshd.nix 
···

       
560

       
560

       
 

       
        "ssh/sshd_config".source = sshconf;


     

       
561

       
561

       
 

       
      };


     

       
562

       
562

       
 

       



     

       

       
563

       
+

       
    systemd.tmpfiles.settings."ssh-root-provision" = {


     

       

       
564

       
+

       
      "/root"."d-" = { user = "root"; group = ":root"; mode = ":700"; };


     

       

       
565

       
+

       
      "/root/.ssh"."d-" = { user = "root"; group = ":root"; mode = ":700"; };


     

       

       
566

       
+

       
      "/root/.ssh/authorized_keys"."f^" = { user = "root"; group = ":root"; mode = ":600"; argument = "ssh.authorized_keys.root"; };


     

       

       
567

       
+

       
    };


     

       

       
568

       
+

       



     

       
563

       
569

       
 

       
    systemd =


     

       
564

       
570

       
 

       
      {


     

       
565

       
571

       
 

       
        sockets.sshd = lib.mkIf cfg.startWhenNeeded {
-3
nixos/tests/openssh.nix 
···

       
174

       
174

       
 

       
    server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)


     

       
175

       
175

       
 

       



     

       
176

       
176

       
 

       
    with subtest("manual-authkey"):


     

       
177

       

       
-

       
        client.succeed("mkdir -m 700 /root/.ssh")


     

       
178

       
177

       
 

       
        client.succeed(


     

       
179

       
178

       
 

       
            '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'


     

       
180

       
179

       
 

       
        )


     
···

       
184

       
183

       
 

       
        public_key = public_key.strip()


     

       
185

       
184

       
 

       
        client.succeed("chmod 600 /root/.ssh/id_ed25519")


     

       
186

       
185

       
 

       



     

       
187

       

       
-

       
        server.succeed("mkdir -m 700 /root/.ssh")


     

       
188

       
186

       
 

       
        server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))


     

       
189

       

       
-

       
        server_lazy.succeed("mkdir -m 700 /root/.ssh")


     

       
190

       
187

       
 

       
        server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))


     

       
191

       
188

       
 

       



     

       
192

       
189

       
 

       
        client.wait_for_unit("network.target")