pyrox.dev / nixpkgs
lol
fork atom

pam_ssh_agent_auth: Honour services.openssh.authorizedKeysFiles

If a system administrator has explicitly configured key locations this
should be taken into account by `sudo`.

adisbladis ba1fa0c6 5917193c

options
unified split
Changed files
+9 -2
nixos
doc
manual
release-notes
rl-2103.xml
modules
security
pam.nix
services
networking
ssh
sshd.nix
+7
nixos/doc/manual/release-notes/rl-2103.xml 
···

       
107

       
107

       
 

       
     </para>


     

       
108

       
108

       
 

       
   </listitem>


     

       
109

       
109

       
 

       
   <listitem>


     

       

       
110

       
+

       
     <para>


     

       

       
111

       
+

       
       Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.


     

       

       
112

       
+

       



     

       

       
113

       
+

       
       WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!


     

       

       
114

       
+

       
     </para>


     

       

       
115

       
+

       
   </listitem>


     

       

       
116

       
+

       
   <listitem>


     

       
110

       
117

       
 

       
    <para>


     

       
111

       
118

       
 

       
     The option <option>fonts.enableFontDir</option> has been renamed to


     

       
112

       
119

       
 

       
     <xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
+1 -1
nixos/modules/security/pam.nix 
···

       
396

       
396

       
 

       
          ${optionalString cfg.logFailures


     

       
397

       
397

       
 

       
              "auth required pam_tally.so"}


     

       
398

       
398

       
 

       
          ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)


     

       
399

       

       
-

       
              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}


     

       

       
399

       
+

       
              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}


     

       
400

       
400

       
 

       
          ${optionalString cfg.fprintAuth


     

       
401

       
401

       
 

       
              "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}


     

       
402

       
402

       
 

       
          ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
+1 -1
nixos/modules/services/networking/ssh/sshd.nix 
···

       
477

       
477

       
 

       
    # https://github.com/NixOS/nixpkgs/pull/10155


     

       
478

       
478

       
 

       
    # https://github.com/NixOS/nixpkgs/pull/41745


     

       
479

       
479

       
 

       
    services.openssh.authorizedKeysFiles =


     

       
480

       

       
-

       
      [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];


     

       

       
480

       
+

       
      [ "%h/.ssh/authorized_keys" "%h/.ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];


     

       
481

       
481

       
 

       



     

       
482

       
482

       
 

       
    services.openssh.extraConfig = mkOrder 0


     

       
483

       
483

       
 

       
      ''