From c40d7d5b6deeb459762d0551ad1bd38173f55b45 Mon Sep 17 00:00:00 2001
From: truxnell <19149206+truxnell@users.noreply.github.com>
Date: Thu, 21 Mar 2024 14:37:12 +1100
Subject: [PATCH] test: try sudo.sshagentauth

---
 nixos/hosts/common/nixos/openssh.nix    |  5 ++++-
 nixos/hosts/images/sd-image/default.nix | 10 +++------
 nixos/hosts/nixosvm/default.nix         |  3 +++
 3 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/nixos/hosts/common/nixos/openssh.nix b/nixos/hosts/common/nixos/openssh.nix
index 4290b6b..6dda998 100644
--- a/nixos/hosts/common/nixos/openssh.nix
+++ b/nixos/hosts/common/nixos/openssh.nix
@@ -8,6 +8,7 @@ let
   hosts = outputs.nixosConfigurations;
 in
 {
+
   services.openssh = {
     enable = true;
     settings = {
@@ -18,9 +19,11 @@ in
       StreamLocalBindUnlink = "yes";
       # Allow forwarding ports to everywhere
       GatewayPorts = "clientspecified";
+      # Don't allow home-directory authorized_keys
+
     };
   };
-  # Passwordless sudo when SSH'ing with keys
   security.pam.enableSSHAgentAuth = true;
+
 }
diff --git a/nixos/hosts/images/sd-image/default.nix b/nixos/hosts/images/sd-image/default.nix
index 229b25c..003227a 100644
--- a/nixos/hosts/images/sd-image/default.nix
+++ b/nixos/hosts/images/sd-image/default.nix
@@ -77,13 +77,9 @@
     ];
   };
-  security.pam.sshAgentAuth = {
-    # Passwordless sudo when SSH'ing with keys
-    enable = true;
-    authorizedKeysFiles = [
-      "/etc/ssh/authorized_keys.d/%u"
-    ];
-  };
+  # Passwordless sudo when SSH'ing with keys
+  security.pam.enableSSHAgentAuth = true;
+  security.pam.services.sudo.sshAgentAuth = true;
   # Free up to 1GiB whenever there is less than 100MiB left.
   nix.extraOptions = ''
diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix
index a540998..8bb00e2 100644
--- a/nixos/hosts/nixosvm/default.nix
+++ b/nixos/hosts/nixosvm/default.nix
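Review bot: The added comment `# Don't allow home-directory authorized_keys` in the second openssh.nix hunk sits inside `services.openssh.settings` with nothing under it, so no restriction is actually applied; either remove it or follow it with the option that does the job, which in NixOS is the top-level `services.openssh.authorizedKeysFiles` list rather than a `settings` entry, so it would belong outside this block. That restriction matters here because `security.pam.enableSSHAgentAuth = true;` a few lines below makes agent-held keys sufficient for sudo, and depending on the NixOS release that module takes its key-file list from sshd's AuthorizedKeysFile, which by default still includes the user-writable `%h/.ssh/authorized_keys`. The removed `# Passwordless sudo when SSH'ing with keys` comment was the only explanation of that line; keep it, e.g. `# Passwordless sudo when SSH'ing with keys (pam_ssh_agent_auth; restrict key files to a root-owned path)`.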
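Review bot: Replacing the `security.pam.sshAgentAuth` block in sd-image/default.nix drops its explicit `authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];`, so the key file pam_ssh_agent_auth consults for passwordless sudo now falls back to the module default, which on releases that derive it from `services.openssh.authorizedKeysFiles` includes a file the user can write themselves; if the older `enableSSHAgentAuth` spelling is required by the NixOS version in use, set the root-owned path explicitly alongside it rather than losing it. `security.pam.services.sudo.sshAgentAuth = true;` looks redundant as far as I recall, since the NixOS sudo module already enables it for the sudo service and it only takes effect together with the global switch; the same pair of lines is added in nixos/hosts/nixosvm/default.nix, and `enableSSHAgentAuth = true` is also set in the shared openssh.nix, so the per-host copies duplicate that module. The `test: try` subject suggests this is exploratory; a short comment such as `# NOTE: key-file restriction removed while testing; restore before use on shared hosts` would make that visible to anyone deploying the image.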
@@ -29,6 +29,9 @@
   networking.hostName = "nixosvm"; # Define your hostname.
+  # Passwordless sudo when SSH'ing with keys
+  security.pam.enableSSHAgentAuth = true;
+  security.pam.services.sudo.sshAgentAuth = true;
   # Pick only one of the below networking options.