test: try sudo.sshagentauth

2024-03-21 14:37:12 +11:00 · 2024-03-21 14:37:12 +11:00 · c40d7d5b6d
commit c40d7d5b6d
parent a8237efb4d
3 changed files with 10 additions and 8 deletions
--- a/nixos/hosts/common/nixos/openssh.nix
+++ b/nixos/hosts/common/nixos/openssh.nix
@ -8,6 +8,7 @@ let
  hosts = outputs.nixosConfigurations;
 in
 {
+
  services.openssh = {
    enable = true;
    settings = {
@ -18,9 +19,11 @@ in
      StreamLocalBindUnlink = "yes";
      # Allow forwarding ports to everywhere
      GatewayPorts = "clientspecified";
+      # Don't allow home-directory authorized_keys
+
    };
  };

-  # Passwordless sudo when SSH'ing with keys
  security.pam.enableSSHAgentAuth = true;
+
 }
--- a/nixos/hosts/images/sd-image/default.nix
+++ b/nixos/hosts/images/sd-image/default.nix
@ -77,13 +77,9 @@
    ];
  };

-  security.pam.sshAgentAuth = {
  # Passwordless sudo when SSH'ing with keys
-    enable = true;
-    authorizedKeysFiles = [
-      "/etc/ssh/authorized_keys.d/%u"
-    ];
-  };
+  security.pam.enableSSHAgentAuth = true;
+  security.pam.services.sudo.sshAgentAuth = true;

  # Free up to 1GiB whenever there is less than 100MiB left.
  nix.extraOptions = ''
--- a/nixos/hosts/nixosvm/default.nix
+++ b/nixos/hosts/nixosvm/default.nix
@ -29,6 +29,9 @@

  networking.hostName = "nixosvm"; # Define your hostname.

+  # Passwordless sudo when SSH'ing with keys
+  security.pam.enableSSHAgentAuth = true;
+  security.pam.services.sudo.sshAgentAuth = true;


  # Pick only one of the below networking options.