generating ssh user CA file
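--- a/keys/ssh_user_ca.pub
+++ b/keys/ssh_user_ca.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpgz9xYE3K+JeQ7vtDA07iWlp0xTXB+G8MBzX6/RluXs8E6v+ahx90M093EYIOImaW6npWQ0JnFtmZaet5l9Ao=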
@@ -40,7 +40,7 @@ in
|
|||||||
imports = with inputs.self.modules.nixos; [ ssh ];
|
imports = with inputs.self.modules.nixos; [ ssh ];
|
||||||
# NixOS Config
|
# NixOS Config
|
||||||
config = {
|
config = {
|
||||||
ssh.certificates = true;
|
ssh.certificates.enable = true;
|
||||||
home-manager.sharedModules = with inputs.self.modules; [
|
home-manager.sharedModules = with inputs.self.modules; [
|
||||||
homeManager.step-client
|
homeManager.step-client
|
||||||
];
|
];
|
||||||
|
|||||||
@@ -3,20 +3,43 @@ let
|
|||||||
userName = "john";
|
userName = "john";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
flake.modules.nixos.ssh = { pkgs, config, lib, ... }: {
|
flake.modules.nixos.ssh = { pkgs, config, lib, ... }:
|
||||||
options = {
|
let
|
||||||
ssh.certificates = lib.mkEnableOption "Enable SSH certificates";
|
cfg = config.ssh;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
options.ssh = {
|
||||||
|
certificates = {
|
||||||
|
enable = lib.mkEnableOption "Enable SSH certificates";
|
||||||
|
userCA = lib.mkOption {
|
||||||
|
type = lib.types.path;
|
||||||
|
default = ../../keys/ssh_user_ca.pub;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = {
|
config = {
|
||||||
services.openssh = {
|
services.openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
# require public key authentication for better security
|
# require public key authentication for better security
|
||||||
settings.PasswordAuthentication = false;
|
settings = lib.mkMerge [
|
||||||
settings.KbdInteractiveAuthentication = false;
|
{
|
||||||
|
PasswordAuthentication = false;
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
}
|
||||||
|
(lib.mkIf cfg.certificates.enable {
|
||||||
|
TrustedUserCAKeys = "/etc/ssh/ssh_user_ca.pub";
|
||||||
|
HostKey = "/etc/ssh/ssh_host_ed25519_key";
|
||||||
|
HostCertificate = "/etc/ssh/ssh_host_ed25519_key-cert.pub";
|
||||||
|
})
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
programs.ssh.knownHosts = lib.mkIf config.ssh.certificates {
|
environment.etc."ssh/ssh_user_ca.pub" = lib.mkIf cfg.certificates.enable {
|
||||||
|
source = cfg.certificates.userCA;
|
||||||
|
};
|
||||||
|
|
||||||
|
programs.ssh.knownHosts = lib.mkIf cfg.certificates.enable {
|
||||||
"192.168.1.*" = {
|
"192.168.1.*" = {
|
||||||
certAuthority = true;
|
certAuthority = true;
|
||||||
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
|
publicKey = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNug18oLH0vZxnibXJzMJvTWFPZTnSlhCDDVi+rHhgnIum6ZXQ4SF+VHOOAM5BbzZmMKitNJ5lcrGP15Eur7DzQ=";
|
||||||
|
|||||||
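Review bot: The option description in `enable = lib.mkEnableOption "Enable SSH certificates";` will render as "Whether to enable Enable SSH certificates." because mkEnableOption already prepends "Whether to enable"; use `enable = lib.mkEnableOption "SSH certificate authentication (user CA trust and host certificate presentation)";` and give `userCA` a `description` saying it is the public key written to /etc/ssh/ssh_user_ca.pub and trusted by sshd through TrustedUserCAKeys. Separately, `HostCertificate = "/etc/ssh/ssh_host_ed25519_key-cert.pub";` points at a file nothing in this change provisions; as far as I recall sshd logs an error and continues when a host certificate cannot be loaded, so a host with `certificates.enable = true` and no certificate would silently present only its plain key, and the option text should state that the certificate is issued out-of-band (presumably by the step client imported in the other hunk). The host CA public key for `"192.168.1.*"` is also hardcoded inline while the user CA is a `userCA` path option; for consistency a `hostCA` option sourced from a file under keys/ would keep both CAs rotatable from one place. The enclosing `flake.modules.nixos.ssh` function and its `config` block close outside the hunk.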