[Nix-dev] [PATCH] authorized_keys in users.extraUsers
Rickard Nilsson
rickard.nilsson at telia.com
Thu Nov 17 00:24:14 CET 2011
After a lot of help from Nicolas, I have a new version of my patch ready.
You can now do this:
  users.extraUsers = {
    myuser = {
      description = "my user";
      group = "mygroup";
      home = "/home/myuser";
      createHome = true;
      useDefaultShell = true;
      openssh.authorizedKeys = {
        preserveExistingKeys = false;
        keyFiles = [
          "/etc/secrets/someotheruser.id_dsa.pub"
        ];
      };
    };
  };
As you can see, users.extraUsers has been turned into an attribute set
instead of a list, and the user name is by default extracted from the
attribute name. You can of course still define users.extraUsers as a list.
The authorized_keys file generation is done by the sshd upstart job, so
you can make sure all key files are correct by restarting sshd. Please
tell me if you think this is a good idea, or if the file generation should
be put into its own job, or put back into the activation script.
I have also added a users.extraUsers.<name?>.createUser option (default
true), which tells the activation script if it should create the user as a
local user or leave it alone. This is useful if you have LDAP users for
which you want to use the .openssh.authorizedKeys feature, but don't want
NixOS to add them to /etc/passwd.
Best regards,
Rickard Nilsson
On 2011-10-16 21:28:54, Rickard Nilsson <rickard.nilsson at telia.com> wrote:
> Hi,
>
> I've written a patch to users-groups.nix that allows me to specify the
> contents of a user's ~/.ssh/authorized_keys file like this:
>
>
>   users.extraUsers = [
>     { name = "myuser";
>       description = "";
>       group = "users";
>       home = "/home/myuser";
>       createHome = true;
>       useDefaultShell = true;
>       authorizedKeyFiles = [
>         "/etc/secrets/someotheruser.id_dsa.pub"
>       ];
>     }
>   ];
>
>
> I can also specify keys directly with the authorizedKeys attribute,
> instead of referring to files. If there are existing keys in
> authorized_keys they will be left alone.
>
> Is this something that others find useful? Does it make sense to put it
> in users.extraUsers, or is it too messy? Maybe there is a place for a more
> general home.<username>.authorizedKeys configuration? What do you think?
>
>
> Best regards,
> Rickard Nilsson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: authorized_keys.patch
Type: application/octet-stream
Size: 11381 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20111117/9e93746c/attachment.obj
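The thread describes generating a user's authorized_keys from a list of key files, with a switch that decides whether keys already in the file are preserved or the file is rebuilt from the configured files only. The script below is an added example of those merge semantics in plain POSIX sh; it is not the patch attached to the e-mail and not NixOS code. The function names (merge_authorized_keys, count_keys, keys_file_private) and the demo keys are constructed for this example. It also shows the details sshd cares about when such a file is written by a service: owner-only permissions on ~/.ssh and the file, an atomic rename so sshd never reads a half-written file, and deduplication so repeated runs are idempotent.

```shell
#!/bin/sh
# Added example, not the e-mail's patch: one way an activation or service step
# could assemble ~/.ssh/authorized_keys from a list of key files while honouring
# a preserve-existing-keys switch. Function names and demo keys are constructed.

# merge_authorized_keys HOME PRESERVE KEYFILE...
#   HOME      user's home directory
#   PRESERVE  "true"  -> lines already in authorized_keys are kept
#             "false" -> the file is rebuilt from the KEYFILEs only
#   KEYFILE   files holding one public key per line
merge_authorized_keys() {
    home=$1; preserve=$2; shift 2
    sshdir="$home/.ssh"
    target="$sshdir/authorized_keys"
    tmp="$sshdir/.authorized_keys.tmp"

    oldmask=$(umask)
    umask 077                       # anything created here is owner-only
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"             # sshd's StrictModes rejects group/world-writable dirs

    {
        # existing keys first, so manually added keys survive when PRESERVE is true
        if [ "$preserve" = true ] && [ -f "$target" ]; then
            cat "$target"
        fi
        for f in "$@"; do
            if [ -r "$f" ]; then
                awk 1 "$f"          # re-emits every line and repairs a missing final newline
            else
                echo "merge_authorized_keys: cannot read $f, skipping" >&2
            fi
        done
    } | awk 'NF && !seen[$0]++' > "$tmp"   # drop blank lines and duplicates, keep first order

    mv "$tmp" "$target"             # rename is atomic; sshd never sees a partial file
    chmod 600 "$target"
    umask "$oldmask"
}

# count_keys HOME -> number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# keys_file_private HOME -> "yes" if authorized_keys is exactly mode 0600, else "no"
keys_file_private() {
    if find "$1/.ssh/authorized_keys" -perm 600 | grep -q .; then echo yes; else echo no; fi
}

# Demo on a throwaway directory with constructed keys (second file lacks a newline).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home"
    printf 'ssh-ed25519 AAAAC3example1 constructed-key-1\n' > "$d/k1.pub"
    printf 'ssh-ed25519 AAAAC3example2 constructed-key-2' > "$d/k2.pub"
    merge_authorized_keys "$d/home" false "$d/k1.pub" "$d/k2.pub"
    echo "after run: $(count_keys "$d/home") keys, private=$(keys_file_private "$d/home")"
    rm -rf "$d"
}
demo
```

Because the merge is a pure function of the existing file plus the configured key files, running it from a service start (as the e-mail proposes for the sshd job) or from the activation script gives the same result, and a second run with unchanged input rewrites an identical file.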