[Nix-dev] [PATCH] authorized_keys in users.extraUsers

Nicolas Pierron nicolas.b.pierron at gmail.com
Fri Nov 25 18:27:23 CET 2011


Hi,

If nobody complains, I'll merge these modifications in the next few days.

On Thu, Nov 17, 2011 at 00:24, Rickard Nilsson
<rickard.nilsson at telia.com> wrote:
> After a lot of help from Nicolas, I have a new version of my patch ready.
> You can now do this:
>
>  users.extraUsers = {
>    myuser = {
>      description = "my user";
>      group = "mygroup";
>      home = "/home/myuser";
>      createHome = true;
>      useDefaultShell = true;
>      openssh.authorizedKeys = {
>        preserveExistingKeys = false;
>        keyFiles = [
>          "/etc/secrets/someotheruser.id_dsa.pub"
>        ];
>      };
>    };
>  };
>
> As you can see, users.extraUsers has been turned into an attribute set
> instead of a list, and the user name is by default extracted from the
> attribute name. You can of course still define users.extraUsers as a list.
>
> The authorized_keys file generation is done by the sshd upstart job, so you
> can make sure all key files are correct by restarting sshd. Please tell me
> if you think this is a good idea, or if the file generation should be put
> into its own job, or put back into the activation script.
>
> I have also added a users.extraUsers.<name?>.createUser option (default
> true), which tells the activation script if it should create the user as a
> local user or leave it alone. This is useful if you have LDAP users for
> which you want to use the .openssh.authorizedKeys feature, but don't want
> NixOS to add them to /etc/passwd.
>
> Best regards,
>  Rickard Nilsson
>
>
> On 2011-10-16 21:28:54, Rickard Nilsson <rickard.nilsson at telia.com> wrote:
>
>> Hi,
>>
>> I've written a patch to users-groups.nix that allows me to specify the
>> contents of a user's ~/.ssh/authorized_keys file like this:
>>
>>
>>   users.extraUsers = [
>>     { name = "myuser";
>>       description = "";
>>       group = "users";
>>       home = "/home/myuser";
>>       createHome = true;
>>       useDefaultShell = true;
>>       authorizedKeyFiles = [
>>         "/etc/secrets/someotheruser.id_dsa.pub"
>>       ];
>>     }
>>   ];
>>
>>
>> I can also specify keys directly with the authorizedKeys attribute,
>> instead of referring to files. If there are existing keys in authorized_keys
>> they will be left alone.
>>
>> Is this something that others find useful? Does it make sense to put it in
>> users.extraUsers, or is it too messy? Maybe there is a place for a more
>> general home.<username>.authorizedKeys configuration? What do you think?
>>
>>
>> Best regards,
>>   Rickard Nilsson



-- 
Nicolas Pierron
http://www.linkedin.com/in/nicolasbpierron - http://nbp.name/
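As an added illustration (not code from the patch, from NixOS, or from either poster), the following Python models what the sshd job does when it generates a user's authorized_keys from the configured keyFiles, including the preserveExistingKeys behaviour described in the thread. The function names and the sample key lines are constructed for this example.

```python
"""Model of the authorized_keys generation described in the thread.

Added example, not the patch itself: key files are concatenated into
~/.ssh/authorized_keys, and preserveExistingKeys decides whether lines
already present in the file survive the regeneration.
"""
from typing import Iterable, List


def parse_key_lines(text: str) -> List[str]:
    """Return the key lines of an OpenSSH public key / authorized_keys file.

    Blank lines and '#' comments are dropped. A key line needs at least a
    key type and the base64 blob; anything shorter is a broken key file,
    and raising here is better than feeding sshd a file it cannot parse.
    """
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if len(line.split()) < 2:
            raise ValueError(f"malformed key line: {line!r}")
        keys.append(line)
    return keys


def build_authorized_keys(existing: str, key_files: Iterable[str],
                          preserve_existing: bool) -> str:
    """Compute the new authorized_keys contents.

    existing:          current file contents (may be empty)
    key_files:         contents of each configured keyFiles entry
    preserve_existing: keep keys already in the file; otherwise the file
                       is replaced by exactly the configured keys
    """
    result: List[str] = []
    seen = set()
    sources = ([existing] if preserve_existing else []) + list(key_files)
    for src in sources:
        for key in parse_key_lines(src):
            if key not in seen:  # de-duplicate so regeneration is idempotent
                seen.add(key)
                result.append(key)
    return "\n".join(result) + ("\n" if result else "")


if __name__ == "__main__":
    # constructed sample data; the key material is a placeholder, not a real key
    current = "ssh-rsa AAAAB3placeholderOLD old@host\n"
    configured = ["ssh-dss AAAAB3placeholderNEW someotheruser@host\n"]
    print(build_authorized_keys(current, configured, preserve_existing=False))
```

With preserveExistingKeys = false the generated file contains only the configured keys, so a key someone appended by hand disappears at the next sshd restart; with it set to true, existing keys stay in front and configured keys are appended once.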

