[Nix-dev] [PATCH] authorized_keys in users.extraUsers

Rickard Nilsson rickard.nilsson at telia.com
Thu Nov 17 00:24:14 CET 2011


After a lot of help from Nicolas, I have a new version of my patch ready.  
You can now do this:

   users.extraUsers = {
     myuser = {
       description = "my user";
       group = "mygroup";
       home = "/home/myuser";
       createHome = true;
       useDefaultShell = true;
       openssh.authorizedKeys = {
         preserveExistingKeys = false;
         keyFiles = [
           "/etc/secrets/someotheruser.id_dsa.pub"
         ];
       };
     };
   };

As you can see, users.extraUsers has been turned into an attribute set  
instead of a list, and the user name is by default extracted from the  
attribute name. You can of course still define users.extraUsers as a list.

The authorized_keys file generation is done by the sshd upstart job, so  
you can make sure all key files are correct by restarting sshd. Please  
tell me if you think this is a good idea, or if the file generation should  
be put into its own job, or put back into the activation script.

I have also added a users.extraUsers.<name?>.createUser option (default  
true), which tells the activation script if it should create the user as a  
local user or leave it alone. This is useful if you have LDAP users for  
which you want to use the .openssh.authorizedKeys feature, but don't want  
NixOS to add them to /etc/passwd.

Best regards,
   Rickard Nilsson


On 2011-10-16 21:28:54, Rickard Nilsson <rickard.nilsson at telia.com> wrote:

> Hi,
>
> I've written a patch to users-groups.nix that allows me to specify the
> contents of a user's ~/.ssh/authorized_keys file like this:
>
>
>    users.extraUsers = [
>      { name = "myuser";
>        description = "";
>        group = "users";
>        home = "/home/myuser";
>        createHome = true;
>        useDefaultShell = true;
>        authorizedKeyFiles = [
>          "/etc/secrets/someotheruser.id_dsa.pub"
>        ];
>      }
>    ];
>
>
> I can also specify keys directly with the authorizedKeys attribute,
> instead of referring files. If there are existing keys in authorized_keys
> they will be left alone.
>
> Is this something that others find useful? Does it make sense to put it
> in users.extraUsers, or is it too messy? Maybe there is a place for a more
> general home.<username>.authorizedKeys configuration? What do you think?
>
>
> Best regards,
>    Rickard Nilsson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: authorized_keys.patch
Type: application/octet-stream
Size: 11381 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20111117/9e93746c/attachment.obj 
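As an added illustration, not the patch's own code (that is in the scrubbed attachment), here is a POSIX shell function that merges declared key files into a user's ~/.ssh/authorized_keys with the preserveExistingKeys semantics described above (existing keys kept and new ones appended without duplicates, or the file replaced outright). The function name, the 0700/0600 permission handling and the omitted chown step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the patch: regenerate ~/.ssh/authorized_keys
# from a list of public key files, keeping or discarding existing entries.
# Assumes it runs as the user or as root; the real job would also chown the
# directory and file to the target user (left out here).
set -eu

# write_authorized_keys HOME PRESERVE KEYFILE...
#   PRESERVE=1 keeps keys already in the file and appends only new ones;
#   PRESERVE=0 replaces the file with exactly the declared keys.
write_authorized_keys() {
  home=$1; preserve=$2; shift 2
  sshdir="$home/.ssh"
  target="$sshdir/authorized_keys"
  umask 077                       # everything created below is private
  tmp=$(mktemp)
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"             # sshd StrictModes rejects lax permissions
  if [ "$preserve" = 1 ] && [ -f "$target" ]; then
    cat "$target" > "$tmp"        # start from the keys already present
  fi
  for f in "$@"; do
    # drop blank and comment lines, skip keys already in the merged set
    grep -Ev '^[[:space:]]*(#|$)' "$f" | while IFS= read -r line; do
      grep -qxF -- "$line" "$tmp" || printf '%s\n' "$line" >> "$tmp"
    done
  done
  mv "$tmp" "$target"             # atomic replace of the final file
  chmod 600 "$target"
}
```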

