After a lot of help from Nicolas, I have a new version of my patch ready. You can now do this:

  users.extraUsers = {
    myuser = {
      description = "my user";
      group = "mygroup";
      home = "/home/myuser";
      createHome = true;
      useDefaultShell = true;
      openssh.authorizedKeys = {
        preserveExistingKeys = false;
        keyFiles = [
          "/etc/secrets/someotheruser.id_dsa.pub"
        ];
      };
    };
  };

As you can see, users.extraUsers has been turned into an attribute set instead of a list, and the user name is by default extracted from the attribute name. You can of course still define users.extraUsers as a list.

The authorized_keys file generation is done by the sshd upstart job, so you can make sure all key files are correct by restarting sshd. Please tell me if you think this is a good idea, or if the file generation should be put into its own job, or put back into the activation script.

I have also added a users.extraUsers.<name?>.createUser option (default true), which tells the activation script if it should create the user as a local user or leave it alone. This is useful if you have LDAP users for which you want to use the .openssh.authorizedKeys feature, but don't want NixOS to add them to /etc/passwd.

Best regards,
  Rickard Nilsson
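As an added illustration, not code from Rickard's patch, here is a Python model of the authorized_keys generation the message describes: preserveExistingKeys decides whether keys already in the file survive, keyFiles and literal keys are merged without duplicates, and the result is written atomically with mode 0600 so sshd's StrictModes accepts it. The key strings are constructed placeholders, and the merge order (existing keys, then key files, then literal keys) is an assumption, not taken from the patch.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample data (not real keys): what the generator would see for "myuser".
EXISTING = "ssh-rsa AAAAB3-CONSTRUCTED-OLD myuser@laptop\n"
KEY_FILE = "# someotheruser's key\nssh-rsa AAAAB3-CONSTRUCTED-OTHER someotheruser@host\n"

def parse_keys(text):
    """Key lines of an authorized_keys-style text: stripped, non-empty, '#' comments dropped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def merged_authorized_keys(existing, key_file_contents, literal_keys, preserve_existing):
    """Build the new authorized_keys content (merge order is an assumption, see lead-in).
    existing: current file content ("" if absent); key_file_contents: contents of each
    keyFiles entry, in order; literal_keys: keys given directly in the configuration;
    preserve_existing: True keeps keys already in the file, False replaces them.
    Duplicates are dropped so repeated runs (e.g. every sshd restart) do not grow the file.
    """
    keys, seen = [], set()

    def add(key):
        if key not in seen:
            seen.add(key)
            keys.append(key)

    if preserve_existing:
        for key in parse_keys(existing):
            add(key)
    for content in key_file_contents:
        for key in parse_keys(content):
            add(key)
    for key in parse_keys("\n".join(literal_keys)):
        add(key)
    return "".join(key + "\n" for key in keys)

def write_authorized_keys(path, content, uid, gid):
    """Write atomically, owned by the user, mode 0600 (what sshd's StrictModes expects)."""
    target = Path(path)
    target.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=target.parent, prefix=".authorized_keys.")
    with os.fdopen(fd, "w") as handle:
        handle.write(content)
    os.chmod(tmp, 0o600)
    os.chown(tmp, uid, gid)
    os.replace(tmp, target)  # rename is atomic, so sshd never reads a half-written file
    return target
```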


On 2011-10-16 21:28:54, Rickard Nilsson <rickard.nils...@telia.com> wrote:

Hi,

I've written a patch to users-groups.nix that allows me to specify the
contents of a user's ~/.ssh/authorized_keys file like this:


   users.extraUsers = [
     { name = "myuser";
       description = "";
       group = "users";
       home = "/home/myuser";
       createHome = true;
       useDefaultShell = true;
       authorizedKeyFiles = [
         "/etc/secrets/someotheruser.id_dsa.pub"
       ];
     }
   ];


I can also specify keys directly with the authorizedKeys attribute,
instead of referring to files. If there are existing keys in authorized_keys
they will be left alone.

Is this something that others find useful? Does it make sense to put it in
users.extraUsers, or is it too messy? Maybe there is a place for a more
general home.<username>.authorizedKeys configuration? What do you think?


Best regards,
   Rickard Nilsson

Attachment: authorized_keys.patch

_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
