sshd: AuthorizedKeysCommand permissions problem #94653
Comments
@hiberno does my comment help at all?
@aanderse I completely forgot to reply. That was rude, I am sorry about that. Yes, in a way your reply helped. We implemented a similar workaround now. But it still is a workaround in a way, since we needed to place an executable shell wrapper into It might make sense to update the documentation of the option
I'm glad that helped. Great idea. Are you able to draft up a simple PR to help out? I'm stretched a bit thin at the moment and would really appreciate the assist.
I marked this as stale due to inactivity.
Still important. While the workaround works, it would be nice to incorporate it into nixpkgs directly.
I'm not sure what you mean by that? You need to provide a command to this option and make sure that the command isn't a symlink. The only addition at this point would be to point this out in the documentation. What were you thinking?
Describe the bug

I tried to use an AuthorizedKeysCommand in the configuration of the SSHd to obtain the public key of a user that tries to log in from an LDAP server. This does not work, though, because SSHd has fairly strict requirements with regard to the permissions of the executable that is the AuthorizedKeysCommand. Those lead to the following error:

ldap-sshkey is in this case a custom package containing a shell script that uses ldapsearch to obtain the SSH keys from the LDAP server. (When called manually, I can confirm that the script works as intended.) The permissions are as follows:

Those should be okay. The problem is, however, that SSHd checks the whole path. And /nix/store itself has the following permissions:

Those are alas not okay. Hence the error message above.

I am not sure how to enable AuthorizedKeysCommand without some tricky workaround. The way I did it now (install a package as systemPackage and reference it in the SSHd configuration) looks clean and correct to me, but does not work. This does not work when using services.openssh.extraConfig to add the AuthorizedKeysCommand configuration, nor does it work when using the option services.openssh.authorizedKeysCommand introduced with #82413.

To Reproduce

Steps to reproduce the behavior:
services.openssh.authorizedKeysCommand

Expected behavior

I would expect the SSHd to use the given authorizedKeysCommand to obtain the public SSH key for that particular user and grant access based on that.

Notify maintainers
@aanderse