privatevoid.net/depot
1
1
Fork 0
Code Issues 23 Pull requests 2 Projects 3 Releases Packages Wiki Activity Actions

cluster/services/idm: enable sudo auth with pam_rssh

Browse source
This commit is contained in:
Max Headroom 2023-12-06 01:01:09 +01:00
parent 42e2fb5af6
commit 400664edf8
1 changed files with 18 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
cluster/services/idm/client.nix
View file

@ -38,6 +38,24 @@ in
authorizedKeysCommandUser = "nobody"; authorizedKeysCommandUser = "nobody";
}; };
security = {
pam.services.sudo = { config, ... }: {
rules.auth.rssh = {
order = config.rules.auth.unix.order - 10;
control = "sufficient";
modulePath = "${pkgs.pam_rssh}/lib/libpam_rssh.so";
settings = {
authorized_keys_command = "/etc/ssh/authorized_keys_command_kanidm";
authorized_keys_command_user = "nobody";
};
};
};
sudo.extraConfig = ''
Defaults env_keep+=SSH_AUTH_SOCK
'';
};
environment.systemPackages = let environment.systemPackages = let
idmAlias = pkgs.runCommand "kanidm-idm-alias" {} '' idmAlias = pkgs.runCommand "kanidm-idm-alias" {} ''
mkdir -p $out/bin mkdir -p $out/bin