Jan/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Updated SSH to use GSSAPI

Browse Source
This commit is contained in:
Jan-Bulthuis 2025-06-11 14:13:25 +02:00
parent af9f7e0ee0
commit d8327c3edf
1 changed files with 15 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
modules/nixos/domain.nix
View File

@ -40,6 +40,8 @@ in
systemd.services.adcli-join = { systemd.services.adcli-join = {
description = "Automatically join the domain"; description = "Automatically join the domain";
wantedBy = [ "default.target" ]; wantedBy = [ "default.target" ];
before = [ "sssd.service" ];
requiredBy = [ "sssd.service" ];
after = [ after = [
"network-online.target" "network-online.target"
]; ];
@ -84,7 +86,7 @@ in
[sssd] [sssd]
domains = ${domain} domains = ${domain}
config_file_version = 2 config_file_version = 2
services = nss, pam, ssh services = nss, pam
[nss] [nss]
filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)} filter_users = ${concatStringsSep "," (lib.attrNames config.users.users)}
@ -107,21 +109,16 @@ in
dyndns_update_ptr = False dyndns_update_ptr = False
dyndns_refresh_interval = 86400 dyndns_refresh_interval = 86400
dyndns_ttl = 3600 dyndns_ttl = 3600
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
''; '';
}; };
systemd.services.sssd = {
after = [ "adcli-join.service" ];
requires = [ "adcli-join.service" ];
};
security.pam.services.login.sssdStrictAccess = true; security.pam.services.login.sssdStrictAccess = true;
security.pam.services.sshd.sssdStrictAccess = true; security.pam.services.sshd.sssdStrictAccess = true;
security.pam.services.su.sssdStrictAccess = true;
# Set up Sudo # Set up Sudo
security.sudo = security.sudo =
let let
admin_group = (lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName) + "_admin"; admin_group = "host_${lib.replaceStrings [ "-" ] [ "_" ] config.networking.hostName}_admin";
in in
{ {
extraConfig = '' extraConfig = ''
@ -129,6 +126,13 @@ in
''; '';
}; };
# Set up SSH
services.openssh.settings = {
GSSAPIAuthentication = true;
GSSAPICleanupCredentials = true;
GSSAPIStrictAcceptorCheck = true;
};
# Set up home directory # Set up home directory
security.pam.services.login.makeHomeDir = true; security.pam.services.login.makeHomeDir = true;
security.pam.services.sshd.makeHomeDir = true; security.pam.services.sshd.makeHomeDir = true;
@ -181,8 +185,10 @@ in
if id | egrep -o 'groups=.*' | sed 's/,/\n/g' | cut -d'(' -f2 | sed 's/)//' | egrep -o "^domain users$"; then if id | egrep -o 'groups=.*' | sed 's/,/\n/g' | cut -d'(' -f2 | sed 's/)//' | egrep -o "^domain users$"; then
echo "Setting up environment for domain user" echo "Setting up environment for domain user"
SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate SKIP_SANITY_CHECKS=1 ${homeConfiguration.activationPackage}/activate
if test -f "$HOME/.bashrc"; then
. $HOME/.bashrc . $HOME/.bashrc
fi fi
fi
''; '';
# Automatically mount home share # Automatically mount home share