From 2606f1a1c6bba2e9c75820243c0ba00c78b3085e Mon Sep 17 00:00:00 2001
From: Alexander Heldt
Date: Wed, 3 Jun 2026 12:57:27 +0200
Subject: [PATCH] tadpole: Scope `authorized_keys_command` to `alex`
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The command was hijacking auth for all users, including `gitea`, which broke `git push` over SSH — `gitea`'s `authorized_keys` (with the `gitea serv` command restriction) was being bypassed, and sshd would try to exec the raw `git-receive-pack` instead. Pass `%u` to the command and short-circuit unless the requested user is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.
---
 hosts/tadpole/modules/ssh/default.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hosts/tadpole/modules/ssh/default.nix b/hosts/tadpole/modules/ssh/default.nix
index 55d5d37..dbaba29 100644
--- a/hosts/tadpole/modules/ssh/default.nix
+++ b/hosts/tadpole/modules/ssh/default.nix
@@ -48,6 +48,7 @@ in
       mode = "0755";
       text = ''
         #!${pkgs.bash}/bin/bash
+        [ "$1" = "alex" ] || exit 0
         for file in ${authorizedKeysPath}/*; do
           ${pkgs.coreutils}/bin/cat "$file"
         done
@@ -71,7 +72,7 @@ in
         KbdInteractiveAuthentication = false;
       };
 
-      authorizedKeysCommand = "/etc/ssh/authorized_keys_command";
+      authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
       authorizedKeysCommandUser = "root";
     };
   };
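Review bot: The guard added in the first hunk hard-codes the login name `alex` inside the script body, while the account itself is presumably declared elsewhere in the configuration, so renaming that account would silently turn the command into a no-op and leave the user with no keys; lifting the name into the same `let` block that defines `authorizedKeysPath` keeps the two from drifting. The line also deserves a comment stating why it exits successfully with no output, since that empty, zero-status result is what makes sshd fall through to `AuthorizedKeysFile` for every other account: `# Only answer for alex; any other user gets no output so sshd falls back to AuthorizedKeysFile`. The same comment should note that this depends on the `%u` argument added in the second hunk — if the argument were ever dropped from `authorizedKeysCommand`, `$1` would be empty and the script would fail closed for `alex` as well, which is the safe direction but easy to misread as a broken key path. The `text = ''…''` attribute and the surrounding attribute set close outside the first hunk.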