alex/nixos-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tadpole: Scope authorized_keys_command to alex

Browse Source 
The command was hijacking auth for all users, including `gitea`, which
broke `git push` over SSH — `gitea`'s `authorized_keys` (with the
`gitea serv` command restriction) was being bypassed, and sshd would
try to exec the raw `git-receive-pack` instead.

Pass `%u` to the command and short-circuit unless the requested user
is `alex`, so other users fall back to their own `~/.ssh/authorized_keys`.
This commit is contained in:
Alexander Heldt
2026-06-03 12:57:27 +02:00
parent 331a86deb0
commit 2606f1a1c6
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
hosts/tadpole/modules/ssh/default.nix
+2 -1
View File
@@ -48,6 +48,7 @@ in
mode = "0755"; mode = "0755";
text = '' text = ''
#!${pkgs.bash}/bin/bash #!${pkgs.bash}/bin/bash
[ "$1" = "alex" ] || exit 0
for file in ${authorizedKeysPath}/*; do for file in ${authorizedKeysPath}/*; do
${pkgs.coreutils}/bin/cat "$file" ${pkgs.coreutils}/bin/cat "$file"
done done
@@ -71,7 +72,7 @@ in
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
}; };
authorizedKeysCommand = "/etc/ssh/authorized_keys_command"; authorizedKeysCommand = "/etc/ssh/authorized_keys_command %u";
authorizedKeysCommandUser = "root"; authorizedKeysCommandUser = "root";
}; };
}; };