Help configuring openssh on nixos

Help
1

So im trying to configure ssh to create a host configuration, i have the following module:

{ lib, config, ... }:
{
  options.modules.security.openssh.enable = 
    lib.mkEnableOption "enable openssh module";
  config = lib.mkIf config.modules.security.openssh.enable {
    services.openssh = {
      enable = true;
      startWhenNeeded = false; # systemd will start an instance for each incoming connection
      settings.PermitRootLogin = "no";
      settings.PasswordAuthentication = false; # require public key authentication
      hostKeys = [
        {
          comment = "${config.networking.hostName}.local";
          path = "/etc/ssh/ssh_host_ed25519_key";
          rounds = 64;
          type = "ed25519";
        }
      ];
    };
  };
}

im trying to do 2 things:

  • be able to use this key as verification to login on github for example a good test would be ssh -T git@github.com
  • on the host ssh creation also convert to a age key using ssh-to-age to be able to use on sops
2

That config creates an ssh server, not an ssh configuration for your user. You won’t be able to log into github with that key.

With purely NixOS options, programs.ssh exists, but it would set full-host configuration, which is almost certainly not what you want for an ssh configuration you’re going to be logging into github with.

Use home-manager, or configure ssh by hand.

In either case, you should create a key at runtime and treat it as data; keys are inherently not the type of thing you want to be reproducible, that’s kind of defeating the purpose of a key.

If you want your keys to be associated with a specific device (i.e., one key for every host you use), and you really don’t want to create it by hand, write a systemd user unit that creates the key if it does not exist and make it WantedBy=default.target. For entropy and key consistency’s sake I’d recommend running ssh-keygen by hand, though, you’ll need to manually add any generated keys to your github profile anyway.

1 Like
3

i see, i tough that since i can use ssh key to authenticate a host that key should be the one used.
with this i was going to move the key that i normally use to the host key created. better leave at it is them, and have two separated keys for this.

4

Yes, definitely don’t share your host’s SSH key with your user. It’s good practice to reuse keys as little as reasonable anyway.

You might want to read a bit into how asymmetric key encryption works, and how SSH uses it. It’s a tool people involved with the software world use all the time, having a good understanding of its security model and what it even does is quite important.

1 Like