I’m a little bit puzzled: I cannot find resources on how to set up user SSH keys declaratively in NixOS.
Looking forward to any suggestions.
Could you be more specific about what you are trying to set up? SSH keys are a big topic.
Sure. Basically I want to add the SSH keypair for a specific user (/home/user/.ssh/id_rsa and /home/user/.ssh/id_rsa.pub).
Where would this come from? Would you want the NixOS config to “copy” from the source to the home dir?
NixOS isn’t particularly good at managing home dirs. This would be a manual step. I would just use the regular dotfiles+stow approach.
Some may recommend home-manager; I am not a fan, except perhaps for managing user services.
Here’s my criticism of hm, where I call hm a nix-lover’s hammer and a cause of needless confusion: nixos/onedrive: init by SRGOM · Pull Request #77734 · NixOS/nixpkgs · GitHub
NixOS doesn’t manage secrets. Your SSH key is a secret. You should not try to use NixOS to manage this key.
If you’re talking about adding keys to the authorized_keys file, then have a look at these options:
https://nixos.org/nixos/options.html#users.users.<name%3F>.openssh.authorizedkeys
Generating keys with Nix and managing the secret part of the key with Nix is a very bad idea, as it would be world-readable in the Nix store. The best you could do is use nixops for that, or declare a service that generates those keys on service start, something like this for example (this is not an SSH key, but it generates a secret):
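As an added illustration (an example written for this page, not code posted by anyone in the thread), the following configuration.nix fragment does the two things the replies above distinguish: it puts a user’s public key into authorized_keys through users.users.<name>.openssh.authorizedKeys, which is safe to keep in the store because a public key is not a secret, and it declares a oneshot systemd service that generates the user’s private key on the host at boot if none exists yet, so the private half never enters the world-readable /nix/store. The user name alice, the key comment, and the placeholder public-key string are assumptions; services.openssh.settings is the option name on recent NixOS releases (older releases spell it services.openssh.passwordAuthentication).

```nix
# Added example, not code from the thread. Assumptions: user "alice", key
# comment and placeholder public key are illustrative; adjust to taste.
{ config, pkgs, lib, ... }:

{
  services.openssh = {
    enable = true;
    settings = {
      # Key-only logins: the authorized_keys entries below are the only way in.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };

  users.users.alice = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # Public keys only. These end up in the Nix store, which is fine:
    # they are meant to be public.
    openssh.authorizedKeys.keys = [
      # Constructed placeholder; replace with the real contents of id_ed25519.pub.
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER alice@laptop"
    ];
  };

  # Generate alice's *private* keypair on the machine itself, at boot, only if
  # it does not exist yet. Nothing secret is evaluated by Nix or copied into
  # /nix/store; ssh-keygen writes the file directly into her home with 0600.
  systemd.services.alice-ssh-keygen = {
    description = "Generate an SSH keypair for alice if none exists";
    wantedBy = [ "multi-user.target" ];
    after = [ "local-fs.target" ];
    # Skip entirely once the private key is present (the "!" negates the check).
    unitConfig.ConditionPathExists = "!/home/alice/.ssh/id_ed25519";
    serviceConfig = {
      Type = "oneshot";
      User = "alice";
      Group = "users";
      UMask = "0077";
    };
    path = [ pkgs.openssh ];
    script = ''
      mkdir -p /home/alice/.ssh
      chmod 700 /home/alice/.ssh
      # Empty passphrase so the key is usable by unattended services; use a
      # passphrase here if the key is only for interactive use.
      ssh-keygen -t ed25519 -N "" \
        -C "alice@${config.networking.hostName}" \
        -f /home/alice/.ssh/id_ed25519
    '';
  };
}
```

After `nixos-rebuild switch`, check `ls -l /home/alice/.ssh` (the private key should be mode 0600, owned by alice) and confirm with `nix-store -q --references /run/current-system | xargs grep -l PRIVATE 2>/dev/null` that no PRIVATE KEY block is present in anything the system closure references. If you need the same key on several hosts, this approach does not help: a key generated per machine stays on that machine, and distributing an existing private key still needs a secrets tool or a manual copy, as the thread says.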
Thanks for all your replies.
Where would this come from? Would you want the NixOS config to “copy” from the source to the home dir?
Basically the key already exists. The idea was to have something in my configuration.nix that takes care of copying SSH keys to my home directory.
NixOS doesn’t manage secrets. Your SSH key is a secret. You should not try to use NixOS to manage this key.
Mhhh. I see, so basically the recommendation would be to handle this kind of stuff manually?
If you’re talking about adding keys to the authorized_keys file
Nah, I’m talking about the public/private key of a user. Basically nixops might be an option, since I’m currently running NixOS only on a Raspberry Pi. But I wanted to get a little more into it to replace my Archlinux installation.
I guess I understand the basic problem: when managing this kind of thing with Nix, it would be readable in the Nix store.
You are correct. The unfortunate situation is that you should either manually manage your secrets on NixOS, or use some other solution.
@aanderse Is there a good overview of best practices regarding storing passwords/private keys/API keys in external files and importing them via Nix? I’ve heard of people using a secrets.nix, or git-crypt… Things like a weechat/slack API key, for example.
There are some people working on a standardized approach that NixOS can endorse, but nothing has really settled yet. I’m sure some people here can give some good suggestions.
Do you happen to have a post regarding this setup (or would you recommend one)?
There’s a nice overview of techniques here: Comparison of different key/secret managing schemes - #22 by ctem
Ultimately you will always need to manage at least one key manually, though the overhead can be controlled.