Nix remote builders with yubikey-agent

Is there a way to use nix remote builds with a Yubikey (using yubikey-agent)?

I’m trying to avoid maintaining a separate passwordless ssh key and would like to use the yubikey for auth. SSH-ing into the machine works without any interaction, but nix build fails to authenticate.

warning: Git tree '.../nixpkgs' is dirty
cannot build on 'ssh://marin@xx.local': error: cannot connect to 'marin@xx.local': Permission denied, please try again.
Permission denied, please try again.
Received disconnect from fd1d:xxxx:xxxx::xxx port 22:2: Too many authentication failures
Disconnected from fd1d:xxxx:xxxx::xxx port 22
$ ssh marin@xx.local
no-rc enabled
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
marin@xx ~> 

It needs to be configured so that the nix-daemon process, which runs as root, can do it.

Thanks for the response and sorry for the delay. I played with it a bit but didn’t get a working solution. Any chance you could post a sample config?

Passing --build-host on the command line works for nixos-rebuild in combination with --use-remote-sudo, so what you’re saying makes sense. yubikey-agent in nixpkgs is run as a user service, and it looks like root can’t access it.
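
One way to express what the reply above describes, as an added example that is not from any poster in this thread or from the Nix or yubikey-agent projects: a NixOS module that tells every local ssh client, including the one started by the root-owned nix-daemon, to use the user's agent socket for the builder host. The UID, socket path, system and maxJobs values are assumptions; `xx.local` and `marin` are the redacted names from the question.

```nix
# Added example: point the ssh run by nix-daemon (root) at the user's
# yubikey-agent socket for one builder host only.
{ ... }:
let
  # Assumption: the desktop user has UID 1000 and yubikey-agent listens here.
  # Confirm with `echo $SSH_AUTH_SOCK` inside that user's session.
  agentSocket = "/run/user/1000/yubikey-agent/yubikey-agent.sock";

  # Redacted host name exactly as it appears in the question.
  builderHost = "xx.local";
in
{
  # Runs yubikey-agent as a user service, as described in the thread.
  services.yubikey-agent.enable = true;

  nix.distributedBuilds = true;
  nix.buildMachines = [
    {
      hostName = builderHost;
      sshUser = "marin";
      protocol = "ssh";
      system = "x86_64-linux"; # assumption: builder architecture
      maxJobs = 4;             # assumption
      # No sshKey: authentication is left to the agent named below.
    }
  ];

  # Written to the system-wide ssh_config, so it also applies to root.
  # IdentityAgent overrides SSH_AUTH_SOCK, which nix-daemon does not inherit
  # from the user's session. Scoping it to one Host keeps root's other ssh
  # connections away from the hardware key.
  programs.ssh.extraConfig = ''
    Host ${builderHost}
      IdentityAgent ${agentSocket}
  '';
}
```

The socket only exists while that user is logged in, and any touch or PIN prompt from the key still appears in the user's session. Root also needs the builder's host key in its known hosts before the daemon can connect.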