Nixos-rebuild remote deployments non root pam

Banged my head against this for quite a while. For this to work, you need to ensure that you:

  • forward an ssh agent (-A or -o ForwardAgent=yes)…
  • …which has your keys added to it (run ssh-add once before, or use -o AddKeysToAgent=yes):

(EDIT: Or put the equivalent in ~/.ssh/config as mentioned above)

{
  security = {
    # Allow passwordless sudo when connecting via ssh (we already auth'd via public key, that's enough)
    # see https://discourse.nixos.org/t/nixos-rebuild-remote-deployments-non-root-pam/50477/19?u=nobodyinperson
    # (rssh instead of sshAgentAuth, which apparently does not support ed25519 keys)
    # When connecting via ssh, make sure to:
    # • use options `-A` or `-o ForwardAgent=yes`
    # • Add your ssh key to your local agent before connecting, e.g.
    #   • manually:      ssh-add;ssh -o ForwardAgent=yes ...
    #   • automatically: ssh -o ForwardAgent=yes -o AddKeysToAgent=yes ...
    pam.rssh.enable = true;
    pam.rssh.settings.auth_key_file = "/etc/ssh/authorized_keys.d/$ruser";
    pam.services.sudo.rssh = true;
  };
}

For the record, you can use the match blocks in ~/.ssh/config to make that permanent. home-manager has options for this. This is what I use:

Host <hostname>
  ForwardAgent yes
  IdentityFile ~/.ssh/tlater.pub

I’m also fairly sure you don’t need AddKeysToAgent.

Of course, this has been mentioned several times in all these topics here 🙂

I tried it, and for me it is necessary. Maybe in some funny setups ssh auto-adds the keys to the agent, I don't know; for me it doesn't, and I need this option at least once or have to run ssh-add manually. I also want this to work in scripts, independent of the host setup, so knowing exactly which flags are really necessary is important for me.