`services.openssh.authorizedKeysCommand` does not seem to take effect

samuela · November 22, 2023, 11:40am

I’m trying to use the services.openssh.authorizedKeysCommand config option, but my command is not being run by sshd.

I have the following in my /etc/nixos/configuration.nix

  services.openssh.settings.LogLevel = "DEBUG";
  services.openssh.settings.PasswordAuthentication = false;
  services.openssh.settings.PermitRootLogin = lib.mkForce "no";
  services.openssh.authorizedKeysCommand = ''/ssh-proxy/authorized_keys_command "%u" "%t" "%k"'';

and /ssh-proxy/authorized_keys_command is a Python script:

#! /usr/bin/env nix-shell
#! nix-shell -i python3 -p python3
with open("/tmp/hey", "w") as file:
    file.write("hey something happened!")
raise

which has the appropriate permissions:

[server] ❯ ls -al /ssh-proxy/authorized_keys_command
-rwxr-xr-x 1 root users 584 Nov 22 10:37 /ssh-proxy/authorized_keys_command

But when attempting to SSH in I’m finding that I’m getting rejected:

[client] ❯ ssh foobar@bitbop.io
foobar@bitbop.io: Permission denied (publickey,keyboard-interactive).

and the absence of /tmp/hey and logs from sudo journalctl -u sshd -f indicate that our authorized_keys_command has not been executed.

(I’ve put the sshd_config and output from sudo journalctl -u sshd -f in this gist.)

Why is authorized_keys_command not being executed as configured? Is this a bug?

samuela · November 22, 2023, 12:05pm

An interesting thing here is that logging in as a “regular” user with a declared public key works without issue. I would expect those ought to go through authorized_keys_command as well?

samuela · November 22, 2023, 6:26pm

There are a handful of things going wrong right now, and I haven’t pinpointed the exact issue yet but using /run/current-system/sw/bin/sshd -ddd -D -f /test_sshd_config to run one-off sshd sessions has increased debugging velocity.

One observation is that #! /usr/bin/env nix-shell does not seem to work with AuthorizedKeysCommand:

debug3: subprocess: AuthorizedKeysCommand command "/ssh-proxy/authorized_keys_command skainswo" running as skainswo (flags 0x6)
...
debug3: subprocess: AuthorizedKeysCommand pid 43090
...
/usr/bin/env: 'nix-shell': No such file or directory
debug2: auth_check_authkeys_file: /ssh-proxy/authorized_keys_command "%u": processed 0/0 lines
AuthorizedKeysCommand /ssh-proxy/authorized_keys_command skainswo failed, status 127

and neither does #! /usr/bin/env bash.

Anyone have any ideas how to get a working script shebang here?

aanderse · November 22, 2023, 6:52pm

you should probably just use something writeShellApplication then either use tmpfiles to copy/paste it into a directory you find acceptable, or environment.etc… and then you can avoid nasty nix-shell shebangs which might end up with you waiting a long time to ssh into your server on occasion

samuela · November 22, 2023, 6:54pm

Thansk @aanderse ! try that now… ooc why don’t #! /usr/bin/env * shebangs work here?

aanderse · November 22, 2023, 8:23pm

i don’t think /usr/bin/env is the problem - nix-shell is. you’ve made the assumption that nix-shell is available inside the sshd service, which it is not. presumably if you added the nix package to the systemd service, as well as the environment variables & configuration required for nix-shell to work (like NIX_PATH) then your script would work…

at this point you can probably see more than a few reasons why i suggested what i did

so did everything work out?

samuela · November 24, 2023, 9:07pm

Thanks @aanderse ! That makes sense

so did everything work out?

yes… in the sense that I ended up just writing a custom SSH server instead of messing with OpenSSH