Setting up ssh keys for sudo access

I wish to create an SSH key pair and store the private SSH key on a USB. My main goal is to only be able to carry out root commands with the USB plugged in. How may I do that? Thanks

Same as with any Linux distro.

ssh-keygen -o -a 200 -t ed25519 -f mynix -N '' -C ''

The mynix file will go to the USB drive and the content of the public key to ~/.ssh/authorized_keys.

@rudolf that’s if you want to use the key for ssh access, but @uzi is talking about sudo access, so more like a Yubikey.

Though the command is correct, what to do with the file differs.

I don’t know if this is a thing that people do on Linux regularly, but I guess you could create a regular user that isn’t part of the wheel group, and another one that can only log in with the ssh key:

  users.users.regularUser = {
    isNormalUser = true;
    extraGroups = [ ]; # No 'wheel', no 'sudo' for the user.
    packages = with pkgs; [ ]; # Add your packages here
  };

  users.users.privilegedUser = {
    # A normal user rather than isSystemUser: system users get the nologin
    # shell by default, so sshd could not open a session for them.
    isNormalUser = true;
    createHome = false;
    extraGroups = [ "wheel" ]; # Enable 'sudo' for the user.
    hashedPassword = "!"; # Locked password field: no password-based login for this user
    openssh.authorizedKeys.keys = [
      # Replace this key with the content of ``
      "ssh-ed25519 AAAAC3NzaC1lZDI1PTE5AAAAIL0TI3HN6e20Av12ui7DUCXSa4FBjcWBs4fF5R1ODc9+ regularUser@localhost"
    ];
    packages = with pkgs; [ ]; # I assume this can be removed, but not sure
  };

Then you’d need to create an alias for sudo for your local user that logs in with ssh locally using the key from the USB drive, probably something like

alias sudo='ssh -t -i /mnt/key-drive/mynix privilegedUser@localhost sudo'

You’d also have to ensure the drive gets auto-mounted at /mnt/key-drive every time it’s plugged in, probably with the fileSystems option.

I don’t know off the top of my head how to integrate these two things in your configuration.nix, but this should be enough to get you started.

The issue with using a key on a USB stick is that it is easily copied. Maybe you want that, I don’t know, but normally a problem like this is solved with a Yubikey. There are some pointers to setting one up in the NixOS Wiki.
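As an added example (an editor's illustration, not code from the posts above or from NixOS), here is a shell wrapper that replaces the one-line alias and fails closed when the drive is absent. It assumes the key drive is mounted at /mnt/key-drive, that the private key there is called mynix and that the wheel-group account is privilegedUser, as in the post above; the function names, the IdentityAgent/IdentitiesOnly options and the quoting helper are assumptions of this example, as is GNU stat and a bash login shell on the privilegedUser side.

```shell
#!/usr/bin/env bash
# usbsudo: replacement for the `alias sudo=ssh ...` idea in the thread.
# Example code added for this thread, not from any of the posters.
# Assumed names (not from the thread, override via environment): the USB
# drive is mounted at /mnt/key-drive, the private key on it is mynix and
# the wheel-group account is privilegedUser. Source this file from ~/.bashrc.

KEY_DRIVE="${KEY_DRIVE:-/mnt/key-drive}"
KEY_FILE="${KEY_FILE:-$KEY_DRIVE/mynix}"
PRIV_USER="${PRIV_USER:-privilegedUser}"

# Fail closed: proceed only if the key file exists on the drive and is
# readable by its owner alone. ssh rejects a group/world-readable private
# key anyway, but checking first gives a clear error instead of ssh's
# "Permissions ... are too open" followed by a password prompt.
# Return codes: 0 ok, 2 key missing (drive not plugged in / not mounted),
# 3 key permissions too open. Uses GNU stat (-c), as on NixOS.
usbsudo_check() {
  local key="$1" mode
  if [ ! -f "$key" ]; then
    echo "usbsudo: $key not found; is the key drive plugged in and mounted?" >&2
    return 2
  fi
  mode=$(stat -c '%a' "$key") || return 2
  case "$mode" in
    600|400) return 0 ;;
    *)
      echo "usbsudo: refusing $key with mode $mode (expected 600 or 400)" >&2
      return 3 ;;
  esac
}

# Build the command line executed on the privilegedUser side. ssh joins its
# trailing arguments with spaces and hands the result to the remote login
# shell, so `ssh ... sudo "$@"` silently breaks on arguments containing
# spaces or shell metacharacters. Each argument is single-quoted here (an
# embedded ' becomes '\'') so the remote shell sees the argv the caller
# typed. `--` stops sudo from treating the first argument as its own option.
usbsudo_remote_cmd() {
  local out="sudo --" arg
  for arg in "$@"; do
    arg=$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")
    out="$out '$arg'"
  done
  printf '%s\n' "$out"
}

# Run a command as root through the local privileged account.
#   -t                       allocate a pty so sudo prompts and editors work
#   IdentitiesOnly=yes and   authenticate with the USB key only: a key cached
#   IdentityAgent=none       in ssh-agent or lying in ~/.ssh must not satisfy
#                            the "USB plugged in" requirement by itself
#   PasswordAuthentication=no  never fall back to a password prompt
# The remote session starts in privilegedUser's home (or / if it has none),
# so pass absolute paths rather than relative ones.
usbsudo() {
  if [ $# -eq 0 ]; then
    echo "usage: usbsudo COMMAND [ARG...]" >&2
    return 64
  fi
  usbsudo_check "$KEY_FILE" || return $?
  local remote
  remote=$(usbsudo_remote_cmd "$@")
  ssh -t \
      -o IdentitiesOnly=yes \
      -o IdentityAgent=none \
      -o PasswordAuthentication=no \
      -i "$KEY_FILE" \
      "$PRIV_USER@localhost" "$remote"
}
```

Source the file from ~/.bashrc and run e.g. `usbsudo systemctl restart nginx`. The NixOS side still has to cooperate: because the privileged account has no password, sudo for it must not prompt (security.sudo.wheelNeedsPassword = false, or a more specific NOPASSWD rule in security.sudo.extraRules), and the private key must exist nowhere but on the stick, since anyone who copies it has root on the box.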

@iFreilicht @rudolf Thank you both for your replies. I will experiment with these.

I haven’t tested this in practice, maybe some day I’ll get to it or my notes might serve as inspiration to somebody else to figure it out :wink:

I used yubikey/ security key (SK) interchangeably - referring to U2F/ FIDO.

From reading, with the combo of

One should be able to SSH into a machine and forward the sudo auth request to the security key of the SSH client machine

This blog-post also describes how to replace the password auth with a yubikey touch if a key is present, with fallback to password enabled, something I personally consider mandatory behaviour in case my SK fails or gets lost.

Thanks man for the information. I will try the above out in my free time. So to confirm, you have not tried this practically on your end, right? @don.dfh

Affirmative - I haven’t tried this at home :wink:

It sounds feasible since both projects implement communication over the ssh-agent protocol, but as always the devil is in the details…

