I wish to create an SSH key pair and store the private SSH key on a USB. My main goal is to only be able to carry out root commands with the USB plugged in. How may I do that? Thanks
Same as with any Linux distro.
ssh-keygen -o -a 200 -t ed25519 -f mynix -N '' -C ''
The mynix file will go to the USB drive and the content of mynix.pub to ~/.ssh/authorized_keys.
@rudolf that’s if you want to use the key for ssh access, but @uzi is talking about sudo access, so more like a Yubikey.
Though the command is correct, what to do with the mynix.pub file differs.
I don’t know if this is a thing that people do on Linux regularly, but I guess you could create a regular user that isn’t part of the wheel group, and another one that can only log in with the ssh key:
users.users.regularUser = {
  isNormalUser = true;
  extraGroups = [ ]; # No 'wheel', so no ‘sudo’ for the user.
  packages = with pkgs; [ ]; # Add your packages here
};
users.users.privilegedUser = {
  isSystemUser = true;
  group = "privilegedUser"; # isSystemUser requires an explicit primary group
  createHome = false;
  useDefaultShell = true; # system users get nologin by default, which would refuse the ssh session
  extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
  hashedPassword = "!"; # Lock the password ("" is an empty password, not a disabled one); sudo for this account must therefore be NOPASSWD
  openssh.authorizedKeys.keys = [
    # Replace this key with the content of `mynix.pub`
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0TI3HN6e20Av12ui7DUCXSa4FBjcWBs4fF5R1ODc9+ regularUser@localhost"
  ];
  packages = with pkgs; [ ]; # I assume this can be removed, but not sure
};
users.groups.privilegedUser = { }; # primary group for the key-only account
Then you’d need to create an alias for sudo for your local user that logs in with ssh locally using the key from the USB drive, probably something like
KEY_DRIVE=/mnt/key-drive
alias sudo='ssh -i "$KEY_DRIVE/mynix" privilegedUser@localhost sudo'
You’d also have to ensure the drive gets auto-mounted at /mnt/key-drive every time it’s plugged in, probably with the fileSystems option.
I don’t know off the top of my head how to integrate these two things in your configuration.nix, but this should be enough to get you started.
The issue with using a key on a USB stick is that it is easily copied. Maybe you want that, I don’t know, but normally a problem like this is solved with a Yubikey. There are some pointers to setting one up in the NixOS Wiki.
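One way to wire the pieces of the snippet above into configuration.nix, as an added example and not code from anyone in this thread. It assumes the two accounts regularUser and privilegedUser from that snippet, a vfat stick with the filesystem label KEYDRIVE, a fixed uid of 1000 for regularUser, and that sshd on this machine is only needed for this loopback hop:

```nix
# Added example (not from this thread). Assumptions: the two accounts from the
# snippet above, a vfat stick labelled KEYDRIVE, regularUser with uid 1000, and
# sshd needed only for this loopback hop.
{ config, pkgs, ... }:

{
  users.users.regularUser.uid = 1000; # fixed uid so the mount options below can name it

  # Mount the stick read-only whenever it is plugged in. vfat has no POSIX
  # permission bits, so uid/umask make the key readable by regularUser alone;
  # ssh refuses a private key that other users can read.
  fileSystems."/mnt/key-drive" = {
    device = "/dev/disk/by-label/KEYDRIVE";
    fsType = "vfat";
    options = [
      "ro" "nofail" "noauto" "x-systemd.automount" "x-systemd.idle-timeout=60"
      "uid=1000" "umask=077"
    ];
  };

  # sshd: loopback only, keys only, and only the key-only account may log in,
  # so the root-capable account is never reachable from the network.
  services.openssh = {
    enable = true;
    listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      AllowUsers = [ "privilegedUser" ];
    };
  };

  # privilegedUser has no password, so its sudo must not ask for one.
  security.sudo.extraRules = [{
    users = [ "privilegedUser" ];
    commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
  }];

  # The alias for every interactive shell. Without the stick the key path does
  # not exist, ssh fails, and nothing runs as root. -t keeps interactive
  # programs (editors, pagers) working; IdentitiesOnly stops ssh offering other keys.
  environment.shellAliases.sudo =
    "ssh -t -i /mnt/key-drive/mynix -o IdentitiesOnly=yes privilegedUser@localhost sudo";
}
```

On first use ssh asks to confirm the localhost host key once; after that the alias behaves like sudo as long as the stick is mounted, and fails with "No such file" for the key when it is not.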
I haven’t tested this in practice, maybe some day I’ll get to it or my notes might serve as inspiration to somebody else to figure it out.
I use yubikey / security key (SK) interchangeably, referring to U2F / FIDO.
From reading, with the combo of
- pam_rssh (GitHub - z4yx/pam_rssh: Remote sudo authenticated via ssh-agent)
- yubikey-agent (GitHub - FiloSottile/yubikey-agent: yubikey-agent is a seamless ssh-agent for YubiKeys.)
one should be able to SSH into a machine and forward the sudo auth request to the security key of the SSH client machine.
This blog post also describes how to replace the password auth with a yubikey touch if a key is present, with fallback to password enabled. Something I personally consider mandatory behaviour in case my SK fails or gets lost.
Thanks man for the information. I will try the above out on my free time. So to confirm, you have not tried this practically on your end right? @don.dfh
Affirmative - I haven’t tried this at home.
It sounds feasible since both projects implement communication over the ssh-agent protocol, but as always the devil is in the details…