post(ssh-cert): nixos should use AuthorizedPrincipalsFile

Ming Di Leom 2023-02-21 07:00:41 +00:00
parent 7b19b136c7
commit 94da2a438e
GPG Key ID: 32D3E28E96A695E8
1 changed files with 29 additions and 2 deletions


@ -2,7 +2,7 @@
title: SSH certificate using Cloudflare Tunnel title: SSH certificate using Cloudflare Tunnel
excerpt: A quick quide to SSH certificate without using an identity provider. excerpt: A quick quide to SSH certificate without using an identity provider.
date: 2023-02-13 date: 2023-02-13
updated: 2023-02-18 updated: 2023-02-21
tags: tags:
- cloudflare - cloudflare
--- ---
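Review bot: the only change in this hunk is the `updated` date, but the unchanged `excerpt` context line still reads "A quick quide to SSH certificate"; since the front matter is being edited anyway, correct "quide" to "guide" in the same commit.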
@ -143,6 +143,33 @@ Match user lipsum
AuthorizedPrincipalsCommandUser nobody AuthorizedPrincipalsCommandUser nobody
``` ```
### AuthorizedPrincipalsFile
For NixOS user, `AuthorizedPrincipalsCommand` will not work because the command will run within "/nix/store" but it is read-only. Instead, you should use `AuthorizedPrincipalsFile`. This config also enables you to match multiple emails to a username, just separate each email user by newline. This applies to all OpenSSH instances, not just NixOS.
`echo 'loremipsum' | sudo tee /etc/ssh/authorized_principals`
````nix /etc/nixos/configuration.nix
services.openssh = {
enable = true;
permitRootLogin = "no";
passwordAuthentication = false;
# ports = [ 1234 ];
extraConfig =
''
TrustedUserCAKeys /etc/ssh/ca.pub
Match User lipsum
AuthorizedPrincipalsFile /etc/ssh/authorized_principals
# if there is no existing AuthenticationMethods
AuthenticationMethods publickey
'';
};
```
### Other use cases
https://developers.cloudflare.com/cloudflare-one/identity/users/short-lived-certificates/#2-ensure-unix-usernames-match-user-sso-identities
## Initiate SSH connection ## Initiate SSH connection
Install `cloudflared` on the host that you're going to SSH from. Install `cloudflared` on the host that you're going to SSH from.
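Review bot: the fence lengths in the new Nix block do not match: it opens with four backticks (````nix /etc/nixos/configuration.nix) but closes with three (```). A closing fence must be at least as long as the opening one, so this block will not terminate here and the "### Other use cases" and "## Initiate SSH connection" headings after it will render as code; use the same number of backticks on both lines. Two smaller points: the sentence "the command will run within "/nix/store" but it is read-only" does not say what actually fails with `AuthorizedPrincipalsCommand` on NixOS, so a one-line explanation (or a link) would help readers judge whether it applies to them; and the "Other use cases" heading contains only a bare URL, so a short sentence describing what that Cloudflare page covers would make the section self-explanatory.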
@ -156,7 +183,7 @@ Match host test.yourdomain.com exec "/usr/local/bin/cloudflared access ssh-gen -
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
IdentityFile ~/.cloudflared/%h-cf_key IdentityFile ~/.cloudflared/%h-cf_key
CertificateFile ~/.cloudflared/%h-cf_key-cert.pub CertificateFile ~/.cloudflared/%h-cf_key-cert.pub
``` ````
or or
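Review bot: this hunk changes the closing fence of the ssh config block from ``` to ````. The block's opening fence is outside the hunk, so unless it was also changed to four backticks this closing line no longer matches it and the block will not close where intended; if the intent was to repair the four-backtick fence opened in the Nix block earlier in this commit, fix that block's own closing fence instead.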