From ea84edd52860a583f9ad79529980694f8ae6aa19 Mon Sep 17 00:00:00 2001
From: Peter Simons
Date: Tue, 12 Jul 2011 10:34:27 +0000
Subject: [PATCH] modules/services/networking/ssh/sshd.nix: added new boolean options usePAM and passwordAuthentication

Setting both of these options to 'false' configures the OpenSSH daemon to reject password authentication, i.e. users must have an appropriate key in ~/.ssh/authorized_keys in order to be able to log in.

svn path=/nixos/trunk/; revision=27732
---
 modules/services/networking/ssh/sshd.nix | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 0533201e021..66f2f0961b2 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -76,7 +76,25 @@ in
 Specifies on which ports the SSH daemon listens.
 '';
 };
-
+
+ usePAM = mkOption {
+ default = true;
+ description = ''
+ Specifies whether the OpenSSH daemon uses PAM to authenticate
+ login attempts.
+ '';
+ };
+
+ passwordAuthentication = mkOption {
+ default = true;
+ description = ''
+ Specifies whether password authentication is allowed. Note
+ that setting this value to false is most
+ probably not going to have the desired effect unless
+ usePAM is disabled as well.
+ '';
+ };
+
 extraConfig = mkOption {
 default = "";
 description = "Verbatim contents of sshd_config.";
@@ -139,7 +157,7 @@ in
 ''
 Protocol 2
- UsePAM yes
+ UsePAM ${if cfg.usePAM then "yes" else "no"}
 ${concatMapStrings (port: ''
 Port ${toString port}
@@ -158,6 +176,7 @@ in
 PermitRootLogin ${cfg.permitRootLogin}
 GatewayPorts ${cfg.gatewayPorts}
+ PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
 '';
 };
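Review bot: The `usePAM` description added in the first hunk (the option set around line 76) does not say what else is lost when it is set to false. Per sshd_config(5), `UsePAM no` disables PAM account and session module processing as well as PAM authentication, so checks and session setup done in those modules no longer apply to SSH logins. Since the `passwordAuthentication` text steers users toward disabling it, I would append a sentence such as `Disabling this also turns off PAM account and session processing for SSH logins.` I would also have the `passwordAuthentication` description give the reason for its caveat: with PAM enabled, challenge-response authentication can still ask for a password. The enclosing option set starts and ends outside this hunk.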
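Review bot: With `passwordAuthentication = false` and `usePAM` left at its default, the config generated in the third hunk (the line added after `GatewayPorts`) still leaves `ChallengeResponseAuthentication` at the OpenSSH default of yes. sshd can therefore keep prompting for a password through PAM, which is the situation the option's own description warns about. Rather than requiring users to give up PAM, I would emit the companion directive next to the new line: `ChallengeResponseAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}`. It is also worth confirming where `extraConfig` lands relative to these directives, since sshd keeps the first value it reads for a keyword; that ordering is not visible in this hunk.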