SSH host based auth

flake.nix

@@ -69,6 +69,8 @@
       let
         pkgs = nixpkgs.legacyPackages.${system};
 
+        colmena = inputs.colmena.defaultPackage.${system};
+
         pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
           src = ./.;
           hooks = {

gathered/manager/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzkFbPeDhbSD7K+gJZ7peJYe36kyKKHsLnQWGTxJptq root@nixos

gathered/node-00/ssh_host_ed25519_key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos

machines.nix

@@ -5,6 +5,8 @@ let
     localSystem.system = "x86_64-linux";
   };
 
+  nrNodes = 1;
+
 in
 with deploymentPkgs.lib; let
 
@@ -31,7 +33,8 @@ with deploymentPkgs.lib; let
     (i: nameValuePair
       "node-${fixedWidthNumber 2 i}"
       (mkMachine "node" { id = i; })
-    ) 16));
+    )
+    nrNodes));
 
 in
 {

machines/manager/cache.nix

@@ -20,4 +20,8 @@
       };
     };
   };
+
+  hpc.hostFile.aliases = [
+    "cache.${config.networking.domain}"
+  ];
 }

machines/manager/default.nix

@@ -10,6 +10,7 @@ with lib;
     ./network.nix
     ./nfs.nix
     ./ldap.nix
+    ./users.nix
     #./beegfs.nix
     ./ntp.nix
     #./gateway.nix

machines/manager/ldap.nix

@@ -50,4 +50,8 @@ in
   sops.secrets."ldap/root/password" = {
     owner = "openldap";
   };
+
+  hpc.hostFile.aliases = [
+    "ldap.${config.networking.domain}"
+  ];
 }

machines/manager/netinstall.nix

@@ -26,4 +26,8 @@
       };
     };
   };
+
+  hpc.hostFile = [
+    "boot.${config.networking.domain}"
+  ];
 }

machines/manager/network.nix

@@ -10,4 +10,8 @@
     address = "10.32.30.1";
     interface = "enp11s0f0";
   };
+
+  networking.firewall.trustedInterfaces = [
+    "enp11s0f0"
+  ];
 }

machines/manager/nfs.nix

@@ -2,7 +2,7 @@
   services.nfs.server = {
     enable = true;
     exports = ''
-      /home   node*.${config.networking.domain}(rw)
+      /home   node-*.${config.networking.domain}(rw,no_root_squash)
     '';
   };
 }

machines/manager/users.nix

@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+
+{
+  programs.ssh = {
+    package = pkgs.openssh.overrideAttrs (final: prev: {
+      patches = prev.patches ++ [
+        ../../patches/openssh-keysign-check-remove.patch
+      ];
+    });
+
+    extraConfig = ''
+      	    EnableSSHKeysign yes
+
+            Host node-*.${config.networking.domain}
+              HostbasedAuthentication yes
+    '';
+  };
+
+  security.wrappers."ssh-keysign" = {
+    source = "${pkgs.openssh}/libexec/ssh-keysign";
+    setuid = true;
+    owner = "root";
+    group = "root";
+  };
+}

machines/node/default.nix

@@ -8,6 +8,7 @@ with lib;
     ./hardware.nix
     ./disk.nix
     ./network.nix
+    ./users.nix
   ];
 
   deployment = {

machines/node/users.nix

@@ -1,16 +1,11 @@
-{
-  users.ldap = {
-    enable = true;
-    
-    server = "ldap://manager.hpc.informatik.hs-fulda.de/";
-    base = "dc=hpc,dc=informatik,dc=hs-fulda,dc=de";
+{ lib, config, nodes, ... }:
 
-    daemon.enable = true;
-  };
+with lib;
 
-  filesystem."home" = {
+{
+  fileSystems."home" = {
     mountPoint = "/home";
-    device = "manager.hpc.informatik.hs-fulda.de:/home";
+    device = "manager.${config.networking.domain}:/home";
     fsType = "nfs";
     options = [
       "nfsvers=4.2"
@@ -19,4 +14,21 @@
       "x-systemd.idle-timeout=600"
     ];
   };
+
+  services.openssh = {
+    extraConfig = ''
+      IgnoreRhosts no
+
+      Match Group cluster
+        HostbasedAuthentication yes
+        HostbasedAcceptedAlgorithms ssh-ed25519*
+        HostbasedUsesNameFromPacketOnly yes
+    '';
+  };
+
+  environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n"
+    (node: node.config.networking.fqdn)
+    (attrValues nodes);
+
+  users.groups."cluster" = { };
 }

modules/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
+    ./hostFile.nix
     ./beegfs.nix
   ];
 }

modules/hostFile.nix

@@ -0,0 +1,55 @@
+{ pkgs, lib, config, nodes, ... }:
+
+with lib;
+
+{
+  options.hpc.hostFile = {
+    addresses = mkOption {
+      description = ''
+        IP addresses of this host
+      '';
+      type = types.listOf types.str;
+      default =
+        let
+          interface = config.networking.interfaces.${config.networking.defaultGateway.interface};
+        in
+        concatLists [
+          (map (e: e.address) interface.ipv4.addresses)
+          (map (e: e.address) interface.ipv6.addresses)
+        ];
+    };
+
+    canonical = mkOption {
+      description = ''
+        Canonical host name
+      '';
+      type = types.str;
+      default = config.networking.fqdn;
+    };
+
+    aliases = mkOption {
+      description = ''
+        Aliases for this host
+      '';
+      type = types.listOf types.str;
+      default = [ ];
+    };
+
+    entries = mkOption {
+      description = ''
+        Host name entries for this host
+      '';
+      type = types.listOf types.str;
+      readOnly = true;
+      default = (singleton config.hpc.hostFile.canonical) ++ config.hpc.hostFile.aliases;
+    };
+  };
+
+  config = {
+    networking.hosts = listToAttrs (concatMap
+      (node: map
+        (address: nameValuePair address node.config.hpc.hostFile.entries)
+        node.config.hpc.hostFile.addresses)
+      (attrValues nodes));
+  };
+}

patches/openssh-keysign-check-remove.patch

@@ -0,0 +1,14 @@
+diff --git a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -2055,10 +2055,6 @@
+ 	*sigp = NULL;
+ 	*lenp = 0;
+ 
+-	if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
+-		error_f("not installed: %s", strerror(errno));
+-		return -1;
+-	}
+ 	if (fflush(stdout) != 0) {
+ 		error_f("fflush: %s", strerror(errno));
+ 		return -1;

shared/default.nix

@@ -1,9 +1,10 @@
-{ pkgs, modulesPath, ... }:
+{ pkgs, config, modulesPath, ... }:
 
 {
   imports = [
     ./network.nix
     ./users.nix
+    ./ssh.nix
 
     "${modulesPath}/profiles/headless.nix"
     "${modulesPath}/profiles/all-hardware.nix"
@@ -16,6 +17,11 @@
     age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
   };
 
+  gather = {
+    target = part: "gathered/${config.networking.hostName}/${part}";
+    root = ../.;
+  };
+
   time.timeZone = "Europe/Berlin";
   console.keyMap = "de";
 
@@ -26,5 +32,7 @@
     tmux
   ];
 
+  services.haveged.enable = true;
+
   system.stateVersion = "22.11";
 }

shared/ssh.nix

@@ -0,0 +1,23 @@
+{ lib, nodes, ... }:
+
+with lib;
+
+{
+  programs.ssh = {
+    # Add know-host entries for all machines in the cluster
+    knownHosts = mapAttrs
+      (name: node: {
+        hostNames = [
+          node.config.networking.hostName
+          node.config.networking.fqdn
+        ];
+        publicKeyFile = node.config.gather.parts."ssh/hostKey".path;
+      })
+      nodes;
+  };
+
+  gather.parts."ssh/hostKey" = {
+    name = "ssh_host_ed25519_key.pub";
+    file = "/etc/ssh/ssh_host_ed25519_key.pub";
+  };
+}

shared/users.nix

@@ -1,3 +1,12 @@
+{ lib, config, ... }:
+
+with lib;
+
+let
+  baseDN = concatMapStringsSep ","
+    (part: "dc=${part}")
+    (splitString "." config.networking.domain);
+in
 {
   users.mutableUsers = false;
 
@@ -8,4 +17,19 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
     ];
   };
+
+  users.ldap = {
+    enable = true;
+
+    server = "ldap://manager.${config.networking.domain}/";
+    base = baseDN;
+
+    daemon.enable = true;
+  };
+
+  users.users."fooker" = {
+    isNormalUser = true;
+    group = "cluster";
+    password = "asdasd123";
+  };
 }