Browse Source

SSH host based auth

main
Dustin Frisch 2 years ago
parent
commit
c9fd2e55be
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 2
      flake.nix
  2. 1
      gathered/manager/ssh_host_ed25519_key.pub
  3. 1
      gathered/node-00/ssh_host_ed25519_key.pub
  4. 5
      machines.nix
  5. 4
      machines/manager/cache.nix
  6. 1
      machines/manager/default.nix
  7. 4
      machines/manager/ldap.nix
  8. 4
      machines/manager/netinstall.nix
  9. 4
      machines/manager/network.nix
  10. 2
      machines/manager/nfs.nix
  11. 27
      machines/manager/users.nix
  12. 1
      machines/node/default.nix
  13. 32
      machines/node/users.nix
  14. 1
      modules/default.nix
  15. 55
      modules/hostFile.nix
  16. 14
      patches/openssh-keysign-check-remove.patch
  17. 10
      shared/default.nix
  18. 23
      shared/ssh.nix
  19. 24
      shared/users.nix

2
flake.nix

@ -69,6 +69,8 @@
let let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
colmena = inputs.colmena.defaultPackage.${system};
pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run { pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.; src = ./.;
hooks = { hooks = {

1
gathered/manager/ssh_host_ed25519_key.pub

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzkFbPeDhbSD7K+gJZ7peJYe36kyKKHsLnQWGTxJptq root@nixos

1
gathered/node-00/ssh_host_ed25519_key.pub

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos

5
machines.nix

@ -5,6 +5,8 @@ let
localSystem.system = "x86_64-linux"; localSystem.system = "x86_64-linux";
}; };
nrNodes = 1;
in in
with deploymentPkgs.lib; let with deploymentPkgs.lib; let
@ -31,7 +33,8 @@ with deploymentPkgs.lib; let
(i: nameValuePair (i: nameValuePair
"node-${fixedWidthNumber 2 i}" "node-${fixedWidthNumber 2 i}"
(mkMachine "node" { id = i; }) (mkMachine "node" { id = i; })
) 16));
)
nrNodes));
in in
{ {

4
machines/manager/cache.nix

@ -20,4 +20,8 @@
}; };
}; };
}; };
hpc.hostFile.aliases = [
"cache.${config.networking.domain}"
];
} }

1
machines/manager/default.nix

@ -10,6 +10,7 @@ with lib;
./network.nix ./network.nix
./nfs.nix ./nfs.nix
./ldap.nix ./ldap.nix
./users.nix
#./beegfs.nix #./beegfs.nix
./ntp.nix ./ntp.nix
#./gateway.nix #./gateway.nix

4
machines/manager/ldap.nix

@ -50,4 +50,8 @@ in
sops.secrets."ldap/root/password" = { sops.secrets."ldap/root/password" = {
owner = "openldap"; owner = "openldap";
}; };
hpc.hostFile.aliases = [
"ldap.${config.networking.domain}"
];
} }

4
machines/manager/netinstall.nix

@ -26,4 +26,8 @@
}; };
}; };
}; };
hpc.hostFile = [
"boot.${config.networking.domain}"
];
} }

4
machines/manager/network.nix

@ -10,4 +10,8 @@
address = "10.32.30.1"; address = "10.32.30.1";
interface = "enp11s0f0"; interface = "enp11s0f0";
}; };
networking.firewall.trustedInterfaces = [
"enp11s0f0"
];
} }

2
machines/manager/nfs.nix

@ -2,7 +2,7 @@
services.nfs.server = { services.nfs.server = {
enable = true; enable = true;
exports = '' exports = ''
/home node*.${config.networking.domain}(rw)
/home node-*.${config.networking.domain}(rw,no_root_squash)
''; '';
}; };
} }

27
machines/manager/users.nix

@ -0,0 +1,27 @@
{ pkgs, lib, config, ... }:
with lib;
{
programs.ssh = {
package = pkgs.openssh.overrideAttrs (final: prev: {
patches = prev.patches ++ [
../../patches/openssh-keysign-check-remove.patch
];
});
extraConfig = ''
EnableSSHKeysign yes
Host node-*.${config.networking.domain}
HostbasedAuthentication yes
'';
};
security.wrappers."ssh-keysign" = {
source = "${pkgs.openssh}/libexec/ssh-keysign";
setuid = true;
owner = "root";
group = "root";
};
}

1
machines/node/default.nix

@ -8,6 +8,7 @@ with lib;
./hardware.nix ./hardware.nix
./disk.nix ./disk.nix
./network.nix ./network.nix
./users.nix
]; ];
deployment = { deployment = {

32
machines/node/users.nix

@ -1,16 +1,11 @@
{
users.ldap = {
enable = true;
server = "ldap://manager.hpc.informatik.hs-fulda.de/";
base = "dc=hpc,dc=informatik,dc=hs-fulda,dc=de";
{ lib, config, nodes, ... }:
daemon.enable = true;
};
with lib;
filesystem."home" = {
{
fileSystems."home" = {
mountPoint = "/home"; mountPoint = "/home";
device = "manager.hpc.informatik.hs-fulda.de:/home";
device = "manager.${config.networking.domain}:/home";
fsType = "nfs"; fsType = "nfs";
options = [ options = [
"nfsvers=4.2" "nfsvers=4.2"
@ -19,4 +14,21 @@
"x-systemd.idle-timeout=600" "x-systemd.idle-timeout=600"
]; ];
}; };
services.openssh = {
extraConfig = ''
IgnoreRhosts no
Match Group cluster
HostbasedAuthentication yes
HostbasedAcceptedAlgorithms ssh-ed25519*
HostbasedUsesNameFromPacketOnly yes
'';
};
environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n"
(node: node.config.networking.fqdn)
(attrValues nodes);
users.groups."cluster" = { };
} }

1
modules/default.nix

@ -1,5 +1,6 @@
{ {
imports = [ imports = [
./hostFile.nix
./beegfs.nix ./beegfs.nix
]; ];
} }

55
modules/hostFile.nix

@ -0,0 +1,55 @@
{ pkgs, lib, config, nodes, ... }:
with lib;
{
options.hpc.hostFile = {
addresses = mkOption {
description = ''
IP addresses of this host
'';
type = types.listOf types.str;
default =
let
interface = config.networking.interfaces.${config.networking.defaultGateway.interface};
in
concatLists [
(map (e: e.address) interface.ipv4.addresses)
(map (e: e.address) interface.ipv6.addresses)
];
};
canonical = mkOption {
description = ''
Canonical host name
'';
type = types.str;
default = config.networking.fqdn;
};
aliases = mkOption {
description = ''
Aliases for this host
'';
type = types.listOf types.str;
default = [ ];
};
entries = mkOption {
description = ''
Host name entries for this host
'';
type = types.listOf types.str;
readOnly = true;
default = (singleton config.hpc.hostFile.canonical) ++ config.hpc.hostFile.aliases;
};
};
config = {
networking.hosts = listToAttrs (concatMap
(node: map
(address: nameValuePair address node.config.hpc.hostFile.entries)
node.config.hpc.hostFile.addresses)
(attrValues nodes));
};
}

14
patches/openssh-keysign-check-remove.patch

@ -0,0 +1,14 @@
diff --git a/sshconnect2.c b/sshconnect2.c
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -2055,10 +2055,6 @@
*sigp = NULL;
*lenp = 0;
- if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
- error_f("not installed: %s", strerror(errno));
- return -1;
- }
if (fflush(stdout) != 0) {
error_f("fflush: %s", strerror(errno));
return -1;

10
shared/default.nix

@ -1,9 +1,10 @@
{ pkgs, modulesPath, ... }:
{ pkgs, config, modulesPath, ... }:
{ {
imports = [ imports = [
./network.nix ./network.nix
./users.nix ./users.nix
./ssh.nix
"${modulesPath}/profiles/headless.nix" "${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/all-hardware.nix" "${modulesPath}/profiles/all-hardware.nix"
@ -16,6 +17,11 @@
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
}; };
gather = {
target = part: "gathered/${config.networking.hostName}/${part}";
root = ../.;
};
time.timeZone = "Europe/Berlin"; time.timeZone = "Europe/Berlin";
console.keyMap = "de"; console.keyMap = "de";
@ -26,5 +32,7 @@
tmux tmux
]; ];
services.haveged.enable = true;
system.stateVersion = "22.11"; system.stateVersion = "22.11";
} }

23
shared/ssh.nix

@ -0,0 +1,23 @@
{ lib, nodes, ... }:
with lib;
{
programs.ssh = {
# Add know-host entries for all machines in the cluster
knownHosts = mapAttrs
(name: node: {
hostNames = [
node.config.networking.hostName
node.config.networking.fqdn
];
publicKeyFile = node.config.gather.parts."ssh/hostKey".path;
})
nodes;
};
gather.parts."ssh/hostKey" = {
name = "ssh_host_ed25519_key.pub";
file = "/etc/ssh/ssh_host_ed25519_key.pub";
};
}

24
shared/users.nix

@ -1,3 +1,12 @@
{ lib, config, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." config.networking.domain);
in
{ {
users.mutableUsers = false; users.mutableUsers = false;
@ -8,4 +17,19 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
]; ];
}; };
users.ldap = {
enable = true;
server = "ldap://manager.${config.networking.domain}/";
base = baseDN;
daemon.enable = true;
};
users.users."fooker" = {
isNormalUser = true;
group = "cluster";
password = "asdasd123";
};
} }
Loading…
Cancel
Save