
SSH host based auth

main
Dustin Frisch 1 year ago
parent
commit
c9fd2e55be
No known key found for this signature in database GPG Key ID: B4C3BF012D9B26BE
  1. 2
      flake.nix
  2. 1
      gathered/manager/ssh_host_ed25519_key.pub
  3. 1
      gathered/node-00/ssh_host_ed25519_key.pub
  4. 5
      machines.nix
  5. 4
      machines/manager/cache.nix
  6. 1
      machines/manager/default.nix
  7. 4
      machines/manager/ldap.nix
  8. 4
      machines/manager/netinstall.nix
  9. 4
      machines/manager/network.nix
  10. 2
      machines/manager/nfs.nix
  11. 27
      machines/manager/users.nix
  12. 1
      machines/node/default.nix
  13. 32
      machines/node/users.nix
  14. 1
      modules/default.nix
  15. 55
      modules/hostFile.nix
  16. 14
      patches/openssh-keysign-check-remove.patch
  17. 10
      shared/default.nix
  18. 23
      shared/ssh.nix
  19. 24
      shared/users.nix

2
flake.nix

@ -69,6 +69,8 @@
let
pkgs = nixpkgs.legacyPackages.${system};
colmena = inputs.colmena.defaultPackage.${system};
pre-commit-hooks = inputs.pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {

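--- /dev/null
+++ b/gathered/manager/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILzkFbPeDhbSD7K+gJZ7peJYe36kyKKHsLnQWGTxJptq root@nixos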

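--- /dev/null
+++ b/gathered/node-00/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcyF+SJiS1f1j2Waa0Af2Mx4zxPHl6J3u9gaDMhE9Yv root@nixos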

5
machines.nix

@ -5,6 +5,8 @@ let
localSystem.system = "x86_64-linux";
};
nrNodes = 1;
in
with deploymentPkgs.lib; let
@ -31,7 +33,8 @@ with deploymentPkgs.lib; let
(i: nameValuePair
"node-${fixedWidthNumber 2 i}"
(mkMachine "node" { id = i; })
) 16));
)
nrNodes));
in
{

4
machines/manager/cache.nix

@ -20,4 +20,8 @@
};
};
};
hpc.hostFile.aliases = [
"cache.${config.networking.domain}"
];
}

1
machines/manager/default.nix

@ -10,6 +10,7 @@ with lib;
./network.nix
./nfs.nix
./ldap.nix
./users.nix
#./beegfs.nix
./ntp.nix
#./gateway.nix

4
machines/manager/ldap.nix

@ -50,4 +50,8 @@ in
sops.secrets."ldap/root/password" = {
owner = "openldap";
};
hpc.hostFile.aliases = [
"ldap.${config.networking.domain}"
];
}

4
machines/manager/netinstall.nix

@ -26,4 +26,8 @@
};
};
};
hpc.hostFile = [
"boot.${config.networking.domain}"
];
}
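Review bot: `hpc.hostFile = [ "boot.${config.networking.domain}" ];` assigns a list to the whole `hpc.hostFile` option set that modules/hostFile.nix declares (it has `addresses`, `canonical`, `aliases` and `entries` members), so module evaluation should reject it as a type mismatch. The sibling edits in machines/manager/cache.nix and machines/manager/ldap.nix use the sub-option; this one should read `hpc.hostFile.aliases = [`. The enclosing attribute set starts outside the hunk.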

4
machines/manager/network.nix

@ -10,4 +10,8 @@
address = "10.32.30.1";
interface = "enp11s0f0";
};
networking.firewall.trustedInterfaces = [
"enp11s0f0"
];
}
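Review bot: `networking.firewall.trustedInterfaces = [ "enp11s0f0" ];` disables filtering entirely on the cluster-facing interface, so every service listening on the manager (LDAP, NFS, the netinstall services and anything added later) becomes reachable from every node without further review. If only the cluster services are meant to be exposed, the per-interface form `networking.firewall.interfaces."enp11s0f0".allowedTCPPorts = [ ... ];` keeps the default-deny posture; otherwise a comment stating the intent at least makes the choice visible, e.g. `# enp11s0f0 is the cluster-internal link; all ports intentionally open to nodes`.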

2
machines/manager/nfs.nix

@ -2,7 +2,7 @@
services.nfs.server = {
enable = true;
exports = ''
/home node*.${config.networking.domain}(rw)
/home node-*.${config.networking.domain}(rw,no_root_squash)
'';
};
}
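Review bot: The rewritten export grants `no_root_squash` to every client matching `node-*.${config.networking.domain}`, so root on any node is root on the exported /home, and because exports are matched by the name the server resolves for the client address, that trust ultimately rests on DNS. If root access from the nodes is needed only for a specific task (creating home directories, for instance), a comment saying so would help the next reader: `# no_root_squash: <reason>; clients are matched by reverse DNS of the node address`. If the cluster network is a single subnet, an address-range export such as `10.32.30.0/24(rw,no_root_squash)` (mask to be confirmed against network.nix) would not depend on name resolution at all.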

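--- /dev/null
+++ b/machines/manager/users.nix
@@ -0,0 +1,27 @@
+{ pkgs, lib, config, ... }:
+with lib;
+{
+programs.ssh = {
+package = pkgs.openssh.overrideAttrs (final: prev: {
+patches = prev.patches ++ [
+../../patches/openssh-keysign-check-remove.patch
+];
+});
+extraConfig = ''
+EnableSSHKeysign yes
+Host node-*.${config.networking.domain}
+HostbasedAuthentication yes
+'';
+};
+security.wrappers."ssh-keysign" = {
+source = "${pkgs.openssh}/libexec/ssh-keysign";
+setuid = true;
+owner = "root";
+group = "root";
+};
+}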
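Review bot: The setuid `ssh-keysign` wrapper is built from `pkgs.openssh` while the client comes from the patched `programs.ssh.package`, so the two halves of host-based auth are taken from different derivations; `source = "${config.programs.ssh.package}/libexec/ssh-keysign";` keeps them in step (the patch only touches the client, so behaviour is unchanged today). The setuid bit lets every local account on the manager obtain signatures made with the manager's host key, which is exactly what allows it to log in to `node-*` under the same account name; a comment above `security.wrappers` such as `# setuid helper: any local user can authenticate to node-* as themselves using this host's key` would make that trust implication explicit. Why the client needs the patch at all is presumably tied to where the wrapper is installed versus the path compiled into OpenSSH; that reason belongs next to `package =` as well.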

1
machines/node/default.nix

@ -8,6 +8,7 @@ with lib;
./hardware.nix
./disk.nix
./network.nix
./users.nix
];
deployment = {

32
machines/node/users.nix

@ -1,16 +1,11 @@
{
users.ldap = {
enable = true;
server = "ldap://manager.hpc.informatik.hs-fulda.de/";
base = "dc=hpc,dc=informatik,dc=hs-fulda,dc=de";
{ lib, config, nodes, ... }:
daemon.enable = true;
};
with lib;
filesystem."home" = {
{
fileSystems."home" = {
mountPoint = "/home";
device = "manager.hpc.informatik.hs-fulda.de:/home";
device = "manager.${config.networking.domain}:/home";
fsType = "nfs";
options = [
"nfsvers=4.2"
@ -19,4 +14,21 @@
"x-systemd.idle-timeout=600"
];
};
services.openssh = {
extraConfig = ''
IgnoreRhosts no
Match Group cluster
HostbasedAuthentication yes
HostbasedAcceptedAlgorithms ssh-ed25519*
HostbasedUsesNameFromPacketOnly yes
'';
};
environment.etc."ssh/shosts.equiv".text = concatMapStringsSep "\n"
(node: node.config.networking.fqdn)
(attrValues nodes);
users.groups."cluster" = { };
}
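Review bot: `IgnoreRhosts no` re-enables per-user `~/.shosts` and `~/.rhosts` files, which lets any account widen host-based trust for itself from a home directory that is NFS-mounted from the manager; since `/etc/ssh/shosts.equiv` already lists every cluster host, the default `IgnoreRhosts yes` gives the same functionality with the trust list kept in configuration only. `HostbasedUsesNameFromPacketOnly yes` makes sshd accept the host name the client claims without a reverse lookup, so the check reduces to "presents a host key listed in /etc/ssh/ssh_known_hosts for that name"; that is acceptable while `programs.ssh.knownHosts` holds only cluster machines, but deserves a comment such as `# name is taken from the client; trust is bounded by ssh_known_hosts, not DNS`. The generated shosts.equiv also includes the manager and the node itself, which looks intentional for manager-to-node logins but is worth stating in a comment.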

1
modules/default.nix

@ -1,5 +1,6 @@
{
imports = [
./hostFile.nix
./beegfs.nix
];
}

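--- /dev/null
+++ b/modules/hostFile.nix
@@ -0,0 +1,55 @@
+{ pkgs, lib, config, nodes, ... }:
+with lib;
+{
+options.hpc.hostFile = {
+addresses = mkOption {
+description = ''
+IP addresses of this host
+'';
+type = types.listOf types.str;
+default =
+let
+interface = config.networking.interfaces.${config.networking.defaultGateway.interface};
+in
+concatLists [
+(map (e: e.address) interface.ipv4.addresses)
+(map (e: e.address) interface.ipv6.addresses)
+];
+};
+canonical = mkOption {
+description = ''
+Canonical host name
+'';
+type = types.str;
+default = config.networking.fqdn;
+};
+aliases = mkOption {
+description = ''
+Aliases for this host
+'';
+type = types.listOf types.str;
+default = [ ];
+};
+entries = mkOption {
+description = ''
+Host name entries for this host
+'';
+type = types.listOf types.str;
+readOnly = true;
+default = (singleton config.hpc.hostFile.canonical) ++ config.hpc.hostFile.aliases;
+};
+};
+config = {
+networking.hosts = listToAttrs (concatMap
+(node: map
+(address: nameValuePair address node.config.hpc.hostFile.entries)
+node.config.hpc.hostFile.addresses)
+(attrValues nodes));
+};
+}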
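Review bot: The `addresses` default dereferences `config.networking.defaultGateway.interface`, but `networking.defaultGateway` is null unless a machine sets it (and its `interface` may itself be null or name an interface absent from `networking.interfaces`), so a single node without a default gateway makes `networking.hosts` fail to evaluate for the whole deployment, because the `config` block folds every node's addresses. Guarding the lookup and falling back to an empty list keeps such a host out of the generated table instead of breaking evaluation; the other option declarations and the `config` block stay as they are.
```nix
addresses = mkOption {
  description = ''
    IP addresses of this host
  '';
  type = types.listOf types.str;
  # Fall back to no addresses when the host has no default gateway, the
  # gateway names no interface, or that interface is not declared, so one
  # such node cannot break evaluation of networking.hosts everywhere.
  default =
    let
      gw = config.networking.defaultGateway;
      known = gw != null && gw.interface != null
        && hasAttr gw.interface config.networking.interfaces;
    in
    if !known then [ ]
    else
      let
        interface = config.networking.interfaces.${gw.interface};
      in
      concatLists [
        (map (e: e.address) interface.ipv4.addresses)
        (map (e: e.address) interface.ipv6.addresses)
      ];
};
# … unchanged: canonical, aliases, entries options and the config block …
```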

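--- /dev/null
+++ b/patches/openssh-keysign-check-remove.patch
@@ -0,0 +1,14 @@
+diff --git a/sshconnect2.c b/sshconnect2.c
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -2055,10 +2055,6 @@
+*sigp = NULL;
+*lenp = 0;
+- if (stat(_PATH_SSH_KEY_SIGN, &st) == -1) {
+- error_f("not installed: %s", strerror(errno));
+- return -1;
+- }
+if (fflush(stdout) != 0) {
+error_f("fflush: %s", strerror(errno));
+return -1;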
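Review bot: The patch carries no header explaining why the `stat(_PATH_SSH_KEY_SIGN)` guard is removed, and the removal only drops the early "not installed" diagnostic; in upstream OpenSSH the same compiled-in path is executed a few lines further down (outside the quoted hunk), so presumably the build's `_PATH_SSH_KEY_SIGN` differs from where the setuid wrapper in machines/manager/users.nix is installed, and that is the fact a reader needs. A description above `diff --git`, stating what fails without the patch and which OpenSSH version it was written against, would let the next upgrade re-evaluate whether it is still needed. Judging by `*sigp`/`*lenp`, the surrounding function is `ssh_keysign()`; it begins and ends outside the hunk.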

10
shared/default.nix

@ -1,9 +1,10 @@
{ pkgs, modulesPath, ... }:
{ pkgs, config, modulesPath, ... }:
{
imports = [
./network.nix
./users.nix
./ssh.nix
"${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/all-hardware.nix"
@ -16,6 +17,11 @@
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
};
gather = {
target = part: "gathered/${config.networking.hostName}/${part}";
root = ../.;
};
time.timeZone = "Europe/Berlin";
console.keyMap = "de";
@ -26,5 +32,7 @@
tmux
];
services.haveged.enable = true;
system.stateVersion = "22.11";
}

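--- /dev/null
+++ b/shared/ssh.nix
@@ -0,0 +1,23 @@
+{ lib, nodes, ... }:
+with lib;
+{
+programs.ssh = {
+# Add know-host entries for all machines in the cluster
+knownHosts = mapAttrs
+(name: node: {
+hostNames = [
+node.config.networking.hostName
+node.config.networking.fqdn
+];
+publicKeyFile = node.config.gather.parts."ssh/hostKey".path;
+})
+nodes;
+};
+gather.parts."ssh/hostKey" = {
+name = "ssh_host_ed25519_key.pub";
+file = "/etc/ssh/ssh_host_ed25519_key.pub";
+};
+}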
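Review bot: The comment `# Add know-host entries for all machines in the cluster` has a typo and undersells what the list does: `programs.ssh.knownHosts` is written to `/etc/ssh/ssh_known_hosts`, which the nodes' sshd also consults when verifying `HostbasedAuthentication`, so the gathered `ssh_host_ed25519_key.pub` files committed to this repository are the trust root for password-less cluster logins. Suggested wording: `# Known-host entries for every cluster machine. sshd also uses this list to verify host-based auth, so the gathered .pub files under gathered/<host>/ are the trust anchor.` The entries name only `hostName` and `fqdn`, so a client connecting by IP address still gets the unknown-host prompt.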

24
shared/users.nix

@ -1,3 +1,12 @@
{ lib, config, ... }:
with lib;
let
baseDN = concatMapStringsSep ","
(part: "dc=${part}")
(splitString "." config.networking.domain);
in
{
users.mutableUsers = false;
@ -8,4 +17,19 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
];
};
users.ldap = {
enable = true;
server = "ldap://manager.${config.networking.domain}/";
base = baseDN;
daemon.enable = true;
};
users.users."fooker" = {
isNormalUser = true;
group = "cluster";
password = "asdasd123";
};
}
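Review bot: `password = "asdasd123";` puts a cleartext password into the Nix expression, from where it lands in the world-readable Nix store and stays in repository history; with `users.mutableUsers = false` it is also the only credential for `fooker`, a member of the `cluster` group to which the nodes grant host-based logins. The repository already manages secrets with sops (`sops.secrets."ldap/root/password"` in machines/manager/ldap.nix), so `passwordFile = config.sops.secrets."<secret-name>".path;` pointing at a hashed password keeps it out of the store (`hashedPasswordFile` on newer NixOS). The LDAP client is also configured to bind over plain `ldap://`; if the directory supports it, `ldaps://` or StartTLS avoids directory traffic in clear on the cluster network.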