Question about the SSH key authorization mechanism #62

Closed
opened 2025-12-29 04:21:13 +01:00 by adam · 1 comment
Originally created by @wicsp on GitHub (Oct 28, 2025).

I wonder how I can ssh to a machine as a normal user?

In `vars/default.nix`, it sets the keys from the users on the different hosts as `mainSshAuthorizedKeys`, and sets the super key `romantic` as `secondaryAuthorizedKeys`, as follows:

```nix
  mainSshAuthorizedKeys = [
    # The main ssh keys for daily usage
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwoI5MAogEa726jwwHL5EgM1X/i2A5d2pgV7i7t8fzB ryan@shoukei"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDc1PNTXzzvd93E+e9LXvnEzqgUI5gMTEF/IitvzgmL+ ryan@frieren"
  ];
  secondaryAuthorizedKeys = [
    # the backup ssh keys for disaster recovery
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzYT0Fpcp681eHY5FJV2G8Mve53iX3hMOLGbVvfL+TF ryan@romantic"
  ];
```

In `modules/base/users.nix`, it only allows the `mainSshAuthorizedKeys` for ssh.

```nix
  users.users.${myvars.username} = {
    description = myvars.userfullname;
    # Public Keys that can be used to login to all my PCs, Macbooks, and servers.

    openssh.authorizedKeys.keys = myvars.mainSshAuthorizedKeys;
  };
```

But in `home/base/tui/ssh.nix`, it sets `/etc/agenix/ssh-key-romantic` as the default identityFile for all the hosts in the local network.

```nix
      "192.168.*" = {
        # "allow to securely use local SSH agent to authenticate on the remote machine."
        # "It has the same effect as adding cli option `ssh -A user@host`"
        forwardAgent = true;
        # "romantic holds my homelab~"
        identityFile = "/etc/agenix/ssh-key-romantic";
        identitiesOnly = true;
      };
```

When I try to ssh to a host in the local network as a normal user (`ryan` in this repo), it automatically selects `/etc/agenix/ssh-key-romantic`, and openssh refuses to connect because it only accepts `mainSshAuthorizedKeys`.

Did I misunderstand?

adam closed this issue 2025-12-29 04:21:13 +01:00
@ryan4yin commented on GitHub (Nov 4, 2025):

The behaviour you see is exactly what the config is designed to do:

  1. Only the keys listed in `mainSshAuthorizedKeys` are accepted for the normal user (`ryan`).
    The `secondaryAuthorizedKeys` (a.k.a. the “romantic” key) is not in that list, so the server rightfully rejects it.

  2. The `root` account, on the other hand, does get both key sets (`modules/nixos/base/user-group.nix`):

```nix
    users.users.root.openssh.authorizedKeys.keys =
      myvars.mainSshAuthorizedKeys ++ myvars.secondaryAuthorizedKeys;
```

    so the romantic key works only when you log in as `root`.

  3. The host aliases defined in `vars/networking.nix` don’t specify an `identityFile`, so the client is free to use any keys in ssh-agent when logging in via host aliases.

In short: the romantic key is intentionally restricted to `root`, not for daily use.
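To make the three points above concrete, here is an added simulation (not code from the repository or from either participant) of how the client-side ssh_config resolution of the `192.168.*` block and the per-account authorized-key sets interact. The ssh_config text is the OpenSSH rendering of the Nix block quoted in the issue; the key comments stand in for the full public keys, and the identity-file contents and agent state are constructed assumptions.

```python
import fnmatch

# Client-side ssh_config equivalent of the home/base/tui/ssh.nix block quoted above
# (constructed for this example; the Nix options render to these OpenSSH keywords).
SSH_CONFIG = """
Host 192.168.*
    ForwardAgent yes
    IdentityFile /etc/agenix/ssh-key-romantic
    IdentitiesOnly yes
"""

# Server-side authorized keys per account, modelled on vars/default.nix and the
# root rule quoted in the comment. Key comments stand in for the full public keys.
MAIN_KEYS = {"ryan@idols-ai", "ryan@shoukei", "ryan@frieren"}
SECONDARY_KEYS = {"ryan@romantic"}
AUTHORIZED = {"ryan": MAIN_KEYS, "root": MAIN_KEYS | SECONDARY_KEYS}

# Client-side state (constructed assumptions): which key each identity file
# holds, and what the local ssh-agent currently has loaded.
KEY_FILES = {"/etc/agenix/ssh-key-romantic": "ryan@romantic",
             "~/.ssh/id_ed25519": "ryan@idols-ai"}
AGENT_KEYS = {"ryan@idols-ai"}

def resolve(config, host):
    """Mimic ssh_config resolution: a Host block applies when one of its patterns
    matches the target, and for each keyword the first value obtained wins."""
    opts, active = {}, True
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, val = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in val.split())
        elif active:
            opts.setdefault(key, val.strip())  # earlier blocks take precedence
    return opts

def offered_keys(opts):
    """Keys the client will offer: the configured IdentityFile, plus agent keys
    unless IdentitiesOnly restricts it to the explicit file."""
    ident = opts.get("identityfile")
    keys = {KEY_FILES[ident]} if ident in KEY_FILES else set()
    if opts.get("identitiesonly", "no").lower() == "yes":
        return keys
    return keys | AGENT_KEYS

def can_login(user, host, config=SSH_CONFIG):
    """True when at least one offered key is in the account's authorized set."""
    return bool(offered_keys(resolve(config, host)) & AUTHORIZED.get(user, set()))
```

Because ssh_config keeps the first value it obtains per keyword, a more specific `Host` block placed before `192.168.*` is enough to make a daily key win for the hosts it matches while leaving the romantic key for the rest.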


Reference: starred/nix-config-ryan4yin#62