diff --git a/morph/grid/local/public-keys/users.nix.example b/morph/grid/local/public-keys/users.nix.example
index 10a60be1f7b8760e81f7fdb6ecd1d177913e05af..4e4794de770437fb14e666d7b538a3d481c38eb7 100644
--- a/morph/grid/local/public-keys/users.nix.example
+++ b/morph/grid/local/public-keys/users.nix.example
@@ -1,6 +1,11 @@
+let
 # Add your public key. Example:
-# let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+# key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
 # You can use the following to get key from the local machine.
-# let key = builtins.readFile ~/.ssh/id_ed25519.pub;
-let key = undefined;
-in { "root" = key; "vagrant" = key; }
+# key = builtins.readFile ~/.ssh/id_ed25519.pub;
+ key = undefined;
+ keys = [key]
+in {
+ "root" = keys;
+ "vagrant" = keys;
+}
diff --git a/morph/grid/production/public-keys/users.nix b/morph/grid/production/public-keys/users.nix
index 8b586703740765b7a3d462e74ca3ef3cced68da7..9dcc90ea0efb3c927915d441e77c9af2459303e4 100644
--- a/morph/grid/production/public-keys/users.nix
+++ b/morph/grid/production/public-keys/users.nix
@@ -1,2 +1,6 @@
-let key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom";
-in { "root" = key; "jcalderone" = key; }
+let
+ jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGN4VQm3BIQKEFTw6aPrEwNuShf640N+Py2LOKznFCRT exarkun@bottom"];
+in {
+ "root" = jcalderone;
+ "jcalderone" = jcalderone;
+}
diff --git a/morph/grid/testing/public-keys/users.nix b/morph/grid/testing/public-keys/users.nix
index d6a965011065cfe39713adfb797c190eb8dd1ecd..14647efb7d04d39f8201c03b542191f7e86f35c2 100644
--- a/morph/grid/testing/public-keys/users.nix
+++ b/morph/grid/testing/public-keys/users.nix
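Review bot: `keys = [key]` on the new side of the users.nix.example hunk is missing the semicolon Nix requires after every let binding, so anyone copying this example hits a parse error at `in` before they even get to replace the placeholder; change it to `keys = [key];`. `key = undefined;` presumably stays as the deliberate placeholder that fails evaluation until a real public key is filled in, which is fine as long as the file parses. The `key`/`keys` indirection could also be dropped by assigning the list directly, `key = [ "ssh-ed25519 ..." ];`, which keeps the example in the same shape as the production and testing files changed in this commit.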
@@ -1,6 +1,6 @@
 let
- jcalderone = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon";
- flo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la";
+ jcalderone = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4GenAY/YLGuf1WoMXyyVa3S9i4JLQ0AG+pt7nvcLlQ exarkun@baryon"];
+ flo = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHx7wJQNqKn8jOC4AxySRL2UxidNp7uIK9ad3pMb1ifF flo@fs-la"];
 in {
 "root" = jcalderone;
diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index eb55fbf2ee4d3e6c04dd08039a8a9f9012f069b8..8d5d5766ae3b30c4801b6ce200fa58c1460f6ca7 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -6,7 +6,7 @@
 }: {
 options = {
 services.private-storage.sshUsers = lib.mkOption {
- type = lib.types.attrsOf lib.types.str;
+ type = lib.types.attrsOf (lib.types.listOf lib.types.str);
 example = { root = "ssh-ed25519 AAA..."; };
 description = ''
 Users to configure on the issuer server and the storage servers and
@@ -44,9 +44,9 @@
 };
 users.users =
- let makeUserConfig = username: sshPublicKey: {
+ let makeUserConfig = username: sshPublicKeys: {
 isNormalUser = username != "root";
- openssh.authorizedKeys.keys = [ sshPublicKey ];
+ openssh.authorizedKeys.keys = sshPublicKeys;
 };
 in builtins.mapAttrs makeUserConfig cfg.sshUsers;
 };
diff --git a/nixos/tests/private-storage.nix b/nixos/tests/private-storage.nix
index eaff1ed5320607e6aabc94226804aea4b7186b0a..b17b8f32ed494c0823f349166f9a28f1e3dcb876 100644
--- a/nixos/tests/private-storage.nix
+++ b/nixos/tests/private-storage.nix
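Review bot: The `example` attribute in the first ssh.nix hunk still shows a bare string, `example = { root = "ssh-ed25519 AAA..."; };`, which no longer matches the new `attrsOf (listOf str)` type and will mislead anyone reading the option docs; it should read `example = { root = [ "ssh-ed25519 AAA..." ]; };`. The option `description` begins in this hunk and continues outside it, so its wording about the per-user value should be checked for the same singular-to-list change. In the second hunk, `makeUserConfig` now passes the list straight through to `openssh.authorizedKeys.keys`, so an empty list presumably yields an account with no authorized keys rather than an evaluation error; if every configured user is expected to have at least one key, `lib.types.nonEmptyListOf lib.types.str` would catch that at evaluation time.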
@@ -2,12 +2,12 @@
 let
 ourpkgs = pkgs.callPackage ../pkgs { };
- sshPrivateKey = ./probeuser_ed25519;
- sshPublicKey = ./probeuser_ed25519.pub;
+ sshPrivateKeyFile = ./probeuser_ed25519;
+ sshPublicKeyFile = ./probeuser_ed25519.pub;
 sshUsers = {
- root = (builtins.readFile sshPublicKey);
- probeuser = (builtins.readFile sshPublicKey);
+ root = [(builtins.readFile sshPublicKeyFile)];
+ probeuser = [(builtins.readFile sshPublicKeyFile)];
 };
 # This is a test double of the Stripe API server. It is extremely simple.
@@ -157,7 +157,7 @@ in {
 testScript = ourpkgs.lib.testing.makeTestScript {
 testpath = ./test_privatestorage.py;
 kwargs = {
- inherit sshPrivateKey pemFile introducerPort introducerFURL issuerURL ristrettoPublicKey voucher;
+ inherit sshPrivateKeyFile pemFile introducerPort introducerFURL issuerURL ristrettoPublicKey voucher;
 # Supply some helper programs to help the tests stay a bit higher level.
 run_introducer = ./run-introducer.py;
diff --git a/nixos/tests/test_privatestorage.py b/nixos/tests/test_privatestorage.py
index dc060d51f1815f549485d3415b3b3af97d5c79af..e1f34fa4f1b0f603168fe825871d8cb81f52d8ce 100644
--- a/nixos/tests/test_privatestorage.py
+++ b/nixos/tests/test_privatestorage.py
@@ -13,20 +13,20 @@ def runOnNode(node, argv):
 introducer.log(output)
 raise
-def ssh(username, sshPrivateKey, hostname):
+def ssh(username, sshPrivateKeyFile, hostname):
 """
 Generate a command which can be used with runOnNode to ssh to the given host.
 """
 return [
- "cp", sshPrivateKey, "/tmp/ssh_key", ";",
+ "cp", sshPrivateKeyFile, "/tmp/ssh_key", ";",
 "chmod", "0400", "/tmp/ssh_key", ";",
 "ssh", "-oStrictHostKeyChecking=no", "-i", "/tmp/ssh_key",
 "{username}@{hostname}".format(username=username, hostname=hostname),
 ":",
 ]
 def test(
- sshPrivateKey,
+ sshPrivateKeyFile,
 pemFile,
 run_introducer,
 run_client,
@@ -60,11 +60,11 @@ def test(
 # doesn't prove it is so but if it fails it's a pretty good indication
 # it isn't so.
 storage.wait_for_open_port(22)
- runOnNode(issuer, ssh("probeuser", sshPrivateKey, "storage"))
- runOnNode(issuer, ssh("root", sshPrivateKey, "storage"))
+ runOnNode(issuer, ssh("probeuser", sshPrivateKeyFile, "storage"))
+ runOnNode(issuer, ssh("root", sshPrivateKeyFile, "storage"))
 issuer.wait_for_open_port(22)
- runOnNode(storage, ssh("probeuser", sshPrivateKey, "issuer"))
- runOnNode(storage, ssh("root", sshPrivateKey, "issuer"))
+ runOnNode(storage, ssh("probeuser", sshPrivateKeyFile, "issuer"))
+ runOnNode(storage, ssh("root", sshPrivateKeyFile, "issuer"))
 # Set up a Tahoe-LAFS introducer.
 introducer.copy_from_host(pemFile, '/tmp/node.pem')