Commit 97b5937d23c5

Vincent Demeester <vincent@sbr.pm>
2026-01-29 21:26:52
fix(sshd): add FIDO2/security key algorithms to PubkeyAcceptedKeyTypes
Add sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com to allow Yubikey-based SSH authentication. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 8df0fab
Changed files (1)
systems/common/services/openssh.nix
@@ -13,8 +13,8 @@ _: {
       extraConfig = ''
         StreamLocalBindUnlink yes
 
-        # Only allow strong key types (Ed25519, ECDSA for Yubikeys, RSA fallback)
-        PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
+        # Only allow strong key types (Ed25519, ECDSA, RSA, plus FIDO2/security key variants)
+        PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
       '';
     };
     sshguard.enable = true;
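Review bot: The new PubkeyAcceptedKeyTypes line admits the two FIDO2 key algorithms but not their certificate forms, so a CA-signed certificate bound to a security key would still be refused; since the list already carries ssh-ed25519-cert-v01@openssh.com, certificates appear to be in use here, and the matching `sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com` entries belong next to the plain sk types if that is intended. PubkeyAcceptedKeyTypes is also the deprecated alias of PubkeyAcceptedAlgorithms in current OpenSSH, so the new line could use the current name. Accepting sk algorithms only restricts the key format; whether a touch or PIN is required is governed separately, so if presence or user verification is part of the policy, `PubkeyAuthOptions touch-required` (or `verify-required`) should accompany this change. The enclosing module (`_: {`) and the services block begin outside the hunk.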