From d1b79da77cc0c1979755dde9cc5a48b5ca00ba75 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 25 May 2023 16:53:59 +0100
Subject: [PATCH] ldap: only allow ssh key login on linux servers
---
 applications/ldap_client.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/applications/ldap_client.nix b/applications/ldap_client.nix
index b753a93..1bf92f2 100644
--- a/applications/ldap_client.nix
+++ b/applications/ldap_client.nix
@@ -54,6 +54,16 @@
 # give users a home dir
 security.pam.services.sshd.makeHomeDir = true;
+ services.openssh = {
+ # only allow ssh keys
+ passwordAuthentication = false;
+
+ # tell users where tehy cna setup their ssh key
+ banner = ''
+ If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
+ '';
+ };
+
 services.sssd = {
 enable = true;
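Review bot: Keyboard-interactive authentication is still offered after this change, as the banner's own quoted error `Permission denied (publickey,keyboard-interactive)` shows, so `passwordAuthentication = false` alone may not make the host key-only. Where sshd authenticates through PAM and sssd, an LDAP password could still be accepted over that method, although whether it is depends on PAM configuration outside this hunk. If key-only login is the intent, add `kbdInteractiveAuthentication = false;` to the `services.openssh` block (on newer nixpkgs the option is `settings.KbdInteractiveAuthentication`) and confirm the effective settings with `sshd -T` on a deployed host. The comment above `banner` also has typos and should read `# tell users where they can set up their ssh key`.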