From f87da5107b0687e99e88e650be84cbf7bf42abcf Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sat, 10 Feb 2024 15:51:43 -0800
Subject: [PATCH] chore(hakurei): disable ssh password auth
---
 systems/hakurei/reisen-ssh.nix | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix
index 4366d304..73fbb0e2 100644
--- a/systems/hakurei/reisen-ssh.nix
+++ b/systems/hakurei/reisen-ssh.nix
@@ -4,7 +4,7 @@
 lib,
 ...
 }: let
- inherit (lib.modules) mkAfter;
+ inherit (lib.modules) mkAfter mkForce;
 sshPort = 41022;
 username = "tf-proxmox";
 sshJump = pkgs.writeShellScript "ssh-jump-${username}" ''
@@ -28,15 +28,14 @@ in {
 services.openssh = {
 ports = mkAfter [ sshPort ];
- settings = {
- KbdInteractiveAuthentication = true;
- PasswordAuthentication = true;
- };
 extraConfig = mkAfter ''
 Match User ${username}
+ KbdInteractiveAuthentication yes
 ForceCommand ${sshJump}
 '';
 };
+ # required for kbd or password authentication
+ security.pam.services.sshd.unixAuth = mkForce true;
 networking.firewall.allowedTCPPorts = [ sshPort ];
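Review bot: After the `settings = { … }` block is dropped from `services.openssh`, nothing in this file says what the global `PasswordAuthentication` and `KbdInteractiveAuthentication` values are, so password logins are only off for other accounts if some module outside this patch sets them to false. That matters more now because `security.pam.services.sshd.unixAuth = mkForce true;` applies to the whole sshd PAM service rather than only to `Match User ${username}`. I would keep the block and pin it to `settings.KbdInteractiveAuthentication = false;` and `settings.PasswordAuthentication = false;`, leaving the per-user `KbdInteractiveAuthentication yes` as the single exception. The comment above `unixAuth` could also record why `mkForce` is needed, e.g. `# sshd's PAM unixAuth presumably follows the global password setting; force it on for the Match block above`.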