From 78bd54ca804a3494257c57153520d49025804238 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Tue, 11 Dec 2012 17:29:34 +0100
Subject: [PATCH] Allow setting additional AuthorizedKeysFiles

Charon needs this to include the dynamically generated /root/.vbox-charon-client-key. (We used users.extraUsers.root.openssh.authorizedKeys.keyFiles for this, but that no longer works.)
---
 modules/services/networking/ssh/sshd.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 2bfddb2e986f..14570b76735f 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -186,6 +186,11 @@ in
 '';
 };
+ authorizedKeysFiles = mkOption {
+ default = [];
+ description = "Files from with authorized keys are read.";
+ };
+
 extraConfig = mkOption {
 default = "";
 description = "Verbatim contents of sshd_config.";
@@ -290,6 +295,9 @@ in
 networking.firewall.allowedTCPPorts = cfg.ports;
+ services.openssh.authorizedKeysFiles =
+ [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
+
 services.openssh.extraConfig =
 ''
 Protocol 2
@@ -320,7 +328,7 @@ in
 PasswordAuthentication ${if cfg.passwordAuthentication then "yes" else "no"}
 ChallengeResponseAuthentication ${if cfg.challengeResponseAuthentication then "yes" else "no"}
- AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /etc/ssh/authorized_keys.d/%u
+ AuthorizedKeysFile ${toString cfg.authorizedKeysFiles}
 '';
 assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
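Review bot: The new `authorizedKeysFiles` option in the first hunk declares no `type`, and its description has a typo and does not say how entries are interpreted. This list decides which files sshd trusts for public-key login, so I would declare it as a list of strings and state the contract, e.g. `description = "Files from which authorized keys are read. Relative entries are resolved against the user's home directory; sshd tokens such as %u are allowed.";`. The enclosing options set starts and ends outside the hunk.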
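Review bot: The second hunk sets the three stock paths as a config definition rather than as the option's `default`. Assuming the usual list merge, every other definition of `services.openssh.authorizedKeysFiles` is therefore combined with them, so a host can add key files but cannot drop the user-writable `.ssh/authorized_keys` and `.ssh/authorized_keys2` without overriding this definition. That matters for machines that should accept keys only from root-managed locations such as `/etc/ssh/authorized_keys.d/%u`. If the additive behaviour is intended (it appears to be what the Charon use case needs), I would say so in a comment above the assignment, e.g. `# Always included; entries defined elsewhere are added to these, not substituted.`. The enclosing config block starts and ends outside the hunk.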
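Review bot: `${toString cfg.authorizedKeysFiles}` in the third hunk joins the list with single spaces, so an entry that itself contains whitespace reaches sshd as several separate paths, and a list overridden to `[]` renders a bare `AuthorizedKeysFile` line. Neither case is caught at evaluation time. An extra entry in the `assertions` list that follows, such as `{ assertion = cfg.authorizedKeysFiles != []; message = "services.openssh.authorizedKeysFiles must not be empty"; }`, would surface the empty case before sshd reads the file; how sshd treats the bare directive is not shown here. The extraConfig string starts outside the hunk and the assertions list continues past its last line.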