Tunnel-only user for SSH on NixOS

I really enjoy reading Solène's website and I stumbled upon one of her posts again while reading more about SSH tunneling. In this post, she talks about setting up a dedicated user for SSH tunneling only on OpenBSD¹. Of course, as a Nix user, I have to show you how easy it is to do the same on NixOS.

Generating ssh keys

Well, this process is the same on NixOS. You use ssh-keygen just as usual; in this case I will generate an ed25519 key:

$ ssh-keygen -t ed25519

Adding a user

This is the fun part: NixOS provides a set of modules to configure users in a declarative manner. Let's leverage it to create a user that has neither shell access nor a home directory. The shell is set to nologin, so even if someone holding the key asks for a shell or a command, sshd runs nologin and the session ends; only port forwarding remains useful to this account:

users.groups.tunnel = { };
users.users.tunnel = {
  group = "tunnel";
  isSystemUser = true;
  shell = "${pkgs.shadow}/bin/nologin";
  createHome = false;
  openssh.authorizedKeys.keys = [ "<your-ssh-key>" ];
};
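The module above relies entirely on nologin to keep the account harmless, and it still lets the key forward to any host and port the server can reach. The following version is an added example for this post, not code from Solène's article or from the NixOS manual: it keeps the same user but pins the key down with authorized_keys options and adds a matching sshd Match block, so the tunnel user can only open local forwards to localhost:993 (the IMAPS port from the ssh command below; swap in whatever you tunnel). It assumes the standard OpenSSH option names and that NixOS appends services.openssh.extraConfig after the global directives, which is where a Match block has to sit.

```nix
{ pkgs, ... }:
{
  users.groups.tunnel = { };
  users.users.tunnel = {
    group = "tunnel";
    isSystemUser = true;
    shell = "${pkgs.shadow}/bin/nologin";
    createHome = false;
    openssh.authorizedKeys.keys = [
      # authorized_keys options, evaluated per key:
      #  - `restrict` switches off pty allocation, agent/X11 forwarding,
      #    port forwarding and ~/.ssh/rc in one go;
      #  - `port-forwarding` re-enables only port forwarding;
      #  - `permitopen` limits the destinations this key may forward to.
      # <your-ssh-key> is the placeholder from the post; paste the public key there.
      "restrict,port-forwarding,permitopen=\"localhost:993\" <your-ssh-key>"
    ];
  };

  # Server-side limits that hold regardless of what ends up in authorized_keys.
  # Match blocks must follow the global sshd directives, so they go in
  # extraConfig (assumption: NixOS places extraConfig at the end of sshd_config).
  services.openssh.extraConfig = ''
    Match User tunnel
      AllowTcpForwarding local
      PermitOpen localhost:993
      PermitTTY no
      AllowAgentForwarding no
      X11Forwarding no
  '';
}
```

With this in place, `ssh -N -L 10000:localhost:993 tunnel@host` still works, while a `-L` to any other destination or a `-R` remote forward is refused by sshd ("administratively prohibited" in the client log when you pass -v). The two layers are deliberately redundant: the key options protect you if someone loosens the Match block later, and the Match block protects you if a second, unrestricted key is ever added to the account.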

Connect using SSH

Again, this is the same on NixOS and non-NixOS clients. The key part here is the -N flag: it tells ssh not to request a remote shell or command, so nologin is never executed and only the port forwarding is set up:

$ ssh -N -L 10000:localhost:993 tunnel@host

A quick check that the account really is shell-less: run the same command without -N. The connection is accepted, nologin prints "This account is currently not available." and the session closes immediately.

1. I need to try OpenBSD sometime in the future, by the way.