Harden ssh config defaults and remove old host key support #31763
Conversation
jeaye
changed the title
| @@ -363,14 +358,21 @@ in | |||
| HostKey ${k.path} | |||
| '')} | |||
|
|
|||
| # Allow DSA client keys for now. (These were deprecated | |||
| # in OpenSSH 7.0.) | |||
| PubkeyAcceptedKeyTypes +ssh-dss | |||
There was a problem hiding this comment.
This should be mentioned in the release notes. Otherwise people might get locked out.
UPDATE maybe this was already removed in openssh.
There was a problem hiding this comment.
Yep, this is important to mention in the release notes. I don't think it's been fully removed yet, just deprecated.
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option:
There was a problem hiding this comment.
can be found here: nixos/doc/manual/release-notes/rl-1803.xml
There was a problem hiding this comment.
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index c1fe692cee..8bc9cd9133 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,16 @@ following incompatible changes:</para>
<option>services.pgmanage</option>.
</para>
</listitem>
+ <listitem>
+ <para>
+ The OpenSSH service no longer enables support for DSA keys by default,
+ which could cause a system lock out. DSA support was
+ <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+ due to it being too weak. To re-enable support, add
+ <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+ <option>services.openssh.extraConfig</option>.
+ </para>
+ </listitem>
</itemizedlist>
</section>Look reasonable?
| @@ -54,8 +54,6 @@ let | |||
| )); | |||
| in listToAttrs (map mkAuthKeyFile usersWithKeys); | |||
|
|
|||
| supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07"; | |||
There was a problem hiding this comment.
In the release notes, after fixing their host keys, they can safely change their state version from anything prior to 17.03, to 17.03, as vetted here: https://search.nix.gsc.io/?q=stateVersion
Since ssh-dss is no longer supported by default, users relying on those keys for their login may be locked out. They should ideally use stronger keys, but adding the support for ssh-dss back in can also be done through extraConfig.
|
Anything more needed on this? |
|
Thank you for this, LGTM |
|
@jeaye thanks. |
|
@jpierre03 Yes indeed. I'd like very much to see more things like this become (available) defaults in NixOS. |
Motivation for this change
To better harden the SSH service by default. This was originally mentioned by @jpierre03 here: #20161 (comment) -- I'm just looking to get the ball rolling.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)Things to note
This breaks backward compatibility with anyone using
supportOldHostKeys. If people want that, I thinkextraConfigwill do the trick.