Harden ssh config defaults and remove old host key support #31763
@@ -363,14 +358,21 @@ in | |||
HostKey ${k.path} | |||
'')} | |||
|
|||
# Allow DSA client keys for now. (These were deprecated | |||
# in OpenSSH 7.0.) | |||
PubkeyAcceptedKeyTypes +ssh-dss |
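Review bot: dropping `PubkeyAcceptedKeyTypes +ssh-dss` (the last lines of this hunk) makes sshd fall back to the upstream default, which on OpenSSH 7.0 and later does not include ssh-dss, so any account whose only authorized key is a DSA key loses access at the next sshd restart. That is a behaviour change for existing installs and needs a release-note entry telling users to add a non-DSA key to their authorized_keys before upgrading, with `PubkeyAcceptedKeyTypes +ssh-dss` in services.openssh.extraConfig as the fallback for those who cannot.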
This should be mentioned in the release notes. Otherwise people might get locked out.
UPDATE: maybe this was already removed in OpenSSH.
Yep, this is important to mention in the release notes. I don't think it's been fully removed yet, just deprecated.
OpenSSH 7.0 and greater similarly disable the ssh-dss (DSA) public key algorithm. It too is weak and we recommend against its use. It can be re-enabled using the HostKeyAlgorithms configuration option:
Can be found here: nixos/doc/manual/release-notes/rl-1803.xml
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index c1fe692cee..8bc9cd9133 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,16 @@ following incompatible changes:</para>
<option>services.pgmanage</option>.
</para>
</listitem>
+ <listitem>
+ <para>
+ The OpenSSH service no longer enables support for DSA keys by default,
+ which could cause a system lock out. DSA support was
+ <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+ due to it being too weak. To re-enable support, add
+ <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+ <option>services.openssh.extraConfig</option>.
+ </para>
+ </listitem>
</itemizedlist>
</section>
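Review bot: "system lock out" in the new listitem should be "system lockout", and the entry should say what is affected: the option it names, PubkeyAcceptedKeyTypes, governs DSA client keys in authorized_keys, not host keys. The PR also removes supportOldHostKeys (see the title and the "Things to note" section), which this entry does not mention; a second listitem, or a sentence in this one, should tell users whose stateVersion is still below 15.07 to regenerate their host keys before upgrading.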
Look reasonable?
@@ -54,8 +54,6 @@ let | |||
)); | |||
in listToAttrs (map mkAuthKeyFile usersWithKeys); | |||
|
|||
supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07"; |
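Review bot: supportOldHostKeys is keyed on `versionAtLeast config.system.stateVersion "15.07"`, so removing it only changes behaviour on systems whose stateVersion is still below 15.07, and the symptom there is a host key change that clients with the old key in known_hosts will refuse. A release-note line, or a comment next to the remaining HostKey generation, should say that those systems need to regenerate host keys and then bump stateVersion, as the discussion below suggests.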
In the release notes, after fixing their host keys, they can safely change their state version from anything prior to 17.03, to 17.03, as vetted here: https://search.nix.gsc.io/?q=stateVersion
Since ssh-dss is no longer supported by default, users relying on those keys for their login may be locked out. They should ideally use stronger keys, but adding the support for ssh-dss back in can also be done through extraConfig.
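A pre-upgrade check an operator can run against an authorized_keys file to see who would be locked out by the ssh-dss removal, added here as an example and not part of the PR. The sample authorized_keys content and its key blobs are constructed placeholders; list_dsa_keys and count_dsa_keys are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample authorized_keys content (placeholder blobs, not real keys).
# Entries may carry a leading options field such as command="...",no-pty.
SAMPLE_AUTH_KEYS='ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@legacy-box
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob@laptop
command="/usr/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAAAPLACEHOLDER backup@nas
# a comment line
ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER carol@desktop'

# Print the comment field of every entry whose key type is ssh-dss, i.e. every
# key sshd will stop accepting once PubkeyAcceptedKeyTypes no longer lists it.
# Limitation: an options field containing whitespace inside quotes is not parsed.
list_dsa_keys() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
      i = 1
      # an options field never starts with a key-type prefix; skip it if present
      if ($1 !~ /^(ssh-|ecdsa-|sk-)/) i = 2
      if ($i == "ssh-dss") {
        comment = $(i + 2)
        if (comment == "") comment = "(no comment)"
        print comment
      }
    }'
}

# Number of DSA entries, so the check can gate an upgrade: non-zero means
# those users need a non-DSA key added before this change is deployed.
count_dsa_keys() {
  list_dsa_keys "$1" | awk 'END { print NR }'
}

# Stand-alone run over the sample data.
count_dsa_keys "$SAMPLE_AUTH_KEYS"
```

For a live host, feed `cat /etc/ssh/authorized_keys.d/* ~*/.ssh/authorized_keys` into list_dsa_keys instead of the sample.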
Anything more needed on this?
Thank you for this, LGTM
@jeaye thanks.
@jpierre03 Yes indeed. I'd like very much to see more things like this become (available) defaults in NixOS.
Motivation for this change
To better harden the SSH service by default. This was originally mentioned by @jpierre03 here: #20161 (comment) -- I'm just looking to get the ball rolling.
Things done
build-use-sandbox in nix.conf (on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
Things to note
This breaks backward compatibility with anyone using supportOldHostKeys. If people want that, I think extraConfig will do the trick.