New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos: Add more ssh-keygen params #41745
Conversation
[ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } | ||
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } | ||
[ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } | ||
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need these default values or should they go to examples?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Indeed, these should have been examples, however rounds
would be a nice one to specify by defaults, as it improves security.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are the parameter chosen by sshd unreasonable low?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure about that part, but the parameters are taken from this article(see Client Authentication part), which is referenced in the file numerous times already.
@@ -209,7 +213,7 @@ in | |||
|
|||
authorizedKeysFiles = mkOption { | |||
type = types.listOf types.str; | |||
default = []; | |||
default = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See #10155 for how this works; any values set in authorizedKeysFiles
are merged into the default, and I don't think we are likely to change this behavior soon due to backwards compatability, so please undo this change. However, since this makes at least 2 people confused by this, I think a documentation update would be great!
@@ -356,7 +360,14 @@ in | |||
|
|||
${flip concatMapStrings cfg.hostKeys (k: '' | |||
if ! [ -f "${k.path}" ]; then | |||
ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N "" | |||
ssh-keygen\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
style nit: have a space between the \
continuation at the end of each line
@Mic92 @aneeshusa any news about this? |
Motivation for this change
Some options, that user may want to be able to specify can now be specified for the key generation procedure.
Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)