nixos: Add more ssh-keygen params #41745
Conversation
| [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } | ||
| { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } | ||
| [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } | ||
| { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } |
There was a problem hiding this comment.
Do we need these default values or should they go to examples?
There was a problem hiding this comment.
Indeed, these should have been examples, however rounds would be a nice one to specify by defaults, as it improves security.
There was a problem hiding this comment.
Are the parameter chosen by sshd unreasonable low?
There was a problem hiding this comment.
Not sure about that part, but the parameters are taken from this article(see Client Authentication part), which is referenced in the file numerous times already.
| @@ -209,7 +213,7 @@ in | |||
|
|
|||
| authorizedKeysFiles = mkOption { | |||
| type = types.listOf types.str; | |||
| default = []; | |||
| default = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; | |||
There was a problem hiding this comment.
See #10155 for how this works; any values set in authorizedKeysFiles are merged into the default, and I don't think we are likely to change this behavior soon due to backwards compatability, so please undo this change. However, since this makes at least 2 people confused by this, I think a documentation update would be great!
| @@ -356,7 +360,14 @@ in | |||
|
|
|||
| ${flip concatMapStrings cfg.hostKeys (k: '' | |||
| if ! [ -f "${k.path}" ]; then | |||
| ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N "" | |||
| ssh-keygen\ | |||
There was a problem hiding this comment.
style nit: have a space between the \ continuation at the end of each line
|
@Mic92 @aneeshusa any news about this? |
rvolosatovs
changed the title
Motivation for this change
Some options, that user may want to be able to specify can now be specified for the key generation procedure.
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)