ssh: custom config key types #40686
ssh: custom config key types #40686
Conversation
nixos/modules/programs/ssh.nix
Outdated
| @@ -190,8 +212,8 @@ in | |||
| ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} | |||
|
|
|||
| # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) | |||
There was a problem hiding this comment.
This comment needs to be moved. But we should think about dropping DSA support by default.
|
That's normal? |
nixos/modules/programs/ssh.nix
Outdated
| @@ -62,13 +62,37 @@ in | |||
| ''; | |||
| }; | |||
|
|
|||
| pubkeyAcceptedKeyTypes = mkOption { | |||
| type = types.str; | |||
| default = "+ssh-dss"; | |||
There was a problem hiding this comment.
I'd put the comment above this line.
nixos/modules/programs/ssh.nix
Outdated
|
|
||
| hostKeyAlgorithms = mkOption { | ||
| type = types.str; | ||
| default = "+ssh-dss"; |
|
What's normal? |
|
Moved comment |
Izorkin
force-pushed
the
ssh
branch
2 times, most recently
from
93117bf
to
22d409c
Compare
|
DSA keys have been deprecated upstream. Why does this commit defaults to re-supporting them? edit: missed context. They should be disabled, though. |
|
cc @aneeshusa |
Izorkin
force-pushed
the
ssh
branch
2 times, most recently
from
39a71a7
to
be7b414
Compare
|
Updated commit. |
Izorkin
force-pushed
the
ssh
branch
2 times, most recently
from
f56d2ec
to
9a26de8
Compare
Izorkin
changed the title
nixos/modules/programs/ssh.nix
Outdated
| pubkeyAcceptedKeyTypes = mkOption { | ||
| type = types.listOf types.str; | ||
| # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) | ||
| default = [ |
There was a problem hiding this comment.
I think it may be better to not list all the types, but stay with the +ssh-dss instead. This way we get the default recommended options from the ssh package and don't have to remember to update this list when the recommendations change. Does that seem sensible?
There was a problem hiding this comment.
To me it does. I don't see any advantage in having to list the default types if you just want to add some.
There was a problem hiding this comment.
I also strongly prefer the OpenSSL defaults. I doubt we will keep track of this tightly.
I would also not want to introduce something that upstream has been deprecated as that could mean we can not take it out again. See the issue about deprecating the dsa support.
There was a problem hiding this comment.
I would argue for removing some of the doubtful nistp algorithms but we probably can not be sure nobody relies on them.. That is a very sad story.
There was a problem hiding this comment.
Changed to next variant
Izorkin
force-pushed
the
ssh
branch
2 times, most recently
from
57401ef
to
a34407d
Compare
Izorkin
changed the title
nixos/modules/programs/ssh.nix
Outdated
| # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) | ||
| PubkeyAcceptedKeyTypes +ssh-dss | ||
| HostKeyAlgorithms +ssh-dss | ||
| ${optionalString (cfg.pubkeyAcceptedKeyTypes != null) ''PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}''} |
nixos/modules/programs/ssh.nix
Outdated
| }; | ||
|
|
||
| hostKeyAlgorithms = mkOption { | ||
| type = types.nullOr (types.listOf types.str); |
There was a problem hiding this comment.
The type of those can be just types.listOf types.str, then an empty list replaces the null case.
Motivation for this change
A possibility is necessary to configure active key types
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)