New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh: custom config key types #40686
ssh: custom config key types #40686
Conversation
nixos/modules/programs/ssh.nix
Outdated
@@ -190,8 +212,8 @@ in | |||
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} | |||
|
|||
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment needs to be moved. But we should think about dropping DSA support by default.
That's normal? |
nixos/modules/programs/ssh.nix
Outdated
@@ -62,13 +62,37 @@ in | |||
''; | |||
}; | |||
|
|||
pubkeyAcceptedKeyTypes = mkOption { | |||
type = types.str; | |||
default = "+ssh-dss"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd put the comment above this line.
nixos/modules/programs/ssh.nix
Outdated
|
||
hostKeyAlgorithms = mkOption { | ||
type = types.str; | ||
default = "+ssh-dss"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and above this one
What's normal? |
Moved comment |
93117bf
to
22d409c
Compare
DSA keys have been deprecated upstream. Why does this commit defaults to re-supporting them? edit: missed context. They should be disabled, though. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @aneeshusa |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of taking a raw string, let's take a list of key types, and have the module take care of concatenting them with commas. I also think it would be nice to have a separate option to handle the potenial +/-
potential prefixes.
39a71a7
to
be7b414
Compare
Updated commit. |
f56d2ec
to
9a26de8
Compare
nixos/modules/programs/ssh.nix
Outdated
pubkeyAcceptedKeyTypes = mkOption { | ||
type = types.listOf types.str; | ||
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) | ||
default = [ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it may be better to not list all the types, but stay with the +ssh-dss
instead. This way we get the default recommended options from the ssh package and don't have to remember to update this list when the recommendations change. Does that seem sensible?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To me it does. I don't see any advantage in having to list the default types if you just want to add some.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also strongly prefer the OpenSSL defaults. I doubt we will keep track of this tightly.
I would also not want to introduce something that upstream has been deprecated as that could mean we can not take it out again. See the issue about deprecating the dsa support.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would argue for removing some of the doubtful nistp
algorithms but we probably can not be sure nobody relies on them.. That is a very sad story.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed to next variant
57401ef
to
a34407d
Compare
nixos/modules/programs/ssh.nix
Outdated
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) | ||
PubkeyAcceptedKeyTypes +ssh-dss | ||
HostKeyAlgorithms +ssh-dss | ||
${optionalString (cfg.pubkeyAcceptedKeyTypes != null) ''PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}''} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These options can't be null.
nixos/modules/programs/ssh.nix
Outdated
}; | ||
|
||
hostKeyAlgorithms = mkOption { | ||
type = types.nullOr (types.listOf types.str); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The type of those can be just types.listOf types.str
, then an empty list replaces the null case.
Motivation for this change
A possibility is necessary to configure active key types
Things done
build-use-sandbox
innix.conf
on non-NixOS)nix-shell -p nox --run "nox-review wip"
./result/bin/
)