Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ssh: custom config key types #40686

Merged
merged 1 commit into from Jul 21, 2018
Merged

ssh: custom config key types #40686

merged 1 commit into from Jul 21, 2018

Conversation

Izorkin
Copy link
Contributor

@Izorkin Izorkin commented May 17, 2018

Motivation for this change

A possibility is necessary to configure active key types

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@@ -190,8 +212,8 @@ in
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}

# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment needs to be moved. But we should think about dropping DSA support by default.

@Izorkin
Copy link
Contributor Author

Izorkin commented May 18, 2018

That's normal?

@@ -62,13 +62,37 @@ in
'';
};

pubkeyAcceptedKeyTypes = mkOption {
type = types.str;
default = "+ssh-dss";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd put the comment above this line.


hostKeyAlgorithms = mkOption {
type = types.str;
default = "+ssh-dss";
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and above this one

@dotlambda
Copy link
Member

What's normal?

@Izorkin
Copy link
Contributor Author

Izorkin commented May 18, 2018

Moved comment

@Izorkin Izorkin force-pushed the ssh branch 2 times, most recently from 93117bf to 22d409c Compare May 18, 2018 17:06
@antifob
Copy link
Contributor

antifob commented May 24, 2018

DSA keys have been deprecated upstream. Why does this commit defaults to re-supporting them?

edit: missed context. They should be disabled, though.

@dotlambda
Copy link
Member

dotlambda commented May 24, 2018

I'm also in favor of removing support for DSA keys by default. We can use the examples to show how to re-add support.
cc @edolstra who re-added support in a7b7ac8 and 3fb1708.

See also 401782c.

Copy link
Member

@dotlambda dotlambda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's continue the discussion in the appropriate issue/PR: #33381, #36937

This PR doesn't change anything if the new options are not used, so it should be ready to merge.

@dotlambda
Copy link
Member

cc @aneeshusa

Copy link
Contributor

@aneeshusa aneeshusa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of taking a raw string, let's take a list of key types, and have the module take care of concatenting them with commas. I also think it would be nice to have a separate option to handle the potenial +/- potential prefixes.

@Izorkin Izorkin force-pushed the ssh branch 2 times, most recently from 39a71a7 to be7b414 Compare May 25, 2018 08:53
@Izorkin
Copy link
Contributor Author

Izorkin commented May 25, 2018

Updated commit.

@Izorkin Izorkin force-pushed the ssh branch 2 times, most recently from f56d2ec to 9a26de8 Compare May 25, 2018 09:24
@Izorkin Izorkin changed the title ssh: custom config key types ssh: custom config key types and authentications method May 25, 2018
pubkeyAcceptedKeyTypes = mkOption {
type = types.listOf types.str;
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
default = [
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it may be better to not list all the types, but stay with the +ssh-dss instead. This way we get the default recommended options from the ssh package and don't have to remember to update this list when the recommendations change. Does that seem sensible?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me it does. I don't see any advantage in having to list the default types if you just want to add some.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also strongly prefer the OpenSSL defaults. I doubt we will keep track of this tightly.

I would also not want to introduce something that upstream has been deprecated as that could mean we can not take it out again. See the issue about deprecating the dsa support.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would argue for removing some of the doubtful nistp algorithms but we probably can not be sure nobody relies on them.. That is a very sad story.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed to next variant

@Izorkin Izorkin force-pushed the ssh branch 2 times, most recently from 57401ef to a34407d Compare June 9, 2018 07:45
@Izorkin
Copy link
Contributor Author

Izorkin commented Jun 9, 2018

сс @dotlambda @grahamc

@Izorkin Izorkin changed the title ssh: custom config key types and authentications method ssh: custom config key types Jun 10, 2018
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss
HostKeyAlgorithms +ssh-dss
${optionalString (cfg.pubkeyAcceptedKeyTypes != null) ''PubkeyAcceptedKeyTypes ${concatStringsSep "," cfg.pubkeyAcceptedKeyTypes}''}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These options can't be null.

};

hostKeyAlgorithms = mkOption {
type = types.nullOr (types.listOf types.str);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The type of those can be just types.listOf types.str, then an empty list replaces the null case.

@LnL7 LnL7 merged commit e2444a4 into NixOS:master Jul 21, 2018
@Izorkin Izorkin deleted the ssh branch July 21, 2018 10:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

9 participants