author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-07-27 20:13:08 +0200 |
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2015-07-27 20:30:10 +0200 |
commit | a5b83c357319c4442c94979cb3679d41d9b352bc (patch) | |
tree | 83c13d6c78ab9db066e1d0333dc0e8ff7403ab0c | |
parent | d166c854b6ecfd9ada520439b06f7eb9e3e4be7c (diff) | |
sshd: Use RSA and ED25519 host keys
Closes #7939.
-rw-r--r-- | nixos/doc/manual/release-notes/rl-unstable.xml | 13 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 15 |
2 files changed, 18 insertions, 10 deletions
diff --git a/nixos/doc/manual/release-notes/rl-unstable.xml b/nixos/doc/manual/release-notes/rl-unstable.xml
index 6ae8cd83d3f4..abfd417c53a7 100644
--- a/nixos/doc/manual/release-notes/rl-unstable.xml
+++ b/nixos/doc/manual/release-notes/rl-unstable.xml
@@ -50,6 +50,19 @@ following incompatible changes:
 <itemizedlist>
+<listitem><para><command>sshd</command> no longer supports DSA and ECDSA
+host keys by default. If you have existing systems with such host keys
+and want to continue to use them, please set
+
+<programlisting>
+system.stateVersion = "14.12";
+</programlisting>
+
+(The new option <option>system.stateVersion</option> ensures that
+certain configuration changes that could break existing systems (such
+as the <command>sshd</command> host key setting) will maintain
+compatibility with the specified NixOS release.)</para></listitem>
+
 <listitem><para><command>cron</command> is no longer enabled by default,
 unless you have a non-empty
 <option>services.cron.systemCronJobs</option>. To force
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 4be2b5fe0c0c..1c428ceddfd2 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -184,16 +184,11 @@ in
 hostKeys = mkOption {
 type = types.listOf types.attrs;
 default =
- [ { path = "/etc/ssh/ssh_host_dsa_key";
- type = "dsa";
- }
- { path = "/etc/ssh/ssh_host_ecdsa_key";
- type = "ecdsa";
- bits = 521;
- }
- { path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
+ [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07")
+ [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
+ { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
 ];
 description = ''
 NixOS can automatically generate SSH host keys. This option
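Review bot: The `hostKeys` option description (its text continues past the end of the sshd.nix hunk) does not say that the default is now conditional on `system.stateVersion`, so a reader of the option documentation cannot tell why a system may still be generating DSA and ECDSA keys; add a sentence such as `The default generates RSA (4096 bits) and ED25519 keys; on systems with system.stateVersion older than 15.07 it additionally keeps the legacy DSA and ECDSA keys for compatibility with existing host key files.` to the description. The new default references `optionals`, `versionAtLeast` and `config.system.stateVersion`, none of which are bound inside the hunk; presumably they come from a `with lib;` and the enclosing module arguments, and evaluation of this default will fail if `system.stateVersion` has no value on the system being built, which is worth confirming against the option's definition. Note also that on pre-15.07 systems the `dsa` entry keeps a DSA host key in the default set, which is the deliberate compatibility behaviour the release note describes, so operators who no longer need it should be pointed at overriding `hostKeys` rather than left with it silently; the description sentence above is the place to say so.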