author | Alyssa Ross <hi@alyssa.is> | 2020-04-07 13:52:27 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-04-07 13:52:27 +0000 |
commit | 78aafc194077668599dc70fc1aadbbde7364c140 (patch) | |
tree | 85bb6bb08a406d215cac10d05d623a27170cc153 /modules/ssh/default.nix | |
parent | 003454219cb9cb8fd456358d6ffcf5a361c91089 (diff) | |
modules/ssh: globally ban NIST curves
Diffstat (limited to 'modules/ssh/default.nix')
-rw-r--r-- | modules/ssh/default.nix | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/modules/ssh/default.nix b/modules/ssh/default.nix index 713810da7346..b3c29dd3666c 100644 --- a/modules/ssh/default.nix +++ b/modules/ssh/default.nix @@ -1,13 +1,28 @@ { config, pkgs, lib, ... }: let + inherit (lib) concatStringsSep; + mkDefault = lib.mkOverride ((lib.mkDefault null).priority - 1); + + # SSL added and removed here ;-) + bannedAlgorithms = [ + "ecdsa-sha2-nistp256-cert-v01@openssh.com" + "ecdsa-sha2-nistp384-cert-v01@openssh.com" + "ecdsa-sha2-nistp521-cert-v01@openssh.com" + "ecdsa-sha2-nistp256" + "ecdsa-sha2-nistp384" + "ecdsa-sha2-nistp521" + ]; in { programs.mosh.enable = mkDefault config.services.openssh.enable; programs.ssh.extraConfig = '' + CASignatureAlgorithms -${concatStringsSep "," bannedAlgorithms} + HostKeyAlgorithms -${concatStringsSep "," bannedAlgorithms} + Host uhura spock HostName %h.edef.eu |