diff options
author | Emily <vcs@emily.moe> | 2020-03-14 18:29:08 +0000 |
---|---|---|
committer | Emily <vcs@emily.moe> | 2020-03-25 08:26:50 +0000 |
commit | d930466b7728e5515991cb73c060fc3f32bdc001 (patch) | |
tree | fccf4df70689dbf469d9ebae5a88e410d282702a /nixos/doc | |
parent | 01914e619f466d93d91ab6e563b17b9357f4a63a (diff) | |
download | nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar.gz nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar.bz2 nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar.lz nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar.xz nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.tar.zst nixlib-d930466b7728e5515991cb73c060fc3f32bdc001.zip |
nixos/initrd-ssh: switch from Dropbear to OpenSSH
Dropbear lags behind OpenSSH significantly in both support for modern key formats like `ssh-ed25519`, let alone the recently-introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots), as well as security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
Diffstat (limited to 'nixos/doc')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index a9a6003d1e8a..85a7f9c9871f 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -108,6 +108,23 @@ <link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>. </para> </listitem> + <listitem> + <para> + The initrd SSH support now uses OpenSSH rather than Dropbear to + allow the use of Ed25519 keys and other OpenSSH-specific + functionality. Host keys must now be in the OpenSSH format, and at + least one pre-generated key must be specified. + </para> + <para> + If you used the <option>boot.initrd.network.ssh.host*Key</option> + options, you'll get an error explaining how to convert your host + keys and migrate to the new + <option>boot.initrd.network.ssh.hostKeys</option> option. + Otherwise, if you don't have any host keys set, you'll need to + generate some; see the <option>hostKeys</option> option + documentation for instructions. + </para> + </listitem> </itemizedlist> </section> |