author | Peter Simons <simons@cryp.to> | 2015-05-22 14:23:21 +0200 |
committer | Peter Simons <simons@cryp.to> | 2015-05-22 16:28:45 +0200 |
commit | 86d299bc6ec739702c5c8d2aae3e2d6b2bb94b1e (patch) | |
tree | ca9a5292dadcd09192f0ad214e8a7ec15cf0fb77 /nixos/modules/services/networking | |
parent | 0c35edb25c80be61be50e2fb8ad1195a573d762e (diff) | |
nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes how to generate your own moduli file. The following script might also be helpful: | #! /usr/bin/env bash | | moduliFiles=() | | generateModuli() | { | ssh-keygen -G "moduli-$1.candidates" -b "$1" | ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates" | rm "moduli-$1.candidates" | } | | for (( i=0 ; i <= 16 ; ++i )); do | let bitSize="2048 + i * 128" | generateModuli "$bitSize" & | moduliFiles+=( "moduli-$bitSize" ) | done | wait | | echo >moduli "# Time Type Tests Tries Size Generator Modulus" | cat >>moduli "${moduliFiles[@]}" | rm "${moduliFiles[@]}" Note that generating moduli takes a long time, i.e. several hours on a fast machine! This patch resolves https://github.com/NixOS/nixpkgs/pull/5870.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 6cc86b4e4b5a..14d516ddbb66 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -268,6 +268,16 @@ in
       };
     };
 
+    moduliFile = mkOption {
+      example = "services.openssh.moduliFile = /etc/my-local-ssh-moduli;";
+      type = types.path;
+      description = ''
+        Path to <literal>moduli</literal> file to install in
+        <literal>/etc/ssh/moduli</literal>. If this option is unset, then
+        the <literal>moduli</literal> file shipped with OpenSSH will be used.
+      '';
+    };
+
   };
 
   users.extraUsers = mkOption {
@@ -286,8 +296,10 @@ in
       description = "SSH privilege separation user";
     };
 
+    services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
+
     environment.etc = authKeysFiles ++ [
-      { source = "${cfgc.package}/etc/ssh/moduli";
+      { source = cfg.moduliFile;
         target = "ssh/moduli";
       }
       { text = knownHostsText;
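Review bot: The `example` in the first hunk holds an assignment statement rather than a value, so the generated option documentation will show the literal string `services.openssh.moduliFile = /etc/my-local-ssh-moduli;` as the example; it should be the value alone, `example = "/etc/my-local-ssh-moduli";`. The description also promises that the file shipped with OpenSSH is used "if this option is unset", yet the option declares no `default`; the fallback lives only in the `mkDefault` of the second hunk, which the option docs will not show. Declaring `default = "${cfgc.package}/etc/ssh/moduli";` on the option would document the fallback next to the description and keep the option self-contained. The enclosing `services.openssh` option set starts before the hunk.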
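Review bot: Nothing in the second hunk checks that the file assigned to `cfg.moduliFile` is a usable moduli file before it is installed as `/etc/ssh/moduli`; as far as I recall, sshd does not refuse to start on a missing or unparseable moduli file but logs a warning and falls back to a fixed, well-known DH group, so a wrong path in a user-supplied value would silently weaken the group exchange rather than fail loudly. An assertion on the option, or at least a sentence in the description telling users to verify a custom file with `ssh-keygen -T` and to check the sshd log for the moduli warning after switching, would make the failure visible. The `mkDefault` line is also worth a short comment, `# default to the moduli shipped with the configured OpenSSH package`, since a reader of `environment.etc` no longer sees where the value comes from. The enclosing `config` attribute set starts and ends outside the hunk.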