author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-02-01 16:27:46 +0100 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2016-02-01 16:31:43 +0100 |
commit | a7b7ac8bfb948f05c8956f8de23d806fb7686438 (patch) | |
tree | 2d9b2b18a5eec1d41e3a2a5559c3c5c48d64e0cd /nixos/modules | |
parent | a7f09e97734792b7d3d68b13825ced07f737a006 (diff) | |
openssh: Enable DSA host/client keys
This applies a patch from Fedora to make HostKeyAlgorithms do the right thing, fixing the issue described in 401782cb678d2e28c0f7f2d40c6421624f410148.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/programs/ssh.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 13 |
2 files changed, 15 insertions, 1 deletions
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 2da8ff738fbc..169c6a38e75b 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -186,6 +186,9 @@ in
 ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
+ # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
+ PubkeyAcceptedKeyTypes +ssh-dss
+
 ${cfg.extraConfig}
 '';
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 5baea4bc6aea..ba3efc8c0c2a 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -52,6 +52,8 @@ let
 ));
 in listToAttrs (map mkAuthKeyFile usersWithKeys);
+ supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
+
 in
 {
@@ -177,7 +179,7 @@ in
 default =
 [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
 { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07")
+ ] ++ optionals supportOldHostKeys
 [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
 { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
 ];
@@ -347,6 +349,15 @@ in
 ${flip concatMapStrings cfg.hostKeys (k: ''
 HostKey ${k.path}
 '')}
+
+ # Allow DSA client keys for now. (These were deprecated
+ # in OpenSSH 7.0.)
+ PubkeyAcceptedKeyTypes +ssh-dss
+
+ # Re-enable DSA host keys for now.
+ ${optionalString supportOldHostKeys ''
+ HostKeyAlgorithms +ssh-dss
+ ''}
 '';
 assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; |
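Review bot: In the ssh.nix hunk, `PubkeyAcceptedKeyTypes +ssh-dss` is written into ssh_config before `${cfg.extraConfig}`, and ssh_config keeps the first value obtained for each keyword, so an administrator cannot switch DSA user keys back off through extraConfig, which is the only knob the module exposes here. Either emit the line after `${cfg.extraConfig}` or gate it on a module option that defaults to the current behaviour, e.g. `${optionalString cfg.<dsa-option> "PubkeyAcceptedKeyTypes +ssh-dss"}` (option name to be chosen). Note also that this keyword only governs the user keys the client offers; if the commit title's "host" keys are meant to cover connecting to DSA-only servers, the client would additionally need `HostKeyAlgorithms +ssh-dss`, which this hunk does not add. The comment should name the condition behind "for now" (e.g. the OpenSSH release or NixOS release at which it is planned to go away). The enclosing ssh_config text definition starts outside the hunk.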
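Review bot: In the last sshd.nix hunk the server-side `PubkeyAcceptedKeyTypes +ssh-dss` is unconditional, while `HostKeyAlgorithms +ssh-dss` a few lines below is gated on `supportOldHostKeys`, so every sshd built from this module, including fresh installs with stateVersion ≥ 15.07, accepts DSA user keys (1024-bit, SHA-1 signatures) with no module-level way to refuse them. Gating it the same way, `${optionalString supportOldHostKeys "PubkeyAcceptedKeyTypes +ssh-dss"}`, would confine the compatibility concession to upgraded systems, and the comment could state that condition instead of "for now". Whether the module's extraConfig is rendered after this line is outside the hunk; if it is, sshd_config's first-value-wins rule means it cannot override this either. The enclosing sshd_config text definition begins outside the hunk.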