author | Franz Pletz <fpletz@fnordicwalking.de> | 2018-07-14 16:29:46 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-07-14 16:29:46 +0000 |
commit | ea9078b76bb38a1685a22d4f503ba7de5cf48bc8 (patch) | |
tree | 3f468e1128851fefb271b4ca00640f320d8464cd /nixos | |
parent | d4f63206d8a3041356df0f65f49c1ea61be04eba (diff) | |
parent | 1846a85b77c60c2f72c95ee63f7f43a5557f8a48 (diff) | |
Merge pull request #41745 from rvolosatovs/fix/sshd
nixos: Add more ssh-keygen params
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 8b04fac089ef..7b2d1920f0f1 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -198,6 +198,10 @@ in [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; + example = + [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; rounds = 100; openSSHFormat = true; } + { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; rounds = 100; comment = "key comment"; } + ]; description = '' NixOS can automatically generate SSH host keys. This option specifies the path, type and size of each key. See @@ -358,7 +362,14 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' if ! [ -f "${k.path}" ]; then - ssh-keygen -t "${k.type}" ${if k ? bits then "-b ${toString k.bits}" else ""} -f "${k.path}" -N "" + ssh-keygen \ + -t "${k.type}" \ + ${if k ? bits then "-b ${toString k.bits}" else ""} \ + ${if k ? rounds then "-a ${toString k.rounds}" else ""} \ + ${if k ? comment then "-C '${k.comment}'" else ""} \ + ${if k ? openSSHFormat && k.openSSHFormat then "-o" else ""} \ + -f "${k.path}" \ + -N "" fi '')} ''; @@ -404,6 +415,9 @@ in unixAuth = cfg.passwordAuthentication; }; + # These values are merged with the ones defined externally, see: + # https://github.com/NixOS/nixpkgs/pull/10155 + # https://github.com/NixOS/nixpkgs/pull/41745 services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; |
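Review bot: In the ssh-keygen hunk the new `-C '${k.comment}'` argument is interpolated into single quotes without escaping, so a comment containing a single quote (or a newline) produces a malformed shell command and the host-key generation in preStart fails; the safer form is `${if k ? comment then "-C ${escapeShellArg k.comment}" else ""} \` (the module appears to have `lib` in scope, presumably via `with lib;` at the top of the file — confirm). Separately, `-a` only sets the bcrypt KDF rounds used when a private key is encrypted, and these keys are written with `-N ""`, so `rounds` currently has no effect regardless of `openSSHFormat`; the option description added in the first hunk should state that, rather than the example suggesting `rounds = 100` as a hardening knob. The enclosing preStart string starts before the hunk and its `if ! [ -f ... ]` guard is unchanged.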