nixos: add config.services.openssh.moduliFile option so that users can replace the default file from OpenSSH
The man page for ssh-keygen(1) has a section "MODULI GENERATION" that describes how to generate your own moduli file. The following script might also be helpful: | #! /usr/bin/env bash | | moduliFiles=() | | generateModuli() | { | ssh-keygen -G "moduli-$1.candidates" -b "$1" | ssh-keygen -T "moduli-$1" -f "moduli-$1.candidates" | rm "moduli-$1.candidates" | } | | for (( i=0 ; i <= 16 ; ++i )); do | let bitSize="2048 + i * 128" | generateModuli "$bitSize" & | moduliFiles+=( "moduli-$bitSize" ) | done | wait | | echo >moduli "# Time Type Tests Tries Size Generator Modulus" | cat >>moduli "${moduliFiles[@]}" | rm "${moduliFiles[@]}" Note that generating moduli takes a long time, i.e. several hours on a fast machine! This patch resolves https://github.com/NixOS/nixpkgs/pull/5870.
This commit is contained in:
parent
0c35edb25c
commit
86d299bc6e
|
@ -268,6 +268,16 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
moduliFile = mkOption {
|
||||
example = "services.openssh.moduliFile = /etc/my-local-ssh-moduli;";
|
||||
type = types.path;
|
||||
description = ''
|
||||
Path to <literal>moduli</literal> file to install in
|
||||
<literal>/etc/ssh/moduli</literal>. If this option is unset, then
|
||||
the <literal>moduli</literal> file shipped with OpenSSH will be used.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
users.extraUsers = mkOption {
|
||||
|
@ -286,8 +296,10 @@ in
|
|||
description = "SSH privilege separation user";
|
||||
};
|
||||
|
||||
services.openssh.moduliFile = mkDefault "${cfgc.package}/etc/ssh/moduli";
|
||||
|
||||
environment.etc = authKeysFiles ++ [
|
||||
{ source = "${cfgc.package}/etc/ssh/moduli";
|
||||
{ source = cfg.moduliFile;
|
||||
target = "ssh/moduli";
|
||||
}
|
||||
{ text = knownHostsText;
|
||||
|
|