public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssh: Enable DSA host/client keys

Browse Source 
This applies a patch from Fedora to make HostKeyAlgorithms do the
right thing, fixing the issue described in
401782cb678d2e28c0f7f2d40c6421624f410148.
This commit is contained in:
Eelco Dolstra 2016-02-01 16:27:46 +01:00
parent a7f09e9773
commit a7b7ac8bfb
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/programs/ssh.nix
View File

@ -186,6 +186,9 @@ in
ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}
# Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss
${cfg.extraConfig} ${cfg.extraConfig}
''; '';

13
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -52,6 +52,8 @@ let
)); ));
in listToAttrs (map mkAuthKeyFile usersWithKeys); in listToAttrs (map mkAuthKeyFile usersWithKeys);
supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
in in
{ {
@ -177,7 +179,7 @@ in
default = default =
[ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
] ++ optionals (!versionAtLeast config.system.stateVersion "15.07") ] ++ optionals supportOldHostKeys
[ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; } [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
{ type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; } { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
]; ];
@ -347,6 +349,15 @@ in
${flip concatMapStrings cfg.hostKeys (k: '' ${flip concatMapStrings cfg.hostKeys (k: ''
HostKey ${k.path} HostKey ${k.path}
'')} '')}
# Allow DSA client keys for now. (These were deprecated
# in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss
# Re-enable DSA host keys for now.
${optionalString supportOldHostKeys ''
HostKeyAlgorithms +ssh-dss
''}
''; '';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

11
pkgs/tools/networking/openssh/default.nix
View File

@ -36,7 +36,16 @@ stdenv.mkDerivation rec {
export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s" export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
''; '';
patches = [ ./locale_archive.patch ] patches =
[ ./locale_archive.patch
# Fix "HostKeyAlgoritms +...", which we need to enable DSA
# host key support.
(fetchurl {
url = "https://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.1p1-hostkeyalgorithms.patch?id=c98f5597250d6f9a8e8d96960beb6306d150ef0f";
sha256 = "029lzp9qv1af8wdm0wwj7qwjj1nimgsjj214jqm3amwz0857qgvp";
})
]
++ optional withGssapiPatches gssapiSrc; ++ optional withGssapiPatches gssapiSrc;
buildInputs = [ zlib openssl libedit pkgconfig pam ] buildInputs = [ zlib openssl libedit pkgconfig pam ]