diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml
index a9a6003d1e8..85a7f9c9871 100644
--- a/nixos/doc/manual/release-notes/rl-2009.xml
+++ b/nixos/doc/manual/release-notes/rl-2009.xml
@@ -108,6 +108,23 @@
security.duosec.integrationKey.
+
+
+ The initrd SSH support now uses OpenSSH rather than Dropbear to
+ allow the use of Ed25519 keys and other OpenSSH-specific
+ functionality. Host keys must now be in the OpenSSH format, and at
+ least one pre-generated key must be specified.
+
+
+ If you used the
+ options, you'll get an error explaining how to convert your host
+ keys and migrate to the new
+ option.
+ Otherwise, if you don't have any host keys set, you'll need to
+ generate some; see the option
+ documentation for instructions.
+
+
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix
index 2d3e3b05c98..d40c1010e73 100644
--- a/nixos/modules/system/boot/initrd-ssh.nix
+++ b/nixos/modules/system/boot/initrd-ssh.nix
@@ -10,19 +10,21 @@ in
{
- options = {
-
- boot.initrd.network.ssh.enable = mkOption {
+ options.boot.initrd.network.ssh = {
+ enable = mkOption {
type = types.bool;
default = false;
description = ''
Start SSH service during initrd boot. It can be used to debug failing
boot on a remote server, enter pasphrase for an encrypted partition etc.
Service is killed when stage-1 boot is finished.
+
+ The sshd configuration is largely inherited from
+ .
'';
};
- boot.initrd.network.ssh.port = mkOption {
+ port = mkOption {
type = types.int;
default = 22;
description = ''
@@ -30,7 +32,7 @@ in
'';
};
- boot.initrd.network.ssh.shell = mkOption {
+ shell = mkOption {
type = types.str;
default = "/bin/ash";
description = ''
@@ -38,95 +40,163 @@ in
'';
};
- boot.initrd.network.ssh.hostRSAKey = mkOption {
- type = types.nullOr types.path;
- default = null;
+ hostKeys = mkOption {
+ type = types.listOf (types.either types.str types.path);
+ default = [];
+ example = [
+ "/etc/secrets/initrd/ssh_host_rsa_key"
+ "/etc/secrets/initrd/ssh_host_ed25519_key"
+ ];
description = ''
- RSA SSH private key file in the Dropbear format.
+ Specify SSH host keys to import into the initrd.
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
+ To generate keys, use
+ ssh-keygen1:
+
+
+ # ssh-keygen -t rsa -N "" -f /etc/secrets/initrd/ssh_host_rsa_key
+ # ssh-keygen -t ed25519 -N "" -f /etc/secrets/initrd/ssh_host_ed_25519_key
+
+
+
+
+ Unless your bootloader supports initrd secrets, these keys
+ are stored insecurely in the global Nix store. Do NOT use
+ your regular SSH host private keys for this purpose or
+ you'll expose them to regular users!
+
+
+ Additionally, even if your initrd supports secrets, if
+ you're using initrd SSH to unlock an encrypted disk then
+ using your regular host keys exposes the private keys on
+ your unencrypted boot partition.
+
+
'';
};
- boot.initrd.network.ssh.hostDSSKey = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- DSS SSH private key file in the Dropbear format.
-
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
- '';
- };
-
- boot.initrd.network.ssh.hostECDSAKey = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = ''
- ECDSA SSH private key file in the Dropbear format.
-
- WARNING: Unless your bootloader supports initrd secrets, this key is
- contained insecurely in the global Nix store. Do NOT use your regular
- SSH host private keys for this purpose or you'll expose them to
- regular users!
- '';
- };
-
- boot.initrd.network.ssh.authorizedKeys = mkOption {
+ authorizedKeys = mkOption {
type = types.listOf types.str;
default = config.users.users.root.openssh.authorizedKeys.keys;
+ defaultText = "config.users.users.root.openssh.authorizedKeys.keys";
description = ''
Authorized keys for the root user on initrd.
- Note that Dropbear doesn't support OpenSSH's Ed25519 key type.
'';
};
-
};
- config = mkIf (config.boot.initrd.network.enable && cfg.enable) {
+ imports =
+ map (opt: mkRemovedOptionModule ([ "boot" "initrd" "network" "ssh" ] ++ [ opt ]) ''
+ The initrd SSH functionality now uses OpenSSH rather than Dropbear.
+
+ If you want to keep your existing initrd SSH host keys, convert them with
+ $ dropbearconvert dropbear openssh dropbear_host_$type_key ssh_host_$type_key
+ and then set options.boot.initrd.network.ssh.hostKeys.
+ '') [ "hostRSAKey" "hostDSSKey" "hostECDSAKey" ];
+
+ config = let
+ # Nix complains if you include a store hash in initrd path names, so
+ # as an awful hack we drop the first character of the hash.
+ initrdKeyPath = path: if isString path
+ then path
+ else let name = builtins.baseNameOf path; in
+ builtins.unsafeDiscardStringContext ("/etc/ssh/" +
+ substring 1 (stringLength name) name);
+
+ sshdCfg = config.services.openssh;
+
+ sshdConfig = ''
+ Port ${toString cfg.port}
+
+ PasswordAuthentication no
+ ChallengeResponseAuthentication no
+
+ ${flip concatMapStrings cfg.hostKeys (path: ''
+ HostKey ${initrdKeyPath path}
+ '')}
+
+ KexAlgorithms ${concatStringsSep "," sshdCfg.kexAlgorithms}
+ Ciphers ${concatStringsSep "," sshdCfg.ciphers}
+ MACs ${concatStringsSep "," sshdCfg.macs}
+
+ LogLevel ${sshdCfg.logLevel}
+
+ ${if sshdCfg.useDns then ''
+ UseDNS yes
+ '' else ''
+ UseDNS no
+ ''}
+ '';
+ in mkIf (config.boot.initrd.network.enable && cfg.enable) {
assertions = [
- { assertion = cfg.authorizedKeys != [];
+ {
+ assertion = cfg.authorizedKeys != [];
message = "You should specify at least one authorized key for initrd SSH";
}
+
+ {
+ assertion = cfg.hostKeys != [];
+ message = ''
+ You must now pre-generate the host keys for initrd SSH.
+ See the boot.inird.network.ssh.hostKeys documentation
+ for instructions.
+ '';
+ }
];
boot.initrd.extraUtilsCommands = ''
- copy_bin_and_libs ${pkgs.dropbear}/bin/dropbear
+ copy_bin_and_libs ${pkgs.openssh}/bin/sshd
cp -pv ${pkgs.glibc.out}/lib/libnss_files.so.* $out/lib
'';
boot.initrd.extraUtilsCommandsTest = ''
- $out/bin/dropbear -V
+ # sshd requires a host key to check config, so we pass in the test's
+ echo -n ${escapeShellArg sshdConfig} |
+ $out/bin/sshd -t -f /dev/stdin \
+ -h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}
'';
boot.initrd.network.postCommands = ''
echo '${cfg.shell}' > /etc/shells
echo 'root:x:0:0:root:/root:${cfg.shell}' > /etc/passwd
+ echo 'sshd:x:1:1:sshd:/var/empty:/bin/nologin' >> /etc/passwd
echo 'passwd: files' > /etc/nsswitch.conf
- mkdir -p /var/log
+ mkdir -p /var/log /var/empty
touch /var/log/lastlog
- mkdir -p /etc/dropbear
+ mkdir -p /etc/ssh
+ echo -n ${escapeShellArg sshdConfig} > /etc/ssh/sshd_config
+
+ echo "export PATH=$PATH" >> /etc/profile
+ echo "export LD_LIBRARY_PATH=$LD_LIBRARY_PATH" >> /etc/profile
mkdir -p /root/.ssh
${concatStrings (map (key: ''
echo ${escapeShellArg key} >> /root/.ssh/authorized_keys
'') cfg.authorizedKeys)}
- dropbear -s -j -k -E -p ${toString cfg.port} ${optionalString (cfg.hostRSAKey == null && cfg.hostDSSKey == null && cfg.hostECDSAKey == null) "-R"}
+ ${flip concatMapStrings cfg.hostKeys (path: ''
+ # keys from Nix store are world-readable, which sshd doesn't like
+ chmod 0600 "${initrdKeyPath path}"
+ '')}
+
+ /bin/sshd -e
'';
- boot.initrd.secrets =
- (optionalAttrs (cfg.hostRSAKey != null) { "/etc/dropbear/dropbear_rsa_host_key" = cfg.hostRSAKey; }) //
- (optionalAttrs (cfg.hostDSSKey != null) { "/etc/dropbear/dropbear_dss_host_key" = cfg.hostDSSKey; }) //
- (optionalAttrs (cfg.hostECDSAKey != null) { "/etc/dropbear/dropbear_ecdsa_host_key" = cfg.hostECDSAKey; });
+ boot.initrd.postMountCommands = ''
+ # Stop sshd cleanly before stage 2.
+ #
+ # If you want to keep it around to debug post-mount SSH issues,
+ # run `touch /.keep_sshd` (either from an SSH session or in
+ # another initrd hook like preDeviceCommands).
+ if ! [ -e /.keep_sshd ]; then
+ pkill -x sshd
+ fi
+ '';
+ boot.initrd.secrets = listToAttrs
+ (map (path: nameValuePair (initrdKeyPath path) path) cfg.hostKeys);
};
}
diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
index 93cd801ef80..9e3ee5cf0a3 100644
--- a/nixos/modules/system/boot/stage-1.nix
+++ b/nixos/modules/system/boot/stage-1.nix
@@ -142,7 +142,10 @@ let
let source' = if source == null then dest else source; in
''
mkdir -p $(dirname "$out/secrets/${dest}")
- cp -a ${source'} "$out/secrets/${dest}"
+ # Some programs (e.g. ssh) doesn't like secrets to be
+ # symlinks, so we use `cp -L` here to match the
+ # behaviour when secrets are natively supported.
+ cp -Lr ${source'} "$out/secrets/${dest}"
''
) config.boot.initrd.secrets))
}
diff --git a/nixos/tests/initrd-network-ssh/default.nix b/nixos/tests/initrd-network-ssh/default.nix
index 73d9f938e22..017de688208 100644
--- a/nixos/tests/initrd-network-ssh/default.nix
+++ b/nixos/tests/initrd-network-ssh/default.nix
@@ -3,7 +3,7 @@ import ../make-test-python.nix ({ lib, ... }:
{
name = "initrd-network-ssh";
meta = with lib.maintainers; {
- maintainers = [ willibutz ];
+ maintainers = [ willibutz emily ];
};
nodes = with lib; {
@@ -17,9 +17,9 @@ import ../make-test-python.nix ({ lib, ... }:
enable = true;
ssh = {
enable = true;
- authorizedKeys = [ "${readFile ./openssh.pub}" ];
+ authorizedKeys = [ (readFile ./id_ed25519.pub) ];
port = 22;
- hostRSAKey = ./dropbear.priv;
+ hostKeys = [ ./ssh_host_ed25519_key ];
};
};
boot.initrd.preLVMCommands = ''
@@ -42,11 +42,11 @@ import ../make-test-python.nix ({ lib, ... }:
"${toString (head (splitString " " (
toString (elemAt (splitString "\n" config.networking.extraHosts) 2)
)))} "
- "${readFile ./dropbear.pub}"
+ "${readFile ./ssh_host_ed25519_key.pub}"
];
};
sshKey = {
- source = ./openssh.priv; # dont use this anywhere else
+ source = ./id_ed25519;
mode = "0600";
};
};
@@ -56,7 +56,17 @@ import ../make-test-python.nix ({ lib, ... }:
testScript = ''
start_all()
client.wait_for_unit("network.target")
- client.wait_until_succeeds("ping -c 1 server")
+
+
+ def ssh_is_up(_) -> bool:
+ status, _ = client.execute("nc -z server 22")
+ return status == 0
+
+
+ with client.nested("waiting for SSH server to come up"):
+ retry(ssh_is_up)
+
+
client.succeed(
"ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"
)
diff --git a/nixos/tests/initrd-network-ssh/dropbear.priv b/nixos/tests/initrd-network-ssh/dropbear.priv
deleted file mode 100644
index af340535f0a..00000000000
Binary files a/nixos/tests/initrd-network-ssh/dropbear.priv and /dev/null differ
diff --git a/nixos/tests/initrd-network-ssh/dropbear.pub b/nixos/tests/initrd-network-ssh/dropbear.pub
deleted file mode 100644
index 385c625522a..00000000000
--- a/nixos/tests/initrd-network-ssh/dropbear.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzJ0OniLB91MpPC86I1m3wwJeAc+Gme7bAuaLIU/cSfPwxT5NO7MfCp0Pu94gYDKtDXMs/wXg0bTAVDeAFFkdIj6kBBumEmQLCTL48q2UxDIXVLT/E/AAgj6q7WwgCg7fwm4Vjn4z7aUyBx8EfRy+5/SQyeYla3D/lFYgMi5x4D6J+yeR+JPAptDE/IR5IizNV7mY0ZcoXYyHrrehI1tTYEEqjX13ZqS4OCBFWwHe1QHhRNM+jHhcATbgikjAj8FyFPtLvc+dSVtkuhQktQl36Bi8zMUQcV6+mM7Ln6DBcDlM9urHKLYPTWmUAyhxM955iglOn5z0RaAIcyNMT6hz0rHaNf0BIlmbXoTC0XGjHh/OnoOEC/zg0JqgQTnPiU45K4TnRSSXp2GfiDfiQAK0+HaXACkjuFR68u7WCZpB1Bse1OgKNClFqtRhIr5DilUb2/e5DCCmFkddMUcjmYqzZdbXNt7fo8CFULe+mbiCp8+tMg4aRTaDZ/Hk93nCvGE5TP2ypEMbfL6nRVKvXOjhdvSQQgKwx+O003FDEHCSG0Bpageh7yVpna+SPrbGklce7MjTpbx3iIwmvKpQ6asnK1L3KkahpY1S3NhQ+/S3Gs8KWQ5LAU+d3xiPX3jfIVHsCIIyxHDbwcJvxM4MFBFQpqRMD6E+LoM9RHjl4C9k2iQ== tmtynkky@duuni
diff --git a/nixos/tests/initrd-network-ssh/generate-keys.nix b/nixos/tests/initrd-network-ssh/generate-keys.nix
index 0183e12d7a8..3d7978890ab 100644
--- a/nixos/tests/initrd-network-ssh/generate-keys.nix
+++ b/nixos/tests/initrd-network-ssh/generate-keys.nix
@@ -1,12 +1,10 @@
with import ../../.. {};
runCommand "gen-keys" {
- buildInputs = [ dropbear openssh ];
+ buildInputs = [ openssh ];
}
''
mkdir $out
- dropbearkey -t rsa -f $out/dropbear.priv -s 4096 | sed -n 2p > $out/dropbear.pub
- ssh-keygen -q -t rsa -b 4096 -N "" -f client
- mv client $out/openssh.priv
- mv client.pub $out/openssh.pub
+ ssh-keygen -q -t ed25519 -N "" -f $out/ssh_host_ed25519_key
+ ssh-keygen -q -t ed25519 -N "" -f $out/id_ed25519
''
diff --git a/nixos/tests/initrd-network-ssh/id_ed25519 b/nixos/tests/initrd-network-ssh/id_ed25519
new file mode 100644
index 00000000000..f914b3f712f
--- /dev/null
+++ b/nixos/tests/initrd-network-ssh/id_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfwAAAJi/AJZMvwCW
+TAAAAAtzc2gtZWQyNTUxOQAAACAVcX+32Yqig25RxRA8bel/f604wV0p/63um+Oku/3vfw
+AAAEAPLjQusjrB90Lk3996G3AbtTeK+XweNgxaegYnml/A/RVxf7fZiqKDblHFEDxt6X9/
+rTjBXSn/re6b46S7/e9/AAAAEG5peGJsZEBsb2NhbGhvc3QBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/nixos/tests/initrd-network-ssh/id_ed25519.pub b/nixos/tests/initrd-network-ssh/id_ed25519.pub
new file mode 100644
index 00000000000..40de4a8ac60
--- /dev/null
+++ b/nixos/tests/initrd-network-ssh/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBVxf7fZiqKDblHFEDxt6X9/rTjBXSn/re6b46S7/e9/ nixbld@localhost
diff --git a/nixos/tests/initrd-network-ssh/openssh.priv b/nixos/tests/initrd-network-ssh/openssh.priv
deleted file mode 100644
index 816d65435fd..00000000000
--- a/nixos/tests/initrd-network-ssh/openssh.priv
+++ /dev/null
@@ -1,51 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKAIBAAKCAgEA7+9A2PCPOTAlFmrablrUWA+VZdAuLfM6JXeHsOF7ZbC2F6lv
-WmvDM925DQqhiAjcgWnt5WHWS5Y+b7lGnuzT7fyKegXd80nCRmqlpSG3srX0/lxR
-aQAJLzfoDjcsF+ceswQo6GSsYnCHVxMNs007gbbVY3f7o+sWZtLdxJPD2iHvl5Zr
-LK0d1RLMmU6cfIhIABlL0S8EWiv29RROepsCQnS0dnK2b+von1SCYoggvAMe2ToA
-IAJ8+uqaYfGAyn9q8fjZiRHxLmKDq90tKoCUL5r/2dmEIE+t8T/3PfHoq1QzZts9
-W9idhBdT21dEXBtGyoMtckp5njk5m82LQDYiOXkuSoIUhSOteh5g7fBv1BtVSERx
-Jg3UeJjPeGKFwdnzapmAKC2w/6V8xcIINNA+fhZA7B9fD1RAi2TECZ+gyMYDc4T+
-USlMSm9cfvSOrf2+5ngtFb84nHjqvClxCMLu+bCWK8HamqUzhE/a5LbR+48E7PyG
-s3KV+sWFN9KOnakTjj/6iQhXZRhgeAK39F2XTk5Ms5Y+BRSStnMoMZA2grIV+jHi
-1zbWokVqXPI5YRo5isR/PgtKAV6FfNWumcYoFJ9F40pMHQ6hJVEmtrCBx7EApSl3
-mSGbQJUmilLC51qNhwQRbD//ZtpIrN82HTMKzZ6kj7kDCdsff+wsnkIXmmMCAwEA
-AQKCAgA4tMINw6UF7hQF3VEsnbjr6xrzCiWv5HlMm5htPI1OdlpC81+G7ksfOfrf
-UzDkFrwOtftsqBfem268Nvyy2OQprfMIbdSMCFWrEM9/XJ2u1gRGDYmMGF8TUtI8
-cduw9oWx53zHl+uKBHBoKu+k/c7flFeQf63wisIroRCawhWau0SF/h3sXCndzuie
-Hw8q+4aQx2m80bDkotlmCNuXbIU3MZ/pEql9gDLlXTLHmMaryM0EqAmZhx0ErGe6
-WDqJIV4kPB0loSDwRoY6GzbugZ8ENUzcruTkQhCpIOYNNNw5idfwKkaxK1vm+SBv
-iYt1fVjYyfH2vhVKSNoNsaGEloa1u4Dymt/FpFztEpRzHXcw93N8BdLxJ4OUhzm2
-iAbpiyjniTIeAVVi7BUwLXh5WAx8nT0eeb1zKoZg1p1ciK5cYl1Uel7j8xRycsSW
-3YgmtuPqY4Agbc9v3eXbQZNDk48JFMEqpIxk97FAkRYpzfxg5Qq14WJCp60CkdRt
-T60hXy8lT/BcI8OWLfGJuBbsVLNRiC7PpwqRKQAinXSv134FpP7jrhpkMybs2oIS
-5obRG7J5OfOTp925erG5mrpwqa3BPkgqx347Wj9z8quOZyuhi+XaPvqmPtvs5JOl
-4RCqjt6RQlHm7xos9ZZGI4jDAIFaFWgyVZrYplOgwxWma4DTgQKCAQEA9+tizQRU
-lF0lxNcEPvsFnYJo80Y+MQK9VdtlhR19YuSfwP1NCaMG1MhQ+PVBVmepOwJMRJR7
-9PLfOouNMfixKBGP12dtStMuh7jowq/BxhRI6JWp3RhTZ1yJ9ouzHze7IDrEBa6w
-p0hUu9H0Sbt51LXbC3JmTyhbdhfry559DfyGW1Ma/bv/pihL9B5Y7sNf1thNp1gi
-GbQ9B+o2Yyw8ZD8zY+sl+aYDSWyCtcBV/KXEF74Bkfs/a5ExJ00X0jYj/TAp2ray
-T4PY0FR8wN/O10bFLP9j+Xa/ywbcPhoj8nvVRIg9VfWT/QaEd+KR0EZVxdjCCqne
-enbSQksTpAZNwQKCAQEA98E+BMmS+yHUVUhNZABtQ5avwuV4+DoSN8KTp3xwQ0CH
-m9fWxSDs12FdyMhDxrJPeywvHtZ18/7cl3dr8wnFVE0s4ongnRDXsNk5xN6J3AaO
-KqW4HF9cbwZqzLILy8TrO+EK/EQV9FypbrxqvxAlP1kezIA2CJNzVRAgimSuV/H7
-05HTnp5W06fjtEf8U1CUrdNetoSROUo1j/IMGPYGlsBFYAGrj5y/BlKd+3T3kjRp
-Xje7HpiykjrZHn0WDp04Ln+u9nveEewXmHKch313emt7HpW0xspp8JM8OZtEKozk
-D5PfYdBfMJJOUlqovCCzTTJ6kNOahknKXFeO/qs5IwKCAQEAjF0/zhWikXF/fcfD
-Bql2z2vTYdEmSvdjHSYff1Nn90K71DdVk5wytOxJM/sfp/z+yoMNjVKIL/IGQw5Z
-va4xFx+CUhGjxlZ0pLEjT37U9gHsGYsK5jvslLvG/MixfH5AOwoqi5ERQVTpbIF9
-jvVPEAh6YSu/ExglWGJIxTsRUIblxvTxdjEnl/p+rlM0RNJnA6vpo1J51BXA7CdF
-7bZQ5u0Feo/bK1I70ClYg/DGfkmYEV0pZG5cxNkqfDbgwsqWa7YGLGd94xkh+ymq
-jETqxeWyozxhbQ83nYpfzeVc7t//qlJ8b5uf0wUKoRmtNr9rtp13lzP/21REzPXW
-w+oxwQKCAQAoAf2Y2lAw25KlPuq4ZlU+n9u8FkBFnWMJvBMJ7c9XHNmJMf6NkLaO
-RTvWy3geYvbwxf7J9QnRH+vRTciR05cY+Olxn6A03N5nwXxRrToH3MsiWeZ0NnX/
-u8KNUYcUHbV60ulqOThuYHQ/3I9EUUAijaqqjV2sXts19ke68W0x6HKpBJhuudT9
-ktPzbdhyP8Xyl/pocNnerXwexZBsi3Ye6+eIDFz+8OnsBHVcgNPluS72tvsxgqj7
-ciNTiBGCxKKo55eCWBhRPpXE2WUrf/hGPYsBMl2h6FfZMH1+M/N7B4tgdJmS+woU
-Ftws8lTjJEiwA6HFN1ZxrwLNjJobx9yPAoIBAE0igsBuWWn6rXeOPylYg4264XOq
-8gb94pte2n9amDgCzyCn8m6AL3snLC/AoCD19DK+gyK0ukoesXPa3iX6w2xv69ZC
-urDx36Jhd4zrJb4QsFPoeKfDP+UvNVZaS41vipRRzY/y11em15prUZ4U8FA/UT1Y
-FzkBo9r6iUZRnyBLppMuEfWASDtuRNmeIHynoT1AcQOH3l9vR210iEpmAuJr0CYA
-bvTuz3UzzGGEAuIUvuaiRtkfKY52jBmiEr7SSPCr1HvLj3Ccz8bgjgR2kiXmcU50
-1zLnaPAD44LZ/0Fjqj+PimQGT6K7CNXPllmYh7MvoU52g3SVPf6rHlIR0Nc=
------END RSA PRIVATE KEY-----
diff --git a/nixos/tests/initrd-network-ssh/openssh.pub b/nixos/tests/initrd-network-ssh/openssh.pub
deleted file mode 100644
index 5b72b8085f2..00000000000
--- a/nixos/tests/initrd-network-ssh/openssh.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDv70DY8I85MCUWatpuWtRYD5Vl0C4t8zold4ew4XtlsLYXqW9aa8Mz3bkNCqGICNyBae3lYdZLlj5vuUae7NPt/Ip6Bd3zScJGaqWlIbeytfT+XFFpAAkvN+gONywX5x6zBCjoZKxicIdXEw2zTTuBttVjd/uj6xZm0t3Ek8PaIe+XlmssrR3VEsyZTpx8iEgAGUvRLwRaK/b1FE56mwJCdLR2crZv6+ifVIJiiCC8Ax7ZOgAgAnz66pph8YDKf2rx+NmJEfEuYoOr3S0qgJQvmv/Z2YQgT63xP/c98eirVDNm2z1b2J2EF1PbV0RcG0bKgy1ySnmeOTmbzYtANiI5eS5KghSFI616HmDt8G/UG1VIRHEmDdR4mM94YoXB2fNqmYAoLbD/pXzFwgg00D5+FkDsH18PVECLZMQJn6DIxgNzhP5RKUxKb1x+9I6t/b7meC0VvziceOq8KXEIwu75sJYrwdqapTOET9rkttH7jwTs/IazcpX6xYU30o6dqROOP/qJCFdlGGB4Arf0XZdOTkyzlj4FFJK2cygxkDaCshX6MeLXNtaiRWpc8jlhGjmKxH8+C0oBXoV81a6ZxigUn0XjSkwdDqElUSa2sIHHsQClKXeZIZtAlSaKUsLnWo2HBBFsP/9m2kis3zYdMwrNnqSPuQMJ2x9/7CyeQheaYw== tmtynkky@duuni
diff --git a/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key b/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key
new file mode 100644
index 00000000000..f1e29459b7a
--- /dev/null
+++ b/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACDP9Mz6qlxdQqA4omrgbOlVsxSGONCJstjW9zqquajlIAAAAJg0WGFGNFhh
+RgAAAAtzc2gtZWQyNTUxOQAAACDP9Mz6qlxdQqA4omrgbOlVsxSGONCJstjW9zqquajlIA
+AAAEA0Hjs7LfFPdTf3ThGx6GNKvX0ItgzgXs91Z3oGIaF6S8/0zPqqXF1CoDiiauBs6VWz
+FIY40Imy2Nb3Oqq5qOUgAAAAEG5peGJsZEBsb2NhbGhvc3QBAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key.pub b/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key.pub
new file mode 100644
index 00000000000..3aa1587e1dc
--- /dev/null
+++ b/nixos/tests/initrd-network-ssh/ssh_host_ed25519_key.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/0zPqqXF1CoDiiauBs6VWzFIY40Imy2Nb3Oqq5qOUg nixbld@localhost