public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/ssh: Remove support for old host keys

Browse Source
This commit is contained in:
jeaye 2017-11-16 20:16:06 -08:00
parent 61090c8c66
commit ec80c92825
No known key found for this signature in database
GPG Key ID: A77FFC856C61E510
1 changed files with 0 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -54,8 +54,6 @@ let
)); ));
in listToAttrs (map mkAuthKeyFile usersWithKeys); in listToAttrs (map mkAuthKeyFile usersWithKeys);
supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
in in
{ {
@ -191,9 +189,6 @@ in
default = default =
[ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
] ++ optionals supportOldHostKeys
[ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
{ type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
]; ];
description = '' description = ''
NixOS can automatically generate SSH host keys. This option NixOS can automatically generate SSH host keys. This option
@ -363,14 +358,6 @@ in
HostKey ${k.path} HostKey ${k.path}
'')} '')}
# Allow DSA client keys for now. (These were deprecated
# in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss
# Re-enable DSA host keys for now.
${optionalString supportOldHostKeys ''
HostKeyAlgorithms +ssh-dss
''}
''; '';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;