pyrox.dev / nixpkgs
lol
fork atom

sshd: Use RSA and ED25519 host keys

Closes #7939.

Eelco Dolstra a5b83c35 d166c854

options
unified split
Changed files
+18 -10
nixos
doc
manual
release-notes
rl-unstable.xml
modules
services
networking
ssh
sshd.nix
+13
nixos/doc/manual/release-notes/rl-unstable.xml 
···

       
50

       
50

       
 

       



     

       
51

       
51

       
 

       
<itemizedlist>


     

       
52

       
52

       
 

       



     

       

       
53

       
+

       
<listitem><para><command>sshd</command> no longer supports DSA and ECDSA


     

       

       
54

       
+

       
host keys by default. If you have existing systems with such host keys


     

       

       
55

       
+

       
and want to continue to use them, please set


     

       

       
56

       
+

       



     

       

       
57

       
+

       
<programlisting>


     

       

       
58

       
+

       
system.stateVersion = "14.12";


     

       

       
59

       
+

       
</programlisting>


     

       

       
60

       
+

       



     

       

       
61

       
+

       
(The new option <option>system.stateVersion</option> ensures that


     

       

       
62

       
+

       
certain configuration changes that could break existing systems (such


     

       

       
63

       
+

       
as the <command>sshd</command> host key setting) will maintain


     

       

       
64

       
+

       
compatibility with the specified NixOS release.)</para></listitem>


     

       

       
65

       
+

       



     

       
53

       
66

       
 

       
<listitem><para><command>cron</command> is no longer enabled by


     

       
54

       
67

       
 

       
default, unless you have a non-empty


     

       
55

       
68

       
 

       
<option>services.cron.systemCronJobs</option>. To force
+5 -10
nixos/modules/services/networking/ssh/sshd.nix 
···

       
184

       
184

       
 

       
      hostKeys = mkOption {


     

       
185

       
185

       
 

       
        type = types.listOf types.attrs;


     

       
186

       
186

       
 

       
        default =


     

       
187

       

       
-

       
          [ { path = "/etc/ssh/ssh_host_dsa_key";


     

       
188

       

       
-

       
              type = "dsa";


     

       
189

       

       
-

       
            }


     

       
190

       

       
-

       
            { path = "/etc/ssh/ssh_host_ecdsa_key";


     

       
191

       

       
-

       
              type = "ecdsa";


     

       
192

       

       
-

       
              bits = 521;


     

       
193

       

       
-

       
            }


     

       
194

       

       
-

       
            { path = "/etc/ssh/ssh_host_ed25519_key";


     

       
195

       

       
-

       
              type = "ed25519";


     

       
196

       

       
-

       
            }


     

       

       
187

       
+

       
          [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }


     

       

       
188

       
+

       
            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }


     

       

       
189

       
+

       
          ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07")


     

       

       
190

       
+

       
          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }


     

       

       
191

       
+

       
            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }


     

       
197

       
192

       
 

       
          ];


     

       
198

       
193

       
 

       
        description = ''


     

       
199

       
194

       
 

       
          NixOS can automatically generate SSH host keys.  This option