summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:05:40 +0100
committerGregor Kleen <gkleen@yggdrasil.li>2023-03-20 12:05:40 +0100
commit247ed8fb020b0fc8680d7b811a26a690d5bf8e43 (patch)
tree87fdabf53b40809b71ebbce4a8e75a7488aec28c
parent9e0f84316df0504d73320495c51fe3bd7f968e7d (diff)
downloadnixos-247ed8fb020b0fc8680d7b811a26a690d5bf8e43.tar
nixos-247ed8fb020b0fc8680d7b811a26a690d5bf8e43.tar.gz
nixos-247ed8fb020b0fc8680d7b811a26a690d5bf8e43.tar.bz2
nixos-247ed8fb020b0fc8680d7b811a26a690d5bf8e43.tar.xz
nixos-247ed8fb020b0fc8680d7b811a26a690d5bf8e43.zip
...
-rw-r--r--system-profiles/openssh/default.nix156
1 files changed, 79 insertions, 77 deletions
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8960fbb0..a989733f 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -4,6 +4,52 @@ with lib;
4 4
5let 5let
6 cfg = config.services.openssh; 6 cfg = config.services.openssh;
7
8 Ciphers = [
9 "chacha20-poly1305@openssh.com"
10 "aes256-gcm@openssh.com"
11 "aes256-ctr"
12 ];
13 Macs = [
14 "umac-128-etm@openssh.com"
15 "hmac-sha2-256-etm@openssh.com"
16 "hmac-sha2-512-etm@openssh.com"
17 "umac-128@openssh.com"
18 "hmac-sha2-256"
19 "hmac-sha2-512"
20 "umac-64-etm@openssh.com"
21 "umac-64@openssh.com"
22 ];
23 KexAlgorithms = [
24 "sntrup761x25519-sha512@openssh.com"
25 "curve25519-sha256"
26 "curve25519-sha256@libssh.org"
27 "diffie-hellman-group-exchange-sha256"
28 ];
29 HostKeyAlgorithms = [
30 "sk-ssh-ed25519-cert-v01@openssh.com"
31 "ssh-ed25519-cert-v01@openssh.com"
32 "rsa-sha2-256-cert-v01@openssh.com"
33 "rsa-sha2-512-cert-v01@openssh.com"
34 "sk-ssh-ed25519@openssh.com"
35 "ssh-ed25519"
36 "rsa-sha2-256"
37 "rsa-sha2-512"
38 ];
39 CASignatureAlgorithms = [
40 "sk-ssh-ed25519@openssh.com"
41 "ssh-ed25519"
42 "rsa-sha2-256"
43 "rsa-sha2-512"
44 ];
45 PubkeyAcceptedAlgorithms = [
46 "ssh-ed25519-cert-v01@openssh.com"
47 "sk-ssh-ed25519-cert-v01@openssh.com"
48 "rsa-sha2-512-cert-v01@openssh.com"
49 "rsa-sha2-256-cert-v01@openssh.com"
50 "ssh-ed25519"
51 "ssh-rsa"
52 ];
7in { 53in {
8 options = { 54 options = {
9 services.openssh = { 55 services.openssh = {
@@ -50,6 +96,32 @@ in {
50 "rsa-sha2-256" 96 "rsa-sha2-256"
51 ]; 97 ];
52 }; 98 };
99 settings.PubkeyAcceptedAlgorithms = mkOption {
100 type = types.listOf types.str;
101 default = [
102 "ssh-ed25519"
103 "ssh-ed25519-cert-v01@openssh.com"
104 "sk-ssh-ed25519@openssh.com"
105 "sk-ssh-ed25519-cert-v01@openssh.com"
106 "ecdsa-sha2-nistp256"
107 "ecdsa-sha2-nistp256-cert-v01@openssh.com"
108 "ecdsa-sha2-nistp384"
109 "ecdsa-sha2-nistp384-cert-v01@openssh.com"
110 "ecdsa-sha2-nistp521"
111 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
112 "sk-ecdsa-sha2-nistp256@openssh.com"
113 "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
114 "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
115 "ssh-dss"
116 "ssh-dss-cert-v01@openssh.com"
117 "ssh-rsa"
118 "ssh-rsa-cert-v01@openssh.com"
119 "rsa-sha2-256"
120 "rsa-sha2-256-cert-v01@openssh.com"
121 "rsa-sha2-512"
122 "rsa-sha2-512-cert-v01@openssh.com"
123 ];
124 };
53 }; 125 };
54 }; 126 };
55 127
@@ -59,43 +131,7 @@ in {
59 services.openssh = mkIf cfg.enable { 131 services.openssh = mkIf cfg.enable {
60 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually 132 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
61 settings = { 133 settings = {
62 Ciphers = [ 134 inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubKeyAcceptedAlgorithms;
63 "chacha20-poly1305@openssh.com"
64 "aes256-gcm@openssh.com"
65 "aes256-ctr"
66 ];
67 Macs = [
68 "umac-128-etm@openssh.com"
69 "hmac-sha2-256-etm@openssh.com"
70 "hmac-sha2-512-etm@openssh.com"
71 "umac-128@openssh.com"
72 "hmac-sha2-256"
73 "hmac-sha2-512"
74 "umac-64-etm@openssh.com"
75 "umac-64@openssh.com"
76 ];
77 KexAlgorithms = [
78 "sntrup761x25519-sha512@openssh.com"
79 "curve25519-sha256"
80 "curve25519-sha256@libssh.org"
81 "diffie-hellman-group-exchange-sha256"
82 ];
83 HostKeyAlgorithms = [
84 "sk-ssh-ed25519-cert-v01@openssh.com"
85 "ssh-ed25519-cert-v01@openssh.com"
86 "rsa-sha2-256-cert-v01@openssh.com"
87 "rsa-sha2-512-cert-v01@openssh.com"
88 "sk-ssh-ed25519@openssh.com"
89 "ssh-ed25519"
90 "rsa-sha2-256"
91 "rsa-sha2-512"
92 ];
93 CASignatureAlgorithms = [
94 "sk-ssh-ed25519@openssh.com"
95 "ssh-ed25519"
96 "rsa-sha2-256"
97 "rsa-sha2-512"
98 ];
99 135
100 LogLevel = "VERBOSE"; 136 LogLevel = "VERBOSE";
101 RevokedKeys = "/etc/ssh/krl.bin"; 137 RevokedKeys = "/etc/ssh/krl.bin";
@@ -124,49 +160,15 @@ in {
124 ./known-hosts/borgbase.keys 160 ./known-hosts/borgbase.keys
125 ]; 161 ];
126 162
127 ciphers = [ 163 ciphers = Ciphers;
128 "chacha20-poly1305@openssh.com" 164 macs = Macs;
129 "aes256-gcm@openssh.com" 165 kexAlgorithms = KexAlgorithms;
130 "aes256-ctr" 166 hostKeyAlgorithms = HostKeyAlgorithms;
131 ]; 167 pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;
132 macs = [
133 "umac-128-etm@openssh.com"
134 "hmac-sha2-256-etm@openssh.com"
135 "hmac-sha2-512-etm@openssh.com"
136 "umac-128@openssh.com"
137 "hmac-sha2-256"
138 "hmac-sha2-512"
139 "umac-64-etm@openssh.com"
140 "umac-64@openssh.com"
141 ];
142 kexAlgorithms = [
143 "sntrup761x25519-sha512@openssh.com"
144 "curve25519-sha256"
145 "curve25519-sha256@libssh.org"
146 "diffie-hellman-group-exchange-sha256"
147 ];
148 hostKeyAlgorithms = [
149 "sk-ssh-ed25519-cert-v01@openssh.com"
150 "ssh-ed25519-cert-v01@openssh.com"
151 "rsa-sha2-256-cert-v01@openssh.com"
152 "rsa-sha2-512-cert-v01@openssh.com"
153 "sk-ssh-ed25519@openssh.com"
154 "ssh-ed25519"
155 "rsa-sha2-256"
156 "rsa-sha2-512"
157 ];
158 pubkeyAcceptedKeyTypes = [
159 "ssh-ed25519-cert-v01@openssh.com"
160 "sk-ssh-ed25519-cert-v01@openssh.com"
161 "rsa-sha2-512-cert-v01@openssh.com"
162 "rsa-sha2-256-cert-v01@openssh.com"
163 "ssh-ed25519"
164 "ssh-rsa"
165 ];
166 168
167 extraConfig = '' 169 extraConfig = ''
168 Host * 170 Host *
169 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512 171 CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
170 PasswordAuthentication no 172 PasswordAuthentication no
171 KbdInteractiveAuthentication no 173 KbdInteractiveAuthentication no
172 ''; 174 '';