...

author: Gregor Kleen <gkleen@yggdrasil.li> 2023-03-20 11:51:00 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2023-03-20 11:51:00 +0100
commit: 89749d73a82bd0bfdfa225be06a6db8e82371ff4 (patch)
tree: a4a165b5072fa18331493b136766dda1b1014897 /system-profiles
parent: e46c80fd66956713569be4bec940b958d235e451 (diff)
download: nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar
nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.gz
nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.bz2
nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.xz
nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.zip
2 files changed, 39 insertions, 7 deletions
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 18a50cbf..2e75a8c4 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -116,7 +116,7 @@ in
      Port ${toString cfg.port}
      PasswordAuthentication no
-      ChallengeResponseAuthentication no
+      KbdInteractiveAuthentication no
      ${flip concatMapStrings cfg.hostKeys (path: ''
        HostKey ${initrdKeyPath path}
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index cc4ecdf0..8f0bd11b 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -8,7 +8,7 @@ in {
  options = {
    services.openssh.staticHostKeys = mkOption {
      type = types.bool;
-      default = true;
+      default = pathExists (./host-keys + "/${hostName}.yaml");
    };
  };
@@ -18,13 +18,45 @@ in {
    services.openssh = mkIf cfg.enable {
      hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
      settings = {
-        Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
+        Ciphers = [
-        Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
+          "chacha20-poly1305@openssh.com"
-        KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+          "aes256-gcm@openssh.com"
+          "aes256-ctr"
+        ];
+        Macs = [
+          "hmac-sha2-256-etm@openssh.com"
+          "hmac-sha2-256"
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-512"
+        ];
+        KexAlgorithms = [
+          "sntrup761x25519-sha512@openssh.com"
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        HostKeyAlgorithms = concatStringsSep "," [
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ssh-ed25519-cert-v01@openssh.com"
+          "rsa-sha2-256-cert-v01@openssh.com"
+          "rsa-sha2-512-cert-v01@openssh.com"
+          "sk-ssh-ed25519@openssh.com"
+          "ssh-ed25519"
+          "rsa-sha2-256"
+          "rsa-sha2-512"
+        ];
+        CASignatureAlgorithms = concatStringsSep "," [
+          "sk-ssh-ed25519@openssh.com"
+          "ssh-ed25519"
+          "rsa-sha2-256"
+          "rsa-sha2-512"
+        ];
        LogLevel = "VERBOSE";
-        HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
-        CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
        RevokedKeys = "/etc/ssh/krl.bin";
+        PasswordAuthentication = mkDefault false;
+        KbdInteractiveAuthentication = mkDefault false;
      };
      moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
      extraConfig = ''
author	Gregor Kleen <gkleen@yggdrasil.li>	2023-03-20 11:51:00 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2023-03-20 11:51:00 +0100
commit	89749d73a82bd0bfdfa225be06a6db8e82371ff4 (patch)
tree	a4a165b5072fa18331493b136766dda1b1014897 /system-profiles
parent	e46c80fd66956713569be4bec940b958d235e451 (diff)
download	nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.gz nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.bz2 nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.tar.xz nixos-89749d73a82bd0bfdfa225be06a6db8e82371ff4.zip

diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix index 18a50cbf..2e75a8c4 100644 --- a/system-profiles/initrd-ssh/module.nix +++ b/system-profiles/initrd-ssh/module.nix
@@ -116,7 +116,7 @@ in
116	Port ${toString cfg.port}	116	Port ${toString cfg.port}
117		117
118	PasswordAuthentication no	118	PasswordAuthentication no
119	ChallengeResponseAuthentication no	119	KbdInteractiveAuthentication no
120		120
121	${flip concatMapStrings cfg.hostKeys (path: ''	121	${flip concatMapStrings cfg.hostKeys (path: ''
122	HostKey ${initrdKeyPath path}	122	HostKey ${initrdKeyPath path}


diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index cc4ecdf0..8f0bd11b 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix
@@ -8,7 +8,7 @@ in {
8	options = {	8	options = {
9	services.openssh.staticHostKeys = mkOption {	9	services.openssh.staticHostKeys = mkOption {
10	type = types.bool;	10	type = types.bool;
11	default = true;	11	default = pathExists (./host-keys + "/${hostName}.yaml");
12	};	12	};
13	};	13	};
14		14
@@ -18,13 +18,45 @@ in {
18	services.openssh = mkIf cfg.enable {	18	services.openssh = mkIf cfg.enable {
19	hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually	19	hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
20	settings = {	20	settings = {
21	Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];	21	Ciphers = [
22	Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];	22	"chacha20-poly1305@openssh.com"
23	KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];	23	"aes256-gcm@openssh.com"
		24	"aes256-ctr"
		25	];
		26	Macs = [
		27	"hmac-sha2-256-etm@openssh.com"
		28	"hmac-sha2-256"
		29	"hmac-sha2-512-etm@openssh.com"
		30	"hmac-sha2-512"
		31	];
		32	KexAlgorithms = [
		33	"sntrup761x25519-sha512@openssh.com"
		34	"curve25519-sha256"
		35	"curve25519-sha256@libssh.org"
		36	"diffie-hellman-group-exchange-sha256"
		37	];
		38	HostKeyAlgorithms = concatStringsSep "," [
		39	"sk-ssh-ed25519-cert-v01@openssh.com"
		40	"ssh-ed25519-cert-v01@openssh.com"
		41	"rsa-sha2-256-cert-v01@openssh.com"
		42	"rsa-sha2-512-cert-v01@openssh.com"
		43	"sk-ssh-ed25519@openssh.com"
		44	"ssh-ed25519"
		45	"rsa-sha2-256"
		46	"rsa-sha2-512"
		47	];
		48	CASignatureAlgorithms = concatStringsSep "," [
		49	"sk-ssh-ed25519@openssh.com"
		50	"ssh-ed25519"
		51	"rsa-sha2-256"
		52	"rsa-sha2-512"
		53	];
		54
24	LogLevel = "VERBOSE";	55	LogLevel = "VERBOSE";
25	HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
26	CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
27	RevokedKeys = "/etc/ssh/krl.bin";	56	RevokedKeys = "/etc/ssh/krl.bin";
		57
		58	PasswordAuthentication = mkDefault false;
		59	KbdInteractiveAuthentication = mkDefault false;
28	};	60	};
29	moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;	61	moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
30	extraConfig = ''	62	extraConfig = ''