From 9e0f84316df0504d73320495c51fe3bd7f968e7d Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Mar 2023 12:01:42 +0100
Subject: ...
---
 hosts/eostre/default.nix | 1 +
 system-profiles/openssh/default.nix | 102 ++++++++++++++++++++++++++++++++----
 2 files changed, 92 insertions(+), 11 deletions(-)
diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix
index 2752d136..b6864833 100644
--- a/hosts/eostre/default.nix
+++ b/hosts/eostre/default.nix
@@ -100,6 +100,7 @@ with lib;
 services.openssh = {
 enable = true;
+ startWhenNeeded = true;
 settings = {
 PasswordAuthentication = true;
 KbdInteractiveAuthentication = true;
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8f0bd11b..8960fbb0 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
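Review bot: With `startWhenNeeded = true` added right next to the kept `PasswordAuthentication = true` and `KbdInteractiveAuthentication = true`, sshd's own `MaxStartups` throttling of unauthenticated connections no longer has any effect, because as NixOS implements socket activation each incoming connection gets its own `sshd -i` instance and there is no long-running parent to count them; connection-rate limiting then has to come from the socket unit or the firewall. A short comment on the new line would make that trade-off explicit for the next reader, e.g. `# socket-activated: one sshd per connection, MaxStartups does not apply`. The `services.openssh` attribute set continues outside the hunk.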
@@ -6,9 +6,50 @@ let
 cfg = config.services.openssh;
 in {
 options = {
- services.openssh.staticHostKeys = mkOption {
- type = types.bool;
- default = pathExists (./host-keys + "/${hostName}.yaml");
+ services.openssh = {
+ staticHostKeys = mkOption {
+ type = types.bool;
+ default = pathExists (./host-keys + "/${hostName}.yaml");
+ };
+ settings.HostKeyAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp521"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+ "ssh-dss"
+ "ssh-dss-cert-v01@openssh.com"
+ "ssh-rsa"
+ "ssh-rsa-cert-v01@openssh.com"
+ "rsa-sha2-256"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ ];
+ };
+ settings.CASignatureAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp521"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-256"
+ ];
+ };
 };
 };
@@ -24,10 +65,14 @@ in {
 "aes256-ctr"
 ];
 Macs = [
+ "umac-128-etm@openssh.com"
 "hmac-sha2-256-etm@openssh.com"
- "hmac-sha2-256"
 "hmac-sha2-512-etm@openssh.com"
+ "umac-128@openssh.com"
+ "hmac-sha2-256"
 "hmac-sha2-512"
+ "umac-64-etm@openssh.com"
+ "umac-64@openssh.com"
 ];
 KexAlgorithms = [
 "sntrup761x25519-sha512@openssh.com"
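Review bot: The default of the new `settings.HostKeyAlgorithms` option lists `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, i.e. 1024-bit DSA and SHA-1 RSA host-key signatures, which upstream OpenSSH stopped offering by default (DSA since 7.0, `ssh-rsa` since 8.8). A module default is exactly the value that takes effect when no `config` definition applies, so on any host where the curated list further down is not in force the fallback is weaker than stock sshd; dropping those four entries keeps the default no worse than upstream, and the `rsa-sha2-*` entries still serve RSA keys. Both new options also lack a `description`; something like `description = "Host key signature algorithms offered by sshd.";` (and the CA counterpart) documents what the lists control.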
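Review bot: The server `Macs` list in the second hunk now ends with `umac-64-etm@openssh.com` and `umac-64@openssh.com`, whose 64-bit tags are the shortest in the set, and it re-adds the non-ETM forms (`umac-128@openssh.com`, `hmac-sha2-256`, `hmac-sha2-512`) that mainly serve clients without encrypt-then-MAC support; next to a `KexAlgorithms` list pinned to sntrup761/curve25519 these are presumably the weakest entries of the profile, so they deserve either removal or a comment naming the client that needs them. The same eight entries in the same order reappear verbatim as the client-side `macs` in the last hunk; a single `let` binding (e.g. `macs = [ ... ];` beside `cfg`) used by both definitions would keep the two lists from drifting apart.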
@@ -35,7 +80,7 @@ in {
 "curve25519-sha256@libssh.org"
 "diffie-hellman-group-exchange-sha256"
 ];
- HostKeyAlgorithms = concatStringsSep "," [
+ HostKeyAlgorithms = [
 "sk-ssh-ed25519-cert-v01@openssh.com"
 "ssh-ed25519-cert-v01@openssh.com"
 "rsa-sha2-256-cert-v01@openssh.com"
@@ -45,7 +90,7 @@ in {
 "rsa-sha2-256"
 "rsa-sha2-512"
 ];
- CASignatureAlgorithms = concatStringsSep "," [
+ CASignatureAlgorithms = [
 "sk-ssh-ed25519@openssh.com"
 "ssh-ed25519"
 "rsa-sha2-256"
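Review bot: `HostKeyAlgorithms` here and `CASignatureAlgorithms` in the next hunk are now plain list definitions of options typed `types.listOf types.str`, and list options merge by concatenation: a host that sets its own `services.openssh.settings.HostKeyAlgorithms` gets this profile's entries appended to its own instead of replaced, and can only narrow the set with `mkForce`. If these are meant as profile defaults that individual hosts may tighten, define them as `HostKeyAlgorithms = mkDefault [ ... ];` (and likewise for `CASignatureAlgorithms`) so an ordinary host definition wins. Dropping `concatStringsSep ","` also makes the rendered directive depend on the openssh settings format joining lists with commas, whereas a plain `toString` on a Nix list would join with spaces; a one-line comment at the first definition, e.g. `# rendered comma-separated by the openssh settings format`, records that assumption. The enclosing `config` attribute set starts before and ends after these hunks.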
@@ -79,11 +124,46 @@ in {
 ./known-hosts/borgbase.keys
 ];
- ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
- hostKeyAlgorithms = [ "sk-ssh-ed25519-cert-v01@openssh.com" "ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "rsa-sha2-256" "rsa-sha2-512" ];
- kexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
- macs = [ "umac-128-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128@openssh.com" "hmac-sha2-256" "hmac-sha2-512" "umac-64-etm@openssh.com" "umac-64@openssh.com"];
- pubkeyAcceptedKeyTypes = [ "ssh-ed25519-cert-v01@openssh.com" "sk-ssh-ed25519-cert-v01@openssh.com" "rsa-sha2-512-cert-v01@openssh.com" "rsa-sha2-256-cert-v01@openssh.com" "ssh-ed25519" "ssh-rsa" ];
+ ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes256-ctr"
+ ];
+ macs = [
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "hmac-sha2-512-etm@openssh.com"
+ "umac-128@openssh.com"
+ "hmac-sha2-256"
+ "hmac-sha2-512"
+ "umac-64-etm@openssh.com"
+ "umac-64@openssh.com"
+ ];
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ hostKeyAlgorithms = [
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "ssh-ed25519"
+ "rsa-sha2-256"
+ "rsa-sha2-512"
+ ];
+ pubkeyAcceptedKeyTypes = [
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "ssh-ed25519"
+ "ssh-rsa"
+ ];
+
 extraConfig = ''
 Host *
 CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
--
cgit v1.2.3
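Review bot: The client `pubkeyAcceptedKeyTypes` list still ends in `"ssh-rsa"`, the SHA-1 RSA signature algorithm that OpenSSH disables by default on both sides since 8.8, while the non-certificate `rsa-sha2-256`/`rsa-sha2-512` entries that `hostKeyAlgorithms` in the same hunk does list are absent; as written, an RSA user key without a certificate can only be offered with SHA-1 and is refused by an sshd running upstream defaults. Replace that last entry with `"rsa-sha2-512"` and `"rsa-sha2-256"`, keeping `"ssh-rsa"` only if a specific legacy server is known to need it. The new `ciphers`, `macs` and `hostKeyAlgorithms` lists duplicate the server-side `settings.*` lists earlier in the same file entry for entry, so shared `let` bindings would keep client and server policy in sync; the `CASignatureAlgorithms` line in `extraConfig` is likewise the same set as the new `settings.CASignatureAlgorithms` default, hand-joined. The enclosing attribute set begins before this hunk.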