From 247ed8fb020b0fc8680d7b811a26a690d5bf8e43 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Mon, 20 Mar 2023 12:05:40 +0100
Subject: ...

---
 system-profiles/openssh/default.nix | 156 ++++++++++++++++++------------------
 1 file changed, 79 insertions(+), 77 deletions(-)


diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8960fbb0..a989733f 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -4,6 +4,52 @@ with lib;
 
 let
   cfg = config.services.openssh;
+
+  Ciphers = [
+    "chacha20-poly1305@openssh.com"
+    "aes256-gcm@openssh.com"
+    "aes256-ctr"
+  ];
+  Macs = [
+    "umac-128-etm@openssh.com"
+    "hmac-sha2-256-etm@openssh.com"
+    "hmac-sha2-512-etm@openssh.com"
+    "umac-128@openssh.com"
+    "hmac-sha2-256"
+    "hmac-sha2-512"
+    "umac-64-etm@openssh.com"
+    "umac-64@openssh.com"
+  ];
+  KexAlgorithms = [
+    "sntrup761x25519-sha512@openssh.com"
+    "curve25519-sha256"
+    "curve25519-sha256@libssh.org"
+    "diffie-hellman-group-exchange-sha256"
+  ];
+  HostKeyAlgorithms = [
+    "sk-ssh-ed25519-cert-v01@openssh.com"
+    "ssh-ed25519-cert-v01@openssh.com"
+    "rsa-sha2-256-cert-v01@openssh.com"
+    "rsa-sha2-512-cert-v01@openssh.com"
+    "sk-ssh-ed25519@openssh.com"
+    "ssh-ed25519"
+    "rsa-sha2-256"
+    "rsa-sha2-512"
+  ];
+  CASignatureAlgorithms = [
+    "sk-ssh-ed25519@openssh.com"
+    "ssh-ed25519"
+    "rsa-sha2-256"
+    "rsa-sha2-512"
+  ];
+  PubkeyAcceptedAlgorithms = [
+    "ssh-ed25519-cert-v01@openssh.com"
+    "sk-ssh-ed25519-cert-v01@openssh.com"
+    "rsa-sha2-512-cert-v01@openssh.com"
+    "rsa-sha2-256-cert-v01@openssh.com"
+    "ssh-ed25519"
+    "ssh-rsa"
+  ];
 in {
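Review bot: The new `PubkeyAcceptedAlgorithms` binding (L58–L65) still lists `"ssh-rsa"`, the RSA-with-SHA-1 signature algorithm that OpenSSH disables by default since 8.8, while every other list here is restricted to ed25519 and rsa-sha2. Because later hunks feed this one list to both the server `settings` and the client `pubkeyAcceptedKeyTypes`, the SHA-1 algorithm is re-enabled on both sides, which the other lists deliberately avoid. If a specific peer still requires it, say so next to the entry, e.g. `"ssh-rsa" # SHA-1 signatures; kept only for <legacy peer — placeholder>, drop once it is upgraded`; otherwise remove the entry so the binding matches the policy of `HostKeyAlgorithms` and `CASignatureAlgorithms`.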
   options = {
     services.openssh = {
@@ -50,6 +96,32 @@ in {
           "rsa-sha2-256"
         ];
       };
+      settings.PubkeyAcceptedAlgorithms = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "ssh-ed25519"
+          "ssh-ed25519-cert-v01@openssh.com"
+          "sk-ssh-ed25519@openssh.com"
+          "sk-ssh-ed25519-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp256"
+          "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp384"
+          "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+          "ecdsa-sha2-nistp521"
+          "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+          "sk-ecdsa-sha2-nistp256@openssh.com"
+          "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+          "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+          "ssh-dss"
+          "ssh-dss-cert-v01@openssh.com"
+          "ssh-rsa"
+          "ssh-rsa-cert-v01@openssh.com"
+          "rsa-sha2-256"
+          "rsa-sha2-256-cert-v01@openssh.com"
+          "rsa-sha2-512"
+          "rsa-sha2-512-cert-v01@openssh.com"
+        ];
+      };
     };
   };
 
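Review bot: The default of the new `settings.PubkeyAcceptedAlgorithms` option (L76–L96) includes `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, i.e. the DSA and SHA-1 signature algorithms that OpenSSH disables by default, whereas the let-bound list of the same name in the first hunk and the neighbouring option above (`"rsa-sha2-256"`, L70) restrict to ed25519/rsa-sha2. Nothing in this patch reads `cfg.settings.PubkeyAcceptedAlgorithms`, and the third hunk sets `settings` from the let-bound list unconditionally under `cfg.enable`, so this default appears never to take effect unless a user defines the option — it is probably dead, and if not, it silently widens the accepted algorithms. Note also that `services.openssh.settings` is itself an option of the upstream module, so declaring a nested option beneath it may be rejected at evaluation time — verify that the module evaluates. Either drop the option or trim its default to the let-bound list and add `description = "Signature algorithms accepted for public-key authentication; SHA-1 and DSA algorithms (ssh-rsa, ssh-dss) are intentionally excluded.";`. The enclosing `options` attribute set starts outside this hunk.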
@@ -59,43 +131,7 @@ in {
     services.openssh = mkIf cfg.enable {
       hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
       settings = {
-        Ciphers = [
-          "chacha20-poly1305@openssh.com"
-          "aes256-gcm@openssh.com"
-          "aes256-ctr"
-        ];
-        Macs = [
-          "umac-128-etm@openssh.com"
-          "hmac-sha2-256-etm@openssh.com"
-          "hmac-sha2-512-etm@openssh.com"
-          "umac-128@openssh.com"
-          "hmac-sha2-256"
-          "hmac-sha2-512"
-          "umac-64-etm@openssh.com"
-          "umac-64@openssh.com"
-        ];
-        KexAlgorithms = [
-          "sntrup761x25519-sha512@openssh.com"
-          "curve25519-sha256"
-          "curve25519-sha256@libssh.org"
-          "diffie-hellman-group-exchange-sha256"
-        ];
-        HostKeyAlgorithms = [
-          "sk-ssh-ed25519-cert-v01@openssh.com"
-          "ssh-ed25519-cert-v01@openssh.com"
-          "rsa-sha2-256-cert-v01@openssh.com"
-          "rsa-sha2-512-cert-v01@openssh.com"
-          "sk-ssh-ed25519@openssh.com"
-          "ssh-ed25519"
-          "rsa-sha2-256"
-          "rsa-sha2-512"
-        ];
-        CASignatureAlgorithms = [
-          "sk-ssh-ed25519@openssh.com"
-          "ssh-ed25519"
-          "rsa-sha2-256"
-          "rsa-sha2-512"
-        ];
+        inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubKeyAcceptedAlgorithms;
 
         LogLevel = "VERBOSE";
         RevokedKeys = "/etc/ssh/krl.bin";
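Review bot: `inherit ... PubKeyAcceptedAlgorithms` at L143 spells the name with a capital K, but the binding introduced in the first hunk is `PubkeyAcceptedAlgorithms` (lowercase k); Nix identifiers are case-sensitive, so this line fails with an undefined-variable error, and the same misspelling appears in the last hunk at `pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;` (L194). Change both to `inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;` and `pubkeyAcceptedKeyTypes = PubkeyAcceptedAlgorithms;`. Keep in mind that the inherited attribute name is also the attribute written into `settings`, so after the fix it coincides with the option declared in the previous hunk and overrides that option's default; that is presumably intended, but worth confirming. The enclosing `config` attribute set begins outside this hunk.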
@@ -124,49 +160,15 @@ in {
         ./known-hosts/borgbase.keys
       ];
 
-      ciphers = [
-        "chacha20-poly1305@openssh.com"
-        "aes256-gcm@openssh.com"
-        "aes256-ctr"
-      ];
-      macs = [
-        "umac-128-etm@openssh.com"
-        "hmac-sha2-256-etm@openssh.com"
-        "hmac-sha2-512-etm@openssh.com"
-        "umac-128@openssh.com"
-        "hmac-sha2-256"
-        "hmac-sha2-512"
-        "umac-64-etm@openssh.com"
-        "umac-64@openssh.com"
-      ];
-      kexAlgorithms = [
-        "sntrup761x25519-sha512@openssh.com"
-        "curve25519-sha256"
-        "curve25519-sha256@libssh.org"
-        "diffie-hellman-group-exchange-sha256"
-      ];
-      hostKeyAlgorithms = [
-        "sk-ssh-ed25519-cert-v01@openssh.com"
-        "ssh-ed25519-cert-v01@openssh.com"
-        "rsa-sha2-256-cert-v01@openssh.com"
-        "rsa-sha2-512-cert-v01@openssh.com"
-        "sk-ssh-ed25519@openssh.com"
-        "ssh-ed25519"
-        "rsa-sha2-256"
-        "rsa-sha2-512"
-      ];
-      pubkeyAcceptedKeyTypes = [
-        "ssh-ed25519-cert-v01@openssh.com"
-        "sk-ssh-ed25519-cert-v01@openssh.com"
-        "rsa-sha2-512-cert-v01@openssh.com"
-        "rsa-sha2-256-cert-v01@openssh.com"
-        "ssh-ed25519"
-        "ssh-rsa"
-      ];
+      ciphers = Ciphers;
+      macs = Macs;
+      kexAlgorithms = KexAlgorithms;
+      hostKeyAlgorithms = HostKeyAlgorithms;
+      pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;
 
       extraConfig = ''
         Host *
-          CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+          CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
           PasswordAuthentication no
           KbdInteractiveAuthentication no
       '';
-- 
cgit v1.2.3