From 247ed8fb020b0fc8680d7b811a26a690d5bf8e43 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Mon, 20 Mar 2023 12:05:40 +0100 Subject: ... --- system-profiles/openssh/default.nix | 156 ++++++++++++++++++------------------ 1 file changed, 79 insertions(+), 77 deletions(-) (limited to 'system-profiles')
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index 8960fbb0..a989733f 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -4,6 +4,52 @@ with lib; let cfg = config.services.openssh;
+
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes256-ctr"
+ ];
+ Macs = [
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "hmac-sha2-512-etm@openssh.com"
+ "umac-128@openssh.com"
+ "hmac-sha2-256"
+ "hmac-sha2-512"
+ "umac-64-etm@openssh.com"
+ "umac-64@openssh.com"
+ ];
+ KexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ HostKeyAlgorithms = [
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "ssh-ed25519"
+ "rsa-sha2-256"
+ "rsa-sha2-512"
+ ];
+ CASignatureAlgorithms = [
+ "sk-ssh-ed25519@openssh.com"
+ "ssh-ed25519"
+ "rsa-sha2-256"
+ "rsa-sha2-512"
+ ];
+ PubkeyAcceptedAlgorithms = [
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "ssh-ed25519"
+ "ssh-rsa"
+ ];
 in {
 options = {
 services.openssh = {
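Review bot: The new `PubkeyAcceptedAlgorithms` binding lists `"ssh-rsa"` (RSA with SHA-1) but neither `rsa-sha2-256` nor `rsa-sha2-512` for plain keys, so a non-certificate RSA key can only authenticate with a SHA-1 signature. Before this commit the list was used only for the client's `pubkeyAcceptedKeyTypes`; the `inherit` in the third hunk presumably carries it into the sshd configuration as well. `HostKeyAlgorithms` and `CASignatureAlgorithms` in the same `let` already restrict RSA to SHA-2, so replacing the entry with `"rsa-sha2-512"` and `"rsa-sha2-256"` would make the lists agree. If some peer really needs SHA-1, a separate client-only list with a comment naming that peer keeps it out of the server settings. The `let` block starts before this hunk.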
@@ -50,6 +96,32 @@ in {
 "rsa-sha2-256"
 ];
 };
+ settings.PubkeyAcceptedAlgorithms = mkOption {
+ type = types.listOf types.str;
+ default = [
+ "ssh-ed25519"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp256"
+ "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp384"
+ "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+ "ecdsa-sha2-nistp521"
+ "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+ "sk-ecdsa-sha2-nistp256@openssh.com"
+ "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+ "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
+ "ssh-dss"
+ "ssh-dss-cert-v01@openssh.com"
+ "ssh-rsa"
+ "ssh-rsa-cert-v01@openssh.com"
+ "rsa-sha2-256"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ ];
+ };
 };
 };
@@ -59,43 +131,7 @@ in {
 services.openssh = mkIf cfg.enable {
 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
 settings = {
- Ciphers = [
- "chacha20-poly1305@openssh.com"
- "aes256-gcm@openssh.com"
- "aes256-ctr"
- ];
- Macs = [
- "umac-128-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "hmac-sha2-512-etm@openssh.com"
- "umac-128@openssh.com"
- "hmac-sha2-256"
- "hmac-sha2-512"
- "umac-64-etm@openssh.com"
- "umac-64@openssh.com"
- ];
- KexAlgorithms = [
- "sntrup761x25519-sha512@openssh.com"
- "curve25519-sha256"
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group-exchange-sha256"
- ];
- HostKeyAlgorithms = [
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "ssh-ed25519-cert-v01@openssh.com"
- "rsa-sha2-256-cert-v01@openssh.com"
- "rsa-sha2-512-cert-v01@openssh.com"
- "sk-ssh-ed25519@openssh.com"
- "ssh-ed25519"
- "rsa-sha2-256"
- "rsa-sha2-512"
- ];
- CASignatureAlgorithms = [
- "sk-ssh-ed25519@openssh.com"
- "ssh-ed25519"
- "rsa-sha2-256"
- "rsa-sha2-512"
- ];
+ inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubKeyAcceptedAlgorithms;
 LogLevel = "VERBOSE";
 RevokedKeys = "/etc/ssh/krl.bin";
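Review bot: The `default` of `settings.PubkeyAcceptedAlgorithms` includes `ssh-dss`, `ssh-dss-cert-v01@openssh.com`, `ssh-rsa` and `ssh-rsa-cert-v01@openssh.com`, so any configuration that ends up without an explicit definition falls back to accepting DSA and SHA-1 RSA signatures. The hardened list is already bound in the `let` of the first hunk, so `default = PubkeyAcceptedAlgorithms;` would make the fallback fail closed; at minimum those four entries should be dropped. The enclosing `options` block starts and ends outside this hunk.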
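Review bot: `PubKeyAcceptedAlgorithms` on the `inherit` line is not bound anywhere visible: the `let` in the first hunk and the option in the second both spell it `PubkeyAcceptedAlgorithms`, and Nix identifiers are case-sensitive, so evaluation should fail with an undefined variable. The same spelling is used in the last hunk at `pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;`. The uses should read `inherit Ciphers Macs KexAlgorithms HostKeyAlgorithms CASignatureAlgorithms PubkeyAcceptedAlgorithms;` and `pubkeyAcceptedKeyTypes = PubkeyAcceptedAlgorithms;`. Renaming the binding instead would presumably set an undeclared `settings.PubKeyAcceptedAlgorithms` and leave the declared option on its permissive default. The `settings` attribute set continues past this hunk.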
@@ -124,49 +160,15 @@ in {
 ./known-hosts/borgbase.keys
 ];
- ciphers = [
- "chacha20-poly1305@openssh.com"
- "aes256-gcm@openssh.com"
- "aes256-ctr"
- ];
- macs = [
- "umac-128-etm@openssh.com"
- "hmac-sha2-256-etm@openssh.com"
- "hmac-sha2-512-etm@openssh.com"
- "umac-128@openssh.com"
- "hmac-sha2-256"
- "hmac-sha2-512"
- "umac-64-etm@openssh.com"
- "umac-64@openssh.com"
- ];
- kexAlgorithms = [
- "sntrup761x25519-sha512@openssh.com"
- "curve25519-sha256"
- "curve25519-sha256@libssh.org"
- "diffie-hellman-group-exchange-sha256"
- ];
- hostKeyAlgorithms = [
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "ssh-ed25519-cert-v01@openssh.com"
- "rsa-sha2-256-cert-v01@openssh.com"
- "rsa-sha2-512-cert-v01@openssh.com"
- "sk-ssh-ed25519@openssh.com"
- "ssh-ed25519"
- "rsa-sha2-256"
- "rsa-sha2-512"
- ];
- pubkeyAcceptedKeyTypes = [
- "ssh-ed25519-cert-v01@openssh.com"
- "sk-ssh-ed25519-cert-v01@openssh.com"
- "rsa-sha2-512-cert-v01@openssh.com"
- "rsa-sha2-256-cert-v01@openssh.com"
- "ssh-ed25519"
- "ssh-rsa"
- ];
+ ciphers = Ciphers;
+ macs = Macs;
+ kexAlgorithms = KexAlgorithms;
+ hostKeyAlgorithms = HostKeyAlgorithms;
+ pubkeyAcceptedKeyTypes = PubKeyAcceptedAlgorithms;
 extraConfig = ''
 Host *
- CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512
+ CASignatureAlgorithms ${concatStringsSep "," CASignatureAlgorithms}
 PasswordAuthentication no
 KbdInteractiveAuthentication no
 '';
-- cgit v1.2.3