| field | value | date |
|---|---|---|
| author | Tom Fitzhenry <tom@tom-fitzhenry.me.uk> | 2024-06-06 23:06:29 +1000 |
| committer | tomf <tom@tom-fitzhenry.me.uk> | 2024-06-08 15:03:08 +1000 |
| commit | 9e4e5d96f16f7539ae8020b4b1ea71ddba9b6f3d (patch) | |
| tree | 69d52d2df8f2ba34d4ed6e6f6b2fe8fefcc30330 | |
| parent | 2542605888a650adf055af93f3d9a0dd0d2a93c0 (diff) | |
tests/openssh: use upstream's algorithms in "no openssl" example
When I initially wrote this test, I wasn't aware that services.openssh could opt into using OpenSSH's default algorithms by just setting the relevant settings to null. That's a better approach since:

* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that want to compile without OpenSSL
-rw-r--r-- | nixos/tests/openssh.nix | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 3929522a39e73..d420c482ca7f2 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -120,12 +120,14 @@ in { { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; settings = { - # Must not specify the OpenSSL provided algorithms. - Ciphers = [ "chacha20-poly1305@openssh.com" ]; - KexAlgorithms = [ - "curve25519-sha256" - "curve25519-sha256@libssh.org" - ]; + # Since this test is against an OpenSSH-without-OpenSSL, + # we have to override NixOS's defaults ciphers (which require OpenSSL) + # and instead set these to null, which will mean OpenSSH uses its defaults. + # Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled + # without OpenSSL. + Ciphers = null; + KexAlgorithms = null; + Macs = null; }; }; users.users.root.openssh.authorizedKeys.keys = [ |
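Review bot: The replacement comment in the `settings` block only mentions "NixOS's defaults ciphers", but the hunk nulls three options (`Ciphers`, `KexAlgorithms` and `Macs`), so reword it to name all three, e.g. `# we have to override NixOS's default Ciphers, KexAlgorithms and Macs (which require OpenSSL)`; while there, "defaults ciphers" should read "default ciphers" and "Expectedly," reads better as "As expected,". It would also help the next reader to state in the comment what `null` does here, namely that services.openssh then omits the directive from sshd_config so sshd falls back to its compiled-in defaults, since that is the behaviour this test now depends on, and the removed line ("Must not specify the OpenSSL provided algorithms") was the only hint of why these options are overridden at all.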