authorYarny0 <41838844+Yarny0@users.noreply.github.com>2023-08-15 14:44:16 +0200
committerYarny0 <41838844+Yarny0@users.noreply.github.com>2023-09-05 11:34:09 +0200
commitbbefd70784df8580d34c868858c61462b1b2d616 (patch)
treebf2d621f217bc3f49176a533509d68c1d9b34eca /nixos/modules
parente56990880811a451abd32515698c712788be5720 (diff)
nixos/sshd: avoid mock host key, permit `RequiredRSASize`
With this commit, the validation of `sshd_config`
is performed with `sshd -G` instead of `sshd -t`.
The former does not require a valid host key.
Checking the host key was never useful for us:
We just generated a dummy host key to
make the validation mechanism happy.
With this change the dummy key is no longer needed.

This change not only saves some CPU cycles
(it avoids generating an RSA key during the build),
it also makes it possible to set `RequiredRSASize` to a value
larger than the current default RSA key size (3072),
which previously failed because the mock host key was rejected.
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix3
1 files changed, 1 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index e75239e059d3b..702423ef09cd0 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -33,8 +33,7 @@ let
     ${cfg.extraConfig}
     EOL
 
-    ssh-keygen -q -f mock-hostkey -N ""
-    sshd -t -f $out -h mock-hostkey
+    sshd -G -f $out
   '';
 
   cfg  = config.services.openssh;
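Review bot: The new `sshd -G -f $out` line prints the whole effective configuration to stdout, which in this derivation ends up in the build log every time the config is rebuilt; if only the validity check is wanted, `sshd -G -f $out >/dev/null` keeps the log to errors only. The reason for preferring `-G` over `-t` is also worth recording next to the call, since a future reader may be tempted to reinstate `-t`: `# -G validates the config without loading host keys (unlike -t), so no mock key is needed and RequiredRSASize may exceed the default key size.` Note that `-t` additionally checked host-key sanity, and that check is now gone, which appears intentional given the description but is no longer exercised anywhere in this derivation as far as the hunk shows. The enclosing `let` binding that builds the validated config begins outside the hunk.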