openssh: move Kerberos support into a dedicated package

The `openssh` and `openssh_hpn` packages are now built without
the Kerberos support by default in an effort to reduce the attack surface.

The Kerberos support is likely used only by a fraction of the total users
(I'm guessing mainly users integrating SSH in an Active Directory env) so
dropping it should not impact too many users. It should also be noted that
the Kerberos/GSSAPI auth is disabled by default in the configuration.
`opensshWithKerberos` and `openssh_hpnWithKerberos` are added in order
to provide an easy migration path for users needing this support.

The `openssh_gssapi` package is kept untouched.

1 files changed, 4 insertions, 0 deletions

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index f69a35f0ffedc..1e4e34a4f1675 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -715,6 +715,10 @@ in
 
     assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
                     message = "cannot enable X11 forwarding without setting xauth location";}
+                  { assertion = (builtins.match "(.*\n)?(\t )*[Kk][Ee][Rr][Bb][Ee][Rr][Oo][Ss][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
+                    message = "cannot enable Kerberos authentication without using a package with Kerberos support";}
+                  { assertion = (builtins.match "(.*\n)?(\t )*[Gg][Ss][Ss][Aa][Pp][Ii][Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn][ |\t|=|\"]+yes.*" "${configFile}\n${cfg.extraConfig}") != null -> cfgc.package.withKerberos;
+                    message = "cannot enable GSSAPI authentication without using a package with Kerberos support";}
                   (let
                     duplicates =
                       # Filter out the groups with more than 1 element