Merge branch 'master' into staging

* master: (80 commits) lkl: Supports aarch64 wimlib: nitpicks gitAndTools.git-codeowners: 0.1.1 -> 0.1.2 wimlib: init at 1.12.0 kernel: improve modDirVersion error message releaseTools.sourceTarball: Clean up temporary files dotnetPackages.SmartIrc4net: rehash source migmix: make it a fixed-output derivation vm: Create /dev/full samba: 4.6.8 -> 4.6.11 to address CVEs CVE-2017-14746 & CVE-2017-15275 microcodeIntel: 20170707 -> 20171117 sshd: Remove ripemd160 MACs kernel config: Enable MEDIA_CONTROLLER linux: 4.4.99 -> 4.4.100 linux: 4.9.63 -> 4.9.64 nix-bash-completions: 0.4 -> 0.5 linux: 4.14 -> 4.14.1 linux: 4.13.14 -> 4.13.15 nix-zsh-completions: 0.3.3 -> 0.3.5 dns-root-data: use a stable URL that I maintain anyway ...
author: Orivej Desh <orivej@gmx.fr> 2017-11-21 22:48:36 +0000
committer: Orivej Desh <orivej@gmx.fr> 2017-11-21 22:48:36 +0000
commit: b8e1e7191e99af29125fbb37f42cb68f43af800c (patch)
tree: 1ca52bd4c93d50473ebdb7cebc7721140e84a924 /nixos
parent: 71a2a5ae40b2b94150365bb846fb78b620562df8 (diff)
parent: 91d2cf96424cc5209d3cf799bc2b4fa52af34596 (diff)
3 files changed, 40 insertions, 14 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index c1fe692ceecba..b0e29182127ef 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,29 @@ following incompatible changes:</para>
       <option>services.pgmanage</option>.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      <emphasis role="strong">
+        The OpenSSH service no longer enables support for DSA keys by default,
+        which could cause a system lock out. Update your keys or, unfavorably,
+        re-enable DSA support manually.
+      </emphasis>
+    </para>
+
+    <para>
+      DSA support was
+      <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+      due to it being too weak. To re-enable support, add
+      <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+      <option>services.openssh.extraConfig</option>.
+    </para>
+
+    <para>
+      After updating the keys to be stronger, anyone still on a pre-17.03
+      version is safe to jump to 17.03, as vetted
+      <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
+    </para>
+  </listitem>
 </itemizedlist>
 
 </section>
diff --git a/nixos/modules/programs/bash/bash.nix b/nixos/modules/programs/bash/bash.nix
index e23849d350b4c..ef1acdfe66e60 100644
--- a/nixos/modules/programs/bash/bash.nix
+++ b/nixos/modules/programs/bash/bash.nix
@@ -197,8 +197,9 @@ in
         fi
       '';
 
-    # Configuration for readline in bash.
-    environment.etc."inputrc".source = ./inputrc;
+    # Configuration for readline in bash. We use "option default"
+    # priority to allow user override using both .text and .source.
+    environment.etc."inputrc".source = mkOptionDefault ./inputrc;
 
     users.defaultUserShell = mkDefault pkgs.bashInteractive;
 
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 8828429a8178b..f0fddcca766f0 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -54,8 +54,6 @@ let
     ));
   in listToAttrs (map mkAuthKeyFile usersWithKeys);
 
-  supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
-
 in
 
 {
@@ -191,9 +189,6 @@ in
         default =
           [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
             { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-          ] ++ optionals supportOldHostKeys
-          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
-            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
           ];
         description = ''
           NixOS can automatically generate SSH host keys.  This option
@@ -363,14 +358,21 @@ in
           HostKey ${k.path}
         '')}
 
-        # Allow DSA client keys for now. (These were deprecated
-        # in OpenSSH 7.0.)
-        PubkeyAcceptedKeyTypes +ssh-dss
+        ### Recommended settings from both:
+        # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+        # and
+        # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
 
-        # Re-enable DSA host keys for now.
-        ${optionalString supportOldHostKeys ''
-          HostKeyAlgorithms +ssh-dss
-        ''}
+        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+        # LogLevel VERBOSE logs user's key fingerprint on login.
+        # Needed to have a clear audit track of which key was used to log in.
+        LogLevel VERBOSE
+
+        # Use kernel sandbox mechanisms where possible in unprivileged processes.
+        UsePrivilegeSeparation sandbox
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
author	Orivej Desh <orivej@gmx.fr>	2017-11-21 22:48:36 +0000
committer	Orivej Desh <orivej@gmx.fr>	2017-11-21 22:48:36 +0000
commit	b8e1e7191e99af29125fbb37f42cb68f43af800c (patch)
tree	1ca52bd4c93d50473ebdb7cebc7721140e84a924 /nixos
parent	71a2a5ae40b2b94150365bb846fb78b620562df8 (diff)
parent	91d2cf96424cc5209d3cf799bc2b4fa52af34596 (diff)