diff options
Diffstat (limited to 'nixos/modules/services/networking/ssh/sshd.nix')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 8828429a8178b..f0fddcca766f0 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -54,8 +54,6 @@ let )); in listToAttrs (map mkAuthKeyFile usersWithKeys); - supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07"; - in { @@ -191,9 +189,6 @@ in default = [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; } { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ] ++ optionals supportOldHostKeys - [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; } - { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; } ]; description = '' NixOS can automatically generate SSH host keys. This option @@ -363,14 +358,21 @@ in HostKey ${k.path} '')} - # Allow DSA client keys for now. (These were deprecated - # in OpenSSH 7.0.) - PubkeyAcceptedKeyTypes +ssh-dss + ### Recommended settings from both: + # https://stribika.github.io/2015/01/04/secure-secure-shell.html + # and + # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 - # Re-enable DSA host keys for now. - ${optionalString supportOldHostKeys '' - HostKeyAlgorithms +ssh-dss - ''} + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com + + # LogLevel VERBOSE logs user's key fingerprint on login. + # Needed to have a clear audit track of which key was used to log in. + LogLevel VERBOSE + + # Use kernel sandbox mechanisms where possible in unprivileged processes. + UsePrivilegeSeparation sandbox ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; |