Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1803.xml | 23 | ||||
-rw-r--r-- | nixos/modules/services/misc/matrix-synapse.nix | 25 | ||||
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 26 |
3 files changed, 53 insertions, 21 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index c1fe692ceecba..b0e29182127ef 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,29 @@ following incompatible changes:</para>
 <option>services.pgmanage</option>.
 </para>
 </listitem>
+ <listitem>
+ <para>
+ <emphasis role="strong">
+ The OpenSSH service no longer enables support for DSA keys by default,
+ which could cause a system lock out. Update your keys or, unfavorably,
+ re-enable DSA support manually.
+ </emphasis>
+ </para>
+
+ <para>
+ DSA support was
+ <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+ due to it being too weak. To re-enable support, add
+ <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+ <option>services.openssh.extraConfig</option>.
+ </para>
+
+ <para>
+ After updating the keys to be stronger, anyone still on a pre-17.03
+ version is safe to jump to 17.03, as vetted
+ <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
+ </para>
+ </listitem>
 </itemizedlist>
 </section>
diff --git a/nixos/modules/services/misc/matrix-synapse.nix b/nixos/modules/services/misc/matrix-synapse.nix
index a3ec0ea59f8f0..11463cf4500a9 100644
--- a/nixos/modules/services/misc/matrix-synapse.nix
+++ b/nixos/modules/services/misc/matrix-synapse.nix
@@ -44,7 +44,6 @@ database: {
 }
 event_cache_size: "${cfg.event_cache_size}"
 verbose: ${cfg.verbose}
-log_file: "/var/log/matrix-synapse/homeserver.log"
 log_config: "${logConfigFile}"
 rc_messages_per_second: ${cfg.rc_messages_per_second}
 rc_message_burst_count: ${cfg.rc_message_burst_count}
@@ -53,8 +52,8 @@ federation_rc_sleep_limit: ${cfg.federation_rc_sleep_limit}
 federation_rc_sleep_delay: ${cfg.federation_rc_sleep_delay}
 federation_rc_reject_limit: ${cfg.federation_rc_reject_limit}
 federation_rc_concurrent: ${cfg.federation_rc_concurrent}
-media_store_path: "/var/lib/matrix-synapse/media"
-uploads_path: "/var/lib/matrix-synapse/uploads"
+media_store_path: "${cfg.dataDir}/media"
+uploads_path: "${cfg.dataDir}/uploads"
 max_upload_size: "${cfg.max_upload_size}"
 max_image_pixels: "${cfg.max_image_pixels}"
 dynamic_thumbnails: ${boolToString cfg.dynamic_thumbnails}
@@ -86,7 +85,7 @@ ${optionalString (cfg.macaroon_secret_key != null) ''
 expire_access_token: ${boolToString cfg.expire_access_token}
 enable_metrics: ${boolToString cfg.enable_metrics}
 report_stats: ${boolToString cfg.report_stats}
-signing_key_path: "/var/lib/matrix-synapse/homeserver.signing.key"
+signing_key_path: "${cfg.dataDir}/homeserver.signing.key"
 key_refresh_interval: "${cfg.key_refresh_interval}"
 perspectives:
 servers: {
@@ -348,7 +347,7 @@ in {
 database_args = mkOption {
 type = types.attrs;
 default = {
- database = "/var/lib/matrix-synapse/homeserver.db";
+ database = "${cfg.dataDir}/homeserver.db";
 };
 description = ''
 Arguments to pass to the engine.
@@ -586,6 +585,14 @@ in {
 A yaml python logging config file
 '';
 };
+ dataDir = mkOption {
+ type = types.str;
+ default = "/var/lib/matrix-synapse";
+ description = ''
+ The directory where matrix-synapse stores its stateful data such as
+ certificates, media and uploads.
+ '';
+ };
 };
 };
@@ -593,7 +600,7 @@ in {
 users.extraUsers = [
 { name = "matrix-synapse";
 group = "matrix-synapse";
- home = "/var/lib/matrix-synapse";
+ home = cfg.dataDir;
 createHome = true;
 shell = "${pkgs.bash}/bin/bash";
 uid = config.ids.uids.matrix-synapse;
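Review bot: The new `dataDir` option in the hunk at line 585 is declared as `types.str`, yet its value is spliced unquoted into the preStart shell fragment and into the YAML config in the sibling hunks, so a value containing whitespace or quote characters produces a broken command line or config file instead of an evaluation error. Declaring it as `types.path` and quoting the shell use, `--keys-directory "${cfg.dataDir}" \`, restricts the option to well-formed absolute paths and keeps word splitting out of the key-generation step. The same unquoted interpolation appears in the hunks at lines 52, 85, 347 and 618. The option description could also mention that the directory doubles as the service user's home (the hunk at line 600 sets `home = cfg.dataDir` with `createHome = true`), which presumably is what determines its ownership and mode.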
@@ -611,16 +618,16 @@ in {
 preStart = ''
 ${cfg.package}/bin/homeserver \
 --config-path ${configFile} \
- --keys-directory /var/lib/matrix-synapse \
+ --keys-directory ${cfg.dataDir} \
 --generate-keys
 '';
 serviceConfig = {
 Type = "simple";
 User = "matrix-synapse";
 Group = "matrix-synapse";
- WorkingDirectory = "/var/lib/matrix-synapse";
+ WorkingDirectory = cfg.dataDir;
 PermissionsStartOnly = true;
- ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory /var/lib/matrix-synapse";
+ ExecStart = "${cfg.package}/bin/homeserver --config-path ${configFile} --keys-directory ${cfg.dataDir}";
 Restart = "on-failure";
 };
 };
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 8828429a8178b..6c4dcfeda064b 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -54,8 +54,6 @@ let
 ));
 in listToAttrs (map mkAuthKeyFile usersWithKeys);
- supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
-
 in
 {
@@ -191,9 +189,6 @@ in
 default = [
 { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
 { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
- ] ++ optionals supportOldHostKeys
- [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
- { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
 ];
 description = ''
 NixOS can automatically generate SSH host keys. This option
@@ -363,14 +358,21 @@ in
 HostKey ${k.path}
 '')}
- # Allow DSA client keys for now. (These were deprecated
- # in OpenSSH 7.0.)
- PubkeyAcceptedKeyTypes +ssh-dss
+ ### Recommended settings from both:
+ # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+ # and
+ # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
- # Re-enable DSA host keys for now.
- ${optionalString supportOldHostKeys ''
- HostKeyAlgorithms +ssh-dss
- ''}
+ KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+ # LogLevel VERBOSE logs user's key fingerprint on login.
+ # Needed to have a clear audit track of which key was used to log in.
+ LogLevel VERBOSE
+
+ # Use kernel sandbox mechanisms where possible in unprivileged processes.
+ UsePrivilegeSeparation sandbox
 '';
 assertions = [{
 assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; |
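Review bot: The added `MACs` line lists `hmac-ripemd160-etm@openssh.com` and `hmac-ripemd160`, which OpenSSH dropped in release 7.6; as far as I know sshd treats an unknown name in `MACs` as a fatal config error, so on a system shipping that release or newer this hardening would itself cause the remote lock-out the release note warns about. Dropping the two entries gives `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com`, and a short comment tying the lists to the packaged OpenSSH version would help the next person who edits them. Since sshd honours the first occurrence of a keyword, hard-coding `KexAlgorithms`, `Ciphers` and `MACs` here also means they presumably cannot be relaxed from `services.openssh.extraConfig` if that text is emitted later in the same file, which is worth either documenting or turning the three lists into options. The `extraConfig` string and the enclosing `config` block continue outside the hunk.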