From bbefd70784df8580d34c868858c61462b1b2d616 Mon Sep 17 00:00:00 2001
From: Yarny0 <41838844+Yarny0@users.noreply.github.com>
Date: Tue, 15 Aug 2023 14:44:16 +0200
Subject: nixos/sshd: avoid mock host key, permit `RequiredRSASize`
With this commit, the validation of `sshd_config` is performed with `sshd -G` instead of `sshd -t`. The former does not require a valid host key. Checking the host key was never useful for us: We just generated a dummy host key to make the validation mechanism happy. With this change the dummy key is no longer needed. This change not only saves some CPU cycles (avoid the generation of an RSA key), but it also permits to set `RequiredRSASize` to a value larger than the current rsa key default size (3072).
---
 nixos/modules/services/networking/ssh/sshd.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'nixos/modules')
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index e75239e059d3b..702423ef09cd0 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -33,8 +33,7 @@ let
 ${cfg.extraConfig}
 EOL
- ssh-keygen -q -f mock-hostkey -N ""
- sshd -t -f $out -h mock-hostkey
+ sshd -G -f $out
 '';
 cfg = config.services.openssh;
-- cgit 1.4.1
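Review bot: The new `sshd -G -f $out` line prints the whole effective configuration to stdout, so every evaluation of this derivation now dumps the rendered sshd_config into the build log even though only the exit status is used; `sshd -G -f $out >/dev/null` keeps the check silent while preserving the validation. The switch also silently drops the one thing `-t` did beyond parsing, namely confirming that a host key can be loaded, which is now only detected when the service starts rather than at build time; a short comment such as `# -G only checks config syntax (no host key needed); unreadable HostKey files are caught at service start` would make that trade-off explicit to the next maintainer. `-G` exists only in OpenSSH releases that support it, so if this module can be built against an older `openssh` package variant the check would fail there (inferred; the package choice is outside the hunk). The enclosing `let` block continues outside the hunk.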