From 9e4e5d96f16f7539ae8020b4b1ea71ddba9b6f3d Mon Sep 17 00:00:00 2001
From: Tom Fitzhenry
Date: Thu, 6 Jun 2024 23:06:29 +1000
Subject: tests/openssh: use upstream's algorithms in "no openssl" example

When I initially wrote this test, I wasn't aware that services.openssh could opt into using OpenSSH's default algorithms by just setting the relevant settings to null.

That's a better approach since:

* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that want to compile without OpenSSL
---
 nixos/tests/openssh.nix | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'nixos/tests')

diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 3929522a39e73..d420c482ca7f2 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -120,12 +120,14 @@ in {
           { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
         ];
         settings = {
-          # Must not specify the OpenSSL provided algorithms.
-          Ciphers = [ "chacha20-poly1305@openssh.com" ];
-          KexAlgorithms = [
-            "curve25519-sha256"
-            "curve25519-sha256@libssh.org"
-          ];
+          # Since this test is against an OpenSSH-without-OpenSSL,
+          # we have to override NixOS's defaults ciphers (which require OpenSSL)
+          # and instead set these to null, which will mean OpenSSH uses its defaults.
+          # Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
+          # without OpenSSL.
+          Ciphers = null;
+          KexAlgorithms = null;
+          Macs = null;
         };
       };
       users.users.root.openssh.authorizedKeys.keys = [
-- 
cgit 1.4.1
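Review bot: The new comment block presents `Ciphers = null; KexAlgorithms = null; Macs = null;` as the example to copy for OpenSSL-less builds, but it does not say that null also drops NixOS's deliberately narrower algorithm lists in favour of upstream's, which are (to my knowledge, and worth confirming against the sshd version in use) broader — e.g. upstream's default Macs still admit SHA-1 and 64-bit-tag MACs that the NixOS defaults exclude. Since the commit message explicitly wants this hunk to serve as the reference example, the trade-off belongs in the comment so a reader does not copy `null` into an OpenSSL-linked deployment expecting equivalent hardening; I would add `# Note: null means upstream defaults, which are broader than NixOS's hardened lists; only do this when the build really lacks OpenSSL.` after the existing comment. The old version pinned the exact algorithms exercised, whereas the new one relies on upstream's defaults remaining OpenSSL-free, so the test now depends on an unstated invariant of the OpenSSH build; the commit message's claim of "test coverage for the null case" would be firmer if the test also asserted (e.g. via `sshd -T`) that the resulting server still negotiates a non-empty, OpenSSL-free cipher/kex/mac set. Minor wording in the added comment: `NixOS's defaults ciphers` should read `NixOS's default ciphers`, and the comment says "ciphers" although it also covers KexAlgorithms and Macs. The enclosing `settings` attribute set is fully visible, but the surrounding `services.openssh` block starts before the hunk.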