ssh: deprecate use of old DSA keys

They are not safe and shouldn't be used.
2016-10-06 14:37:38 +08:00 · 2016-10-06 14:37:38 +08:00 · 65b73d71cb
parent 2fdfefa2da
commit 65b73d71cb
1 changed files with 2 additions and 5 deletions
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -363,12 +363,9 @@ in
          HostKey ${k.path}
        '')}

-        # Allow DSA client keys for now. (These were deprecated
-        # in OpenSSH 7.0.)
-        PubkeyAcceptedKeyTypes +ssh-dss
-
-        # Re-enable DSA host keys for now.
        ${optionalString supportOldHostKeys ''
+          # Allow DSA keys for now. (deprecated in OpenSSH 7.0)
+          PubkeyAcceptedKeyTypes +ssh-dss
          HostKeyAlgorithms +ssh-dss
        ''}
      '';