From ec80c928255b3886aa2268398ccbbe4279004cff Mon Sep 17 00:00:00 2001
From: jeaye <contact@jeaye.com>
Date: Thu, 16 Nov 2017 20:16:06 -0800
Subject: [PATCH 1/3] nixos/ssh: Remove support for old host keys

---
 nixos/modules/services/networking/ssh/sshd.nix | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 8828429a8178..a249f0142176 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -54,8 +54,6 @@ let
     ));
   in listToAttrs (map mkAuthKeyFile usersWithKeys);
 
-  supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
-
 in
 
 {
@@ -191,9 +189,6 @@ in
         default =
           [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
             { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-          ] ++ optionals supportOldHostKeys
-          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
-            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
           ];
         description = ''
           NixOS can automatically generate SSH host keys.  This option
@@ -363,14 +358,6 @@ in
           HostKey ${k.path}
         '')}
 
-        # Allow DSA client keys for now. (These were deprecated
-        # in OpenSSH 7.0.)
-        PubkeyAcceptedKeyTypes +ssh-dss
-
-        # Re-enable DSA host keys for now.
-        ${optionalString supportOldHostKeys ''
-          HostKeyAlgorithms +ssh-dss
-        ''}
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

From 2a8bd9e2a11a8e69448682d8f8289ea021246354 Mon Sep 17 00:00:00 2001
From: jeaye <contact@jeaye.com>
Date: Thu, 16 Nov 2017 20:19:42 -0800
Subject: [PATCH 2/3] nixos/ssh: Harden config defaults

---
 nixos/modules/services/networking/ssh/sshd.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index a249f0142176..6c4dcfeda064 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -358,6 +358,21 @@ in
           HostKey ${k.path}
         '')}
 
+        ### Recommended settings from both:
+        # https://stribika.github.io/2015/01/04/secure-secure-shell.html
+        # and
+        # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
+
+        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
+
+        # LogLevel VERBOSE logs user's key fingerprint on login.
+        # Needed to have a clear audit track of which key was used to log in.
+        LogLevel VERBOSE
+
+        # Use kernel sandbox mechanisms where possible in unprivileged processes.
+        UsePrivilegeSeparation sandbox
       '';
 
     assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;

From 03f7adfdd13ba04619ab6e6bdb7448894494c58e Mon Sep 17 00:00:00 2001
From: jeaye <contact@jeaye.com>
Date: Sat, 18 Nov 2017 15:26:05 -0800
Subject: [PATCH 3/3] nixos/ssh: Update 18.03 release notes

Since ssh-dss is no longer supported by default, users relying on those
keys for their login may be locked out. They should ideally use stronger
keys, but adding the support for ssh-dss back in can also be done
through extraConfig.
---
 nixos/doc/manual/release-notes/rl-1803.xml | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-1803.xml b/nixos/doc/manual/release-notes/rl-1803.xml
index c1fe692ceecb..b0e29182127e 100644
--- a/nixos/doc/manual/release-notes/rl-1803.xml
+++ b/nixos/doc/manual/release-notes/rl-1803.xml
@@ -72,6 +72,29 @@ following incompatible changes:</para>
       <option>services.pgmanage</option>.
     </para>
   </listitem>
+  <listitem>
+    <para>
+      <emphasis role="strong">
+        The OpenSSH service no longer enables support for DSA keys by default,
+        which could cause a system lock out. Update your keys or, unfavorably,
+        re-enable DSA support manually.
+      </emphasis>
+    </para>
+
+    <para>
+      DSA support was
+      <link xlink:href="https://www.openssh.com/legacy.html">deprecated in OpenSSH 7.0</link>,
+      due to it being too weak. To re-enable support, add
+      <literal>PubkeyAcceptedKeyTypes +ssh-dss</literal> to the end of your
+      <option>services.openssh.extraConfig</option>.
+    </para>
+
+    <para>
+      After updating the keys to be stronger, anyone still on a pre-17.03
+      version is safe to jump to 17.03, as vetted
+      <link xlink:href="https://search.nix.gsc.io/?q=stateVersion">here</link>.
+    </para>
+  </listitem>
 </itemizedlist>
 
 </section>