forked from mirrors/nixpkgs
Merge pull request #39232 from Infinisil/sshd-options
nixos/sshd: add options for kexAlgorithms, ciphers and MACs
This commit is contained in:
commit
e10718f0ff
|
@ -213,6 +213,65 @@ in
|
|||
description = "Files from which authorized keys are read.";
|
||||
};
|
||||
|
||||
kexAlgorithms = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"curve25519-sha256@libssh.org"
|
||||
"diffie-hellman-group-exchange-sha256"
|
||||
];
|
||||
description = ''
|
||||
Allowed key exchange algorithms
|
||||
</para>
|
||||
<para>
|
||||
Defaults to recommended settings from both
|
||||
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
|
||||
and
|
||||
<link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
|
||||
'';
|
||||
};
|
||||
|
||||
ciphers = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"chacha20-poly1305@openssh.com"
|
||||
"aes256-gcm@openssh.com"
|
||||
"aes128-gcm@openssh.com"
|
||||
"aes256-ctr"
|
||||
"aes192-ctr"
|
||||
"aes128-ctr"
|
||||
];
|
||||
description = ''
|
||||
Allowed ciphers
|
||||
</para>
|
||||
<para>
|
||||
Defaults to recommended settings from both
|
||||
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
|
||||
and
|
||||
<link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
|
||||
'';
|
||||
};
|
||||
|
||||
macs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [
|
||||
"hmac-sha2-512-etm@openssh.com"
|
||||
"hmac-sha2-256-etm@openssh.com"
|
||||
"umac-128-etm@openssh.com"
|
||||
"hmac-sha2-512"
|
||||
"hmac-sha2-256"
|
||||
"umac-128@openssh.com"
|
||||
];
|
||||
description = ''
|
||||
Allowed MACs
|
||||
</para>
|
||||
<para>
|
||||
Defaults to recommended settings from both
|
||||
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
|
||||
and
|
||||
<link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
|
||||
'';
|
||||
};
|
||||
|
||||
extraConfig = mkOption {
|
||||
type = types.lines;
|
||||
default = "";
|
||||
|
@ -363,14 +422,9 @@ in
|
|||
HostKey ${k.path}
|
||||
'')}
|
||||
|
||||
### Recommended settings from both:
|
||||
# https://stribika.github.io/2015/01/04/secure-secure-shell.html
|
||||
# and
|
||||
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
|
||||
|
||||
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
|
||||
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
|
||||
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
|
||||
KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
|
||||
Ciphers ${concatStringsSep "," cfg.ciphers}
|
||||
MACs ${concatStringsSep "," cfg.macs}
|
||||
|
||||
# LogLevel VERBOSE logs user's key fingerprint on login.
|
||||
# Needed to have a clear audit track of which key was used to log in.
|
||||
|
|
Loading…
Reference in a new issue