authorSilvan Mosberger <infinisil@icloud.com>2018-04-20 13:27:10 +0200
committerSilvan Mosberger <infinisil@icloud.com>2018-04-20 19:05:19 +0200
commitee3fd4ad53ba1063b6b8178f2753d458ec8c6094 (patch)
tree216c42bedf0bbe43c466d4ad6db030a6200b4155 /nixos/modules/services/networking/ssh
parenta9cd8ef23e0ff0af88c2ed547f8ce1e32b3de74d (diff)
nixos/sshd: add options for kexAlgorithms, ciphers and MACs
Diffstat (limited to 'nixos/modules/services/networking/ssh')
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix70
1 files changed, 62 insertions, 8 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index e50c4dbacf3..aab1203086c 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -213,6 +213,65 @@ in
         description = "Files from which authorized keys are read.";
       };
 
+      kexAlgorithms = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        description = ''
+          Allowed key exchange algorithms
+          </para>
+          <para>
+          Defaults to recommended settings from both
+          <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+          and
+          <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+        '';
+      };
+
+      ciphers = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "chacha20-poly1305@openssh.com"
+          "aes256-gcm@openssh.com"
+          "aes128-gcm@openssh.com"
+          "aes256-ctr"
+          "aes192-ctr"
+          "aes128-ctr"
+        ];
+        description = ''
+          Allowed ciphers
+          </para>
+          <para>
+          Defaults to recommended settings from both
+          <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+          and
+          <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+        '';
+      };
+
+      macs = mkOption {
+        type = types.listOf types.str;
+        default = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
+        description = ''
+          Allowed MACs
+          </para>
+          <para>
+          Defaults to recommended settings from both
+          <link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
+          and
+          <link xlink:href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29" />
+        '';
+      };
+
       extraConfig = mkOption {
         type = types.lines;
         default = "";
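Review bot: `types.listOf types.str` on the three new options accepts an empty list, and the second hunk then renders a bare `KexAlgorithms ` / `Ciphers ` / `MACs ` line with no argument, which sshd will most likely reject at startup rather than fall back to its built-in set, so the failure surfaces as a dead sshd instead of at evaluation time. Using `type = types.nonEmptyListOf types.str;` (if this revision of lib provides it) moves the error to `nixos-rebuild`; alternatively the three lines in the second hunk can each be guarded with `optionalString (cfg.kexAlgorithms != [])` and the like. The descriptions should also make the contract explicit, since the lists are passed to sshd verbatim via `concatStringsSep ","` and any entry dropped from the defaults weakens the hardened set, e.g. `Allowed key exchange algorithms, joined in list order into sshd's KexAlgorithms directive; the default is the hardened set and removing entries weakens it.`. The first sentence of each description is also missing its terminating period.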
@@ -363,14 +422,9 @@ in
           HostKey ${k.path}
         '')}
 
-        ### Recommended settings from both:
-        # https://stribika.github.io/2015/01/04/secure-secure-shell.html
-        # and
-        # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
-
-        KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-        Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-        MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+        KexAlgorithms ${concatStringsSep "," cfg.kexAlgorithms}
+        Ciphers ${concatStringsSep "," cfg.ciphers}
+        MACs ${concatStringsSep "," cfg.macs}
 
         # LogLevel VERBOSE logs user's key fingerprint on login.
         # Needed to have a clear audit track of which key was used to log in.