From 387b9bf352851c8ec200030f3d4a79c3fac843de Mon Sep 17 00:00:00 2001
From: Alyssa Ross
Date: Tue, 7 Apr 2020 13:07:03 +0000
Subject: [PATCH] nixos/ssh: don't accept ssh-dss keys

These have been deprecated long enough. I think this default was even made non-functional by 2337c7522af3b186d4d7ecefe9e19c33aafc6626. But it's still a scary thing to see there.

Fixes https://github.com/NixOS/nixpkgs/issues/33381.
---
 nixos/modules/programs/ssh.nix | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
index 80198990ed11..44e65ee8a9a0 100644
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@@ -61,12 +61,9 @@ in
 '';
 };
 
- # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
 pubkeyAcceptedKeyTypes = mkOption {
 type = types.listOf types.str;
- default = [
- "+ssh-dss"
- ];
+ default = [];
 example = [ "ssh-ed25519" "ssh-rsa" ];
 description = ''
 Specifies the key types that will be used for public key authentication.
@@ -75,9 +72,7 @@ in
 
 hostKeyAlgorithms = mkOption {
 type = types.listOf types.str;
- default = [
- "+ssh-dss"
- ];
+ default = [];
 example = [ "ssh-ed25519" "ssh-rsa" ];
 description = ''
 Specifies the host key algorithms that the client wants to use in order of preference.
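Review bot: The new `default = [];` on pubkeyAcceptedKeyTypes (and the identical change on hostKeyAlgorithms in the second hunk) now relies on how the generated ssh_config consumes an empty list, which is outside these hunks; if the directive is emitted unconditionally, an empty list would presumably produce a `PubkeyAcceptedKeyTypes` line with no value, which ssh is likely to reject as malformed, so the emitting side should be guarded with `optionalString (cfg.pubkeyAcceptedKeyTypes != [])` if it is not already. The option descriptions should also state what the empty default means, since users who relied on the old default lose DSA authentication silently; a sentence such as `An empty list leaves OpenSSH's built-in default in place; to accept DSA keys again, add "+ssh-dss" explicitly.` appended to each description would cover it. A release-notes entry for this behaviour change would help the same users notice it before upgrading.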