From 401782cb678d2e28c0f7f2d40c6421624f410148 Mon Sep 17 00:00:00 2001 From: Eelco Dolstra Date: Thu, 20 Aug 2015 13:50:04 +0200 Subject: [PATCH] Revert "openssh: 6.9p1 -> 7.0p1" This reverts commit a8eb2a6a81524f3be0c8886f6d06090b50b0a513. OpenSSH 7.0 is causing too many interoperability problems so soon before the 15.08 release. For instance, it causes NixOps EC2 initial deployments to fail with "REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client knows the server's ssh-dss host key, but this key is no longer accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does not work because it causes ssh-dss to be ordered after "ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh prioritizes host key algorithms for which the client has a known host key, but not if you set HostKeyAlgorithms.) --- nixos/modules/programs/ssh.nix | 3 --- nixos/modules/services/networking/ssh/sshd.nix | 3 --- pkgs/tools/networking/openssh/default.nix | 4 ++-- 3 files changed, 2 insertions(+), 8 deletions(-) diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix index 9c94250cb1f0..d3183f7d2dc7 100644 --- a/nixos/modules/programs/ssh.nix +++ b/nixos/modules/programs/ssh.nix @@ -115,9 +115,6 @@ in ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} - # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) - PubkeyAcceptedKeyTypes +ssh-dss - ${cfg.extraConfig} ''; diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index be2dde121973..1c428ceddfd2 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -413,9 +413,6 @@ in ${flip concatMapStrings cfg.hostKeys (k: '' HostKey ${k.path} '')} - - # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) - PubkeyAcceptedKeyTypes +ssh-dss ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; diff --git a/pkgs/tools/networking/openssh/default.nix b/pkgs/tools/networking/openssh/default.nix index 57bbf1da22e2..357ee2b9f213 100644 --- a/pkgs/tools/networking/openssh/default.nix +++ b/pkgs/tools/networking/openssh/default.nix @@ -17,11 +17,11 @@ let in with stdenv.lib; stdenv.mkDerivation rec { - name = "openssh-7.0p1"; + name = "openssh-6.9p1"; src = fetchurl { url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; - sha256 = "1rc52jyc5v5b8j9kvasrnz9vnj9b0i7fw4nqac8wix0r794k4ngx"; + sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf"; }; prePatch = optionalString hpnSupport