openssh: disable support for DSA keys by default
DSA signature is being deprecated by upstream as noted in the 9.7 release notes: https://www.openssh.com/txt/release-9.7 An attribute is added to allow users to restore support while it is still possible.
This commit is contained in:
parent
097efc15ed
commit
6ee4b8c8bf
@ -201,6 +201,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
|
||||
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
|
||||
where the file `secret_file` contains the string `mysecret`.
|
||||
|
||||
- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
|
||||
to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`.
|
||||
|
||||
- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
|
||||
|
||||
- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
|
||||
|
@ -30,6 +30,7 @@
|
||||
, nixosTests
|
||||
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
|
||||
, withPAM ? stdenv.hostPlatform.isLinux
|
||||
, dsaKeysSupport ? false
|
||||
, linkOpenssl ? true
|
||||
}:
|
||||
|
||||
@ -84,6 +85,7 @@ stdenv.mkDerivation {
|
||||
"--with-libedit=yes"
|
||||
"--disable-strip"
|
||||
(lib.withFeature withPAM "pam")
|
||||
(lib.enableFeature dsaKeysSupport "dsa-keys")
|
||||
] ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
|
||||
++ lib.optional withFIDO "--with-security-key-builtin=yes"
|
||||
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
|
||||
|
Loading…
Reference in New Issue
Block a user