From 6ee4b8c8bf815567f7d0fa131576d2b8c0a18167 Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Mon, 1 Apr 2024 16:57:15 +0200
Subject: [PATCH] openssh: disable support for DSA keys by default

DSA signature is being deprecated by upstream as noted in the 9.7 release notes: https://www.openssh.com/txt/release-9.7

An attribute is added to allow users to restore support while it is still possible.
---
 nixos/doc/manual/release-notes/rl-2405.section.md | 3 +++
 pkgs/tools/networking/openssh/common.nix | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/nixos/doc/manual/release-notes/rl-2405.section.md b/nixos/doc/manual/release-notes/rl-2405.section.md
index 763cb1df3202..727daf4f8d59 100644
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@@ -201,6 +201,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
 "mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"` where the file `secret_file` contains the string `mysecret`.
 
+- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
+ to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`.
+
 
 - `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
 
 - Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)
 
diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix
index 5bae2050fbfc..dc43f6dd36b8 100644
--- a/pkgs/tools/networking/openssh/common.nix
+++ b/pkgs/tools/networking/openssh/common.nix
@@ -30,6 +30,7 @@
 , nixosTests
 , withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
 , withPAM ? stdenv.hostPlatform.isLinux
+, dsaKeysSupport ? false
 , linkOpenssl ? true
 }:
 
@@ -84,6 +85,7 @@ stdenv.mkDerivation {
 "--with-libedit=yes"
 "--disable-strip"
 (lib.withFeature withPAM "pam")
+ (lib.enableFeature dsaKeysSupport "dsa-keys")
 ] ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
 ++ lib.optional withFIDO "--with-security-key-builtin=yes"
 ++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
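Review bot: The new `, dsaKeysSupport ? false` argument in the first hunk has no comment saying what it toggles or why it defaults to off, and unlike the neighbouring `withFIDO`/`withPAM` arguments its name does not convey that it re-enables something upstream is removing. A one-line comment above it would tell the next reader the intent and the expected lifetime, for example `# Re-enables DSA signature support, which upstream deprecated in 9.7; expected to stop working once upstream drops it.` The function argument set this line belongs to begins before the hunk.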
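Review bot: In the second hunk, opting back in with `dsaKeysSupport = true` yields a build with no evaluation-time signal that a deprecated signature algorithm has been re-enabled, and since common.nix is shared this applies to every package built from it (the release note in this patch names `openssh`, `openssh_hpn` and `openssh_gssapi`). Making the opt-in visible at evaluation time would help operators notice it before the upstream removal lands, e.g. replacing the added line with `(lib.warnIf dsaKeysSupport "openssh: dsaKeysSupport re-enables deprecated DSA signature support" (lib.enableFeature dsaKeysSupport "dsa-keys"))`. The `configureFlags` list this line is appended to starts before the hunk.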