openssh: Enable DSA host/client keys

This applies a patch from Fedora to make HostKeyAlgorithms do the right thing, fixing the issue described in 401782cb67.
2024-11-12 03:56:17 +03:00 · 2016-02-01 16:27:46 +01:00 · 2016-02-01 16:27:46 +01:00 · a7b7ac8bfb
commit a7b7ac8bfb
parent a7f09e9773
3 changed files with 25 additions and 2 deletions
--- a/nixos/modules/programs/ssh.nix
+++ b/nixos/modules/programs/ssh.nix
@ -186,6 +186,9 @@ in

        ForwardX11 ${if cfg.forwardX11 then "yes" else "no"}

+        # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
+        PubkeyAcceptedKeyTypes +ssh-dss
+
        ${cfg.extraConfig}
      '';

--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -52,6 +52,8 @@ let
    ));
  in listToAttrs (map mkAuthKeyFile usersWithKeys);

+  supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
+
 in

 {
@ -177,7 +179,7 @@ in
        default =
          [ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
-          ] ++ optionals (!versionAtLeast config.system.stateVersion "15.07")
+          ] ++ optionals supportOldHostKeys
          [ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
            { type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
          ];
@ -347,6 +349,15 @@ in
        ${flip concatMapStrings cfg.hostKeys (k: ''
          HostKey ${k.path}
        '')}
+
+        # Allow DSA client keys for now. (These were deprecated
+        # in OpenSSH 7.0.)
+        PubkeyAcceptedKeyTypes +ssh-dss
+
+        # Re-enable DSA host keys for now.
+        ${optionalString supportOldHostKeys ''
+          HostKeyAlgorithms +ssh-dss
+        ''}
      '';

    assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
--- a/pkgs/tools/networking/openssh/default.nix
+++ b/pkgs/tools/networking/openssh/default.nix
@ -36,7 +36,16 @@ stdenv.mkDerivation rec {
      export NIX_LDFLAGS="$NIX_LDFLAGS -lgcc_s"
    '';

-  patches = [ ./locale_archive.patch ]
+  patches =
+    [ ./locale_archive.patch
+
+      # Fix "HostKeyAlgoritms +...", which we need to enable DSA
+      # host key support.
+      (fetchurl {
+        url = "https://pkgs.fedoraproject.org/cgit/rpms/openssh.git/plain/openssh-7.1p1-hostkeyalgorithms.patch?id=c98f5597250d6f9a8e8d96960beb6306d150ef0f";
+        sha256 = "029lzp9qv1af8wdm0wwj7qwjj1nimgsjj214jqm3amwz0857qgvp";
+      })
+    ]
    ++ optional withGssapiPatches gssapiSrc;

  buildInputs = [ zlib openssl libedit pkgconfig pam ]