From b742b86532b2fba82e42acd106419d0d7419ed4f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Mon, 1 Jul 2024 13:50:21 +0200
Subject: [PATCH] common/openssh: apply workaround for CVE-2024-6387

---
 nixos/common/openssh.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/common/openssh.nix b/nixos/common/openssh.nix
index 53d4691..ca2bbc2 100644
--- a/nixos/common/openssh.nix
+++ b/nixos/common/openssh.nix
@@ -9,6 +9,11 @@
 # unbind gnupg sockets if they exists
 settings.StreamLocalBindUnlink = true;
+ # We might want to remove this once, openssh is fixed everywhere:
+ # Workaround for CVE-2024-6387
+ # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
+ settings.LoginGraceTime = 0;
+
 # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
 settings.KexAlgorithms = [
 "curve25519-sha256"
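Review bot: `settings.LoginGraceTime = 0;` closes the signal-handler race behind CVE-2024-6387 by never timing out unauthenticated sessions, but that also means half-open connections are held indefinitely and can use up the sshd `MaxStartups` slots, so the workaround trades the code-execution risk for an availability risk that the comment does not record. I would state that trade-off next to the setting and make the connection budget explicit rather than implicit, e.g. `settings.MaxStartups = "10:30:100";` (sshd's default, written out so it is not forgotten) and, where the OpenSSH in use supports it, `settings.PerSourceMaxStartups = 10;` — placeholder values to be tuned per host. The removal condition in the comment would be more actionable if it named a concrete trigger, e.g. `# Remove once every host here runs an OpenSSH release that ships the CVE-2024-6387 fix`; there is also a stray comma in "once, openssh". The `settings` attribute set this hunk edits begins and ends outside the hunk.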