movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-23 09:51:00 +03:00
Code Activity

SSH daemon: change default key size for RSA, add alert for weak keys.

Browse source
This commit is contained in:
Evgeny Egorochkin 2013-08-23 14:47:42 +03:00
parent f420726936
commit f8a6fa774e
1 changed files with 22 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

29
modules/services/networking/ssh/sshd.nix
View file

@ -16,19 +16,27 @@ let
v == "no"; v == "no";
hostKeyTypeNames = { hostKeyTypeNames = {
dsa1024 = "dsa"; dsa1024 = "dsa"; # DSA has a key size limitation due to standards
rsa1024 = "rsa"; rsa3072 = "rsa";
ecdsa521 = "ecdsa"; ecdsa521 = "ecdsa";
}; };
hostKeyTypeBits = { hostKeyTypeBits = {
dsa1024 = 1024; dsa1024 = 1024; # =80 bits of security
rsa1024 = 1024; rsa3072 = 3072; # =128 bits of security
ecdsa521 = 521; ecdsa521 = 521; # =256 bits of security
};
# equivalent to 112 bit of security strength. Anything below this is very unsafe.
hostKeyTypeSafeBits = {
dsa1024 = 2048;
rsa3072 = 2048;
ecdsa521 = 255;
}; };
hktn = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeNames; hktn = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeNames;
hktb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeBits; hktb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeBits;
hktsb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeSafeBits;
knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts); knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
@ -171,7 +179,7 @@ in
hostKeyType = mkOption { hostKeyType = mkOption {
default = "dsa1024"; default = "dsa1024";
description = '' description = ''
Type of host key to generate (dsa1024/rsa1024/ecdsa521), if Type of host key to generate (dsa1024/rsa3072/ecdsa521), if
the file specified by <literal>hostKeyPath</literal> does not the file specified by <literal>hostKeyPath</literal> does not
exist when the service starts. exist when the service starts.
''; '';
@ -269,7 +277,7 @@ in
stopIfChanged = false; stopIfChanged = false;
path = [ pkgs.openssh ]; path = [ pkgs.openssh pkgs.gawk ];
environment.LD_LIBRARY_PATH = nssModulesPath; environment.LD_LIBRARY_PATH = nssModulesPath;
environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive"; environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@ -281,6 +289,13 @@ in
if ! test -f ${cfg.hostKeyPath}; then if ! test -f ${cfg.hostKeyPath}; then
ssh-keygen -t ${hktn} -b ${toString hktb} -f ${cfg.hostKeyPath} -N "" ssh-keygen -t ${hktn} -b ${toString hktb} -f ${cfg.hostKeyPath} -N ""
fi fi
result=$(ssh-keygen -lf ${cfg.hostKeyPath}|awk '{ print ($1>=${toString hktsb}?1:0)}')
if [ "$result" -ne "1" ]; then
ERROR="SECURITY ALERT: SSH Host Key is too weak. Generate a strong key NOW."
echo "$ERROR"
echo "$ERROR" > /dev/console
fi
''; '';
serviceConfig = serviceConfig =