colin
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

openssh: disable support for DSA keys by default 

DSA signature is being deprecated by upstream as noted in the 9.7
release notes: https://www.openssh.com/txt/release-9.7

An attribute is added to allow users to restore support while it is
still possible.
This commit is contained in:
Thomas Gerbet 2024-04-01 16:57:15 +02:00
parent 097efc15ed
commit 6ee4b8c8bf
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2405.section.md
View File

@ -201,6 +201,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
where the file `secret_file` contains the string `mysecret`.
- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`.
- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

2
pkgs/tools/networking/openssh/common.nix
View File

@ -30,6 +30,7 @@
, nixosTests
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
, withPAM ? stdenv.hostPlatform.isLinux
, dsaKeysSupport ? false
, linkOpenssl ? true
}:
@ -84,6 +85,7 @@ stdenv.mkDerivation {
"--with-libedit=yes"
"--disable-strip"
(lib.withFeature withPAM "pam")
(lib.enableFeature dsaKeysSupport "dsa-keys")
] ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
++ lib.optional withFIDO "--with-security-key-builtin=yes"
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")