tests/openssh: use upstream's algorithms in "no openssl" example
When I initially wrote this test, I wasn't aware that services.openssh could opt into using OpenSSH's default algorithms by just setting the relevant settings to null. That's a better approach since:

* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that want to compile without OpenSSL
parent 2542605888
commit 9e4e5d96f1
@ -120,12 +120,14 @@ in {
|
|||||||
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
|
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
|
||||||
];
|
];
|
||||||
settings = {
|
settings = {
|
||||||
# Must not specify the OpenSSL provided algorithms.
|
# Since this test is against an OpenSSH-without-OpenSSL,
|
||||||
Ciphers = [ "chacha20-poly1305@openssh.com" ];
|
# we have to override NixOS's defaults ciphers (which require OpenSSL)
|
||||||
KexAlgorithms = [
|
# and instead set these to null, which will mean OpenSSH uses its defaults.
|
||||||
"curve25519-sha256"
|
# Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
|
||||||
"curve25519-sha256@libssh.org"
|
# without OpenSSL.
|
||||||
];
|
Ciphers = null;
|
||||||
|
KexAlgorithms = null;
|
||||||
|
Macs = null;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
users.users.root.openssh.authorizedKeys.keys = [
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
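Review bot: The new comment above `Ciphers = null;` only talks about overriding NixOS's default ciphers, but the same block also sets `KexAlgorithms = null;` and `Macs = null;`, and `Macs` was not set at all on the removed side. Suggest the comment name all three settings (and read "default ciphers" rather than "defaults ciphers"), and that either the comment or the commit message say why `Macs` needs overriding now when the previous pinned configuration did not touch it. Since the removed lines pinned `chacha20-poly1305@openssh.com` and the two curve25519 key exchanges explicitly, the test now depends on whatever the packaged OpenSSH build chooses as defaults; if the intent is to cover the null case, it would help for the test to check that the generated sshd configuration really omits these three options, so a regression in null handling fails here rather than passing silently.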