Unverified Commit 23422982 authored by Jan Christian Grünhage's avatar Jan Christian Grünhage

openssh: enable ldns

ldns is used for validating DNSSEC responses. With ldns enabled, SSHFP
records in DNSSEC-signed zones allow ssh to validate server host keys
automatically when connecting.
parent c474f2a3
+4 −0
@@ -18,11 +18,13 @@
, zlib
, openssl
, libedit
, ldns
, pkg-config
, pam
, libredirect
, etcDir ? null
, withKerberos ? true
, withLdns ? true
, libkrb5
, libfido2
, hostname
@@ -72,6 +74,7 @@ stdenv.mkDerivation {
  buildInputs = [ zlib openssl libedit ]
    ++ lib.optional withFIDO libfido2
    ++ lib.optional withKerberos libkrb5
    ++ lib.optional withLdns ldns
    ++ lib.optional withPAM pam;

  preConfigure = ''
@@ -95,6 +98,7 @@ stdenv.mkDerivation {
    ++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
    ++ lib.optional stdenv.isDarwin "--disable-libutil"
    ++ lib.optional (!linkOpenssl) "--without-openssl"
    ++ lib.optional withLdns "--with-ldns"
    ++ extraConfigureFlags;

  ${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null}= [ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
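Review bot: The new `, withLdns ? true` argument switches the ldns dependency on for every consumer of this derivation, yet nothing in the file says what the flag is for or what it does not do. I would put a comment above it, for example `# Link ldns so ssh can DNSSEC-validate SSHFP records; has no effect unless VerifyHostKeyDNS is enabled in ssh_config`. Linking ldns does not by itself change host-key checking, because OpenSSH's `VerifyHostKeyDNS` defaults to `no`; the "automatically validated" behaviour in the description applies only once a user or module sets that option, and the result is presumably only as trustworthy as the resolver path and trust anchors in use. Separately, `"--with-ldns"` is passed without a path, while the kerberos flag in the same list pins `${libkrb5}` behind an assert, so it is worth confirming in the configure log that the `ldns` from `buildInputs` is the one detected. The argument list and the `mkDerivation` body both start and end outside the visible hunks.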