Commit 6acf53f6 authored by Yarny0

nixos/sshd: don't use `-a` (KDF rounds) on host keys

The nixos `sshd.nix` module contains a
mechanism to generate ssh host keys prior to
starting sshd if those host keys are missing.
The option `services.openssh.hostKeys` is used to
configure which host keys should exist or be created.
It also declares the key type and other key-related options.

One of those options is `rounds`.
That one is then forwarded to the
`ssh-keygen` program with the `-a` option.
It defines how many rounds of a key derivation function
are to be used on the key's passphrase before the result
is used to en-/decrypt the private key; cf. ssh-keygen(1).

ssh host keys are passwordless;
they are solely protected by filesystem access modes.
Hence, the `-a` option is irrelevant
and silently ignored by `ssh-keygen`.

The commit at hand therefore removes this option from
the host key generation script and the option examples.
parent 3e3afe51
+0 −3
@@ -366,13 +366,11 @@ in
            type = "rsa";
            bits = 4096;
            path = "/etc/ssh/ssh_host_rsa_key";
            rounds = 100;
            openSSHFormat = true;
          }
          {
            type = "ed25519";
            path = "/etc/ssh/ssh_host_ed25519_key";
            rounds = 100;
            comment = "key comment";
          }
        ];
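Review bot: dropping `rounds = 100;` from both example entries leaves the examples out of step with the option itself unless the `rounds` attribute is also removed from the `hostKeys` type or its description, and nothing in this hunk touches that; a reader of the docs would otherwise still see `rounds` listed as a supported attribute while the examples no longer show it. Either remove the attribute from the option declaration in the same change or state in its description that it has no effect on passphrase-less host keys.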
@@ -798,7 +796,6 @@ in
              ssh-keygen \
                -t "${k.type}" \
                ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
                ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
                ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
                ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
                -f "${k.path}" \
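Review bot: with the `${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"}` line gone, a `rounds` value that a user still sets in `services.openssh.hostKeys` is now accepted by the module and silently discarded before it ever reaches `ssh-keygen`, which is the same silent-ignore behaviour the commit message describes, just moved one layer up. Consider surfacing it, for example by wrapping the generation snippet in `lib.warnIf (k ? rounds) "..."` so evaluation prints a warning, and mention in the commit message that the generated keys are unchanged because `ssh-keygen` already ignored `-a` for keys without a passphrase.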