Commit 9e4e5d96 authored by Tom Fitzhenry, committed by tomf

tests/openssh: use upstream's algorithms in "no openssl" example

When I initially wrote this test, I wasn't aware that services.openssh
could opt into using OpenSSH's default algorithms by just setting the
relevant settings to null.

That's a better approach since:
* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that
  want to compile without OpenSSL
parent 25426058
+8 −6
@@ -120,12 +120,14 @@ in {
            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
          ];
          settings = {
            # Must not specify the OpenSSL provided algorithms.
            Ciphers = [ "chacha20-poly1305@openssh.com" ];
            KexAlgorithms = [
              "curve25519-sha256"
              "curve25519-sha256@libssh.org"
            ];
            # Since this test is against an OpenSSH-without-OpenSSL,
            # we have to override NixOS's defaults ciphers (which require OpenSSL)
            # and instead set these to null, which will mean OpenSSH uses its defaults.
            # Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
            # without OpenSSL.
            Ciphers = null;
            KexAlgorithms = null;
            Macs = null;
          };
        };
        users.users.root.openssh.authorizedKeys.keys = [
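Review bot: the added comment above `Ciphers = null;` speaks only of "NixOS's defaults ciphers", yet the three lines under it override Ciphers, KexAlgorithms and Macs, and Macs was not set at all in the six lines being replaced. Neither the comment nor the commit message says why Macs now needs overriding, so please state whether the NixOS default for Macs also depends on OpenSSL or is nulled only for consistency, and name all three options in the comment. Small wording fix while there: "defaults ciphers" should read "default ciphers".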