tests/openssh: use upstream's algorithms in "no openssl" example

When I initially wrote this test, I wasn't aware that services.openssh could opt into using OpenSSH's default algorithms by just setting the relevant settings to null. That's a better approach since: * it's a simpler setting for this test to have to worry about * it introduces test coverage for the null case * the null case should be demonstrated as an example for those that want to compile without OpenSSL
2025-04-15 17:58:03 +00:00 · 2024-06-06 23:06:29 +10:00 · 2024-06-06 23:06:29 +10:00 · 9e4e5d96f1
commit 9e4e5d96f1
parent 2542605888
1 changed files with 8 additions and 6 deletions
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -120,12 +120,14 @@ in {
            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
          ];
          settings = {
-            # Must not specify the OpenSSL provided algorithms.
-            Ciphers = [ "chacha20-poly1305@openssh.com" ];
-            KexAlgorithms = [
-              "curve25519-sha256"
-              "curve25519-sha256@libssh.org"
-            ];
+            # Since this test is against an OpenSSH-without-OpenSSL,
+            # we have to override NixOS's defaults ciphers (which require OpenSSL)
+            # and instead set these to null, which will mean OpenSSH uses its defaults.
+            # Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
+            # without OpenSSL.
+            Ciphers = null;
+            KexAlgorithms = null;
+            Macs = null;
          };
        };
        users.users.root.openssh.authorizedKeys.keys = [