nixos/ssh: Remove support for old host keys

This commit is contained in:
jeaye 2017-11-16 20:16:06 -08:00
parent 61090c8c66
commit ec80c92825
No known key found for this signature in database
GPG Key ID: A77FFC856C61E510

View File

@ -54,8 +54,6 @@ let
));
in listToAttrs (map mkAuthKeyFile usersWithKeys);
supportOldHostKeys = !versionAtLeast config.system.stateVersion "15.07";
in
{
@ -191,9 +189,6 @@ in
default =
[ { type = "rsa"; bits = 4096; path = "/etc/ssh/ssh_host_rsa_key"; }
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
] ++ optionals supportOldHostKeys
[ { type = "dsa"; path = "/etc/ssh/ssh_host_dsa_key"; }
{ type = "ecdsa"; bits = 521; path = "/etc/ssh/ssh_host_ecdsa_key"; }
];
description = ''
NixOS can automatically generate SSH host keys. This option
@ -363,14 +358,6 @@ in
HostKey ${k.path}
'')}
# Allow DSA client keys for now. (These were deprecated
# in OpenSSH 7.0.)
PubkeyAcceptedKeyTypes +ssh-dss
# Re-enable DSA host keys for now.
${optionalString supportOldHostKeys ''
HostKeyAlgorithms +ssh-dss
''}
'';
assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;