nixos/ssh: use upstream's default cryptographic algorithms #316934

Commits on Jun 5, 2024

  1. nixos/ssh: use upstream's default cryptographic algorithms

    Hardening SSH algorithms, which typically means dropping
    all-but-the-strongest, is of questionable value, given SSH's downgrade
    protection[0]. We pay in compatibility, and maintenance.
    
    Further, as noted in
    https://github.com/NixOS/nixpkgs/pull/172393/files#r871727289 , both
    the guidelines that we follow have not been updated in years.
    
    The costs of having/maintaining these defaults:
    
    * The burden of having a larger module that deviates from
    upstream. We've slowly been reducing the upstream diff, to reduce
    maintenance burden.
    * Difficult for users to opt-out of these defaults. For example, when
    using a "no OpenSSL" build of OpenSSH, having these defaults means
    having to manually override NixOS's defaults. Upstream's defaults,
    meanwhile, gracefully only use available algorithms, if OpenSSL is not
    linked.
        * For users seeking to reduce attack surfaces that are fortunate
        enough to only have modern clients, they could choose to use
        `pkgs.opensshPackages.openssh.override { linkOpenssl = false; }`,
        which only supports chacha20-poly1305 and curve25519-sha256.
    * NixOS#231165 unexpectedly broke some
    clients.
    * The time in discussing/reviewing these defaults.
    * Anecdotally, a friend trying NixOS for the first time with a
    ssh_config supporting only ecdh-* key exchanges was unable to SSH in
    after install.
    
    There's a certain level of enjoyment that comes from researching and
    selecting a favourite suite of ciphers, but as a distro, it's not our
    core competency, and best left for upstream who are active in
    advances/attacks/compatibility.
    
    0. https://eprint.iacr.org/2016/072.pdf
    tomfitzhenry committed Jun 5, 2024
    d091822
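
The compatibility cost the commit message describes (a client limited to ecdh-* key exchanges being locked out by a pinned server list) follows from how SSH selects algorithms: the first name on the client's list that the server also offers. The sketch below is an added example, not code from this PR or from nixpkgs; both server lists and both client lists are constructed sample values, and the function names are hypothetical.

```python
"""Added illustration of SSH algorithm negotiation (RFC 4253, section 7.1)."""

# Constructed sample lists, not taken from the PR. RESTRICTED stands in for a
# distro-pinned KexAlgorithms value; BROAD stands in for a server that also
# keeps the ecdh-* methods available.
RESTRICTED_SERVER_KEX = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
]
BROAD_SERVER_KEX = RESTRICTED_SERVER_KEX + [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
]
# Client from the anecdote: ssh_config allows only ecdh-* key exchanges.
ECDH_ONLY_CLIENT_KEX = ["ecdh-sha2-nistp521", "ecdh-sha2-nistp256"]
MODERN_CLIENT_KEX = ["curve25519-sha256", "ecdh-sha2-nistp256"]


def parse_name_list(line):
    """Parse 'KexAlgorithms a,b,c' (or a bare 'a,b,c') into a list of names."""
    stripped = line.strip()
    value = stripped.split(None, 1)[-1] if stripped else ""
    return [name for name in value.split(",") if name]


def negotiate(client_prefs, server_prefs):
    """Return the first client algorithm the server also supports, else None.

    Simplification: the host-key capability checks that RFC 4253 adds for
    key exchange are ignored; only list intersection is modelled.
    """
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None  # no common method: the connection is refused


def compatibility_report(server_prefs, clients):
    """Map each client label to the negotiated method (None means lockout)."""
    return {label: negotiate(prefs, server_prefs) for label, prefs in clients.items()}


if __name__ == "__main__":
    clients = {"ecdh-only": ECDH_ONLY_CLIENT_KEX, "modern": MODERN_CLIENT_KEX}
    for name, server in (("restricted", RESTRICTED_SERVER_KEX), ("broad", BROAD_SERVER_KEX)):
        print(name, compatibility_report(server, clients))
```

Feeding `parse_name_list` the `kexalgorithms` line from a server's effective configuration and each client's list gives the same report for a real fleet before a pinned list is rolled out.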