Merge pull request #300716 from LeSuisse/openssh-dsa-keys

openssh: disable support for DSA keys by default
This commit is contained in:
Janne Heß 2024-04-04 14:28:28 +02:00 committed by GitHub
commit 8bd499b34a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 5 additions and 0 deletions

View file

@ -208,6 +208,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
"mysecret"` becomes `services.aria2.rpcSecretFile = "/path/to/secret_file"`
where the file `secret_file` contains the string `mysecret`.
- `openssh`, `openssh_hpn` and `openssh_gssapi` are now compiled without support for the DSA signature algorithm as it is being deprecated upstream. Users still relying on DSA keys should consider upgrading
to another signature algorithm. It is however possible, for the time being, to restore the DSA keys support using `override` to set `dsaKeysSupport = true`.
- `buildGoModule` now throws error when `vendorHash` is not specified. `vendorSha256`, deprecated in Nixpkgs 23.11, is now ignored and is no longer a `vendorHash` alias.
- Invidious has changed its default database username from `kemal` to `invidious`. Setups involving an externally provisioned database (i.e. `services.invidious.database.createLocally == false`) should adjust their configuration accordingly. The old `kemal` user will not be removed automatically even when the database is provisioned automatically.(https://github.com/NixOS/nixpkgs/pull/265857)

View file

@ -30,6 +30,7 @@
, nixosTests
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
, withPAM ? stdenv.hostPlatform.isLinux
, dsaKeysSupport ? false
, linkOpenssl ? true
}:
@ -84,6 +85,7 @@ stdenv.mkDerivation {
"--with-libedit=yes"
"--disable-strip"
(lib.withFeature withPAM "pam")
(lib.enableFeature dsaKeysSupport "dsa-keys")
] ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
++ lib.optional withFIDO "--with-security-key-builtin=yes"
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")