nixos/openssh: Add sntrup761x25519-sha512 kexAlgo
Introduced in OpenSSH 9.0, it became part of the default kexAlgorithm selection, visible in sshd_config(5).
It is also enabled by default in the OpenSSH client, as can be seen from

    $ ssh -Q KexAlgorithms

Also clarifies that we use the referenced documents as the lower bound, given that they haven't been updated for 5-7y.
parent 5d589feb6e
commit fa7ce6bc7f
|
@ -293,6 +293,7 @@ in
|
||||||
kexAlgorithms = mkOption {
|
kexAlgorithms = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [
|
default = [
|
||||||
|
"sntrup761x25519-sha512@openssh.com"
|
||||||
"curve25519-sha256"
|
"curve25519-sha256"
|
||||||
"curve25519-sha256@libssh.org"
|
"curve25519-sha256@libssh.org"
|
||||||
"diffie-hellman-group-exchange-sha256"
|
"diffie-hellman-group-exchange-sha256"
|
||||||
|
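Review bot: The new first entry in `default`, "sntrup761x25519-sha512@openssh.com", has no comment stating which OpenSSH version it needs or why it is placed ahead of "curve25519-sha256". The commit message ties it to the OpenSSH 9.0 defaults; a one-line comment above the entry saying so, and noting that list order expresses preference, would help whoever edits this list next. Because only the default value changes, configurations that set kexAlgorithms explicitly keep their old list, which is worth a release-note line.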
@ -301,7 +302,7 @@ in
|
||||||
Allowed key exchange algorithms
|
Allowed key exchange algorithms
|
||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
Defaults to recommended settings from both
|
Uses the lower bound recommended in both
|
||||||
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
|
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
|
||||||
and
|
and
|
||||||
<link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
|
<link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
|
||||||
|
|
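Review bot: The new description text "Uses the lower bound recommended in both" is hard to interpret without the commit message: it does not tell the reader that the default list now goes beyond the two linked documents, or where the extra entry comes from. Suggest wording such as "Defaults to at least the settings recommended in both ... and ..., extended with algorithms that current OpenSSH enables by default", so the origin of the sntrup761x25519 entry is documented next to the links.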