flora-6: add back openssh MACs that got removed

from defaults NixOS default openssh MACs have changed to use "encrypt-then-mac" only. This breaks compatibilty with clients that do not offer these MACs. For compatibility reasons, we add back the old defaults. See: https://github.com/NixOS/nixpkgs/pull/231165 https://blog.stribik.technology/2015/01/04/secure-secure-shell.html https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
2023-07-07 12:13:57 +02:00 · 2023-07-07 12:13:57 +02:00 · 6fd2903516
parent e834cc685c
commit 6fd2903516
1 changed files with 8 additions and 0 deletions
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@ -139,6 +139,14 @@ in {
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+          "hmac-sha2-512"
+          "hmac-sha2-256"
+          "umac-128@openssh.com"
+        ];
      };
    };