From 6fd2903516da8d05e717a96e62cff9df0e6d75db Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 7 Jul 2023 12:13:57 +0200
Subject: [PATCH] flora-6: add back openssh MACs that got removed from defaults

NixOS default openssh MACs have changed to use "encrypt-then-mac" only. This breaks compatibilty with clients that do not offer these MACs. For compatibility reasons, we add back the old defaults. See: https://github.com/NixOS/nixpkgs/pull/231165 https://blog.stribik.technology/2015/01/04/secure-secure-shell.html https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67
---
 hosts/flora-6/flora-6.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 55e88da7..59df45c1 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@@ -139,6 +139,14 @@ in {
 settings = {
 PasswordAuthentication = false;
 PermitRootLogin = "no";
+ Macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ "hmac-sha2-512"
+ "hmac-sha2-256"
+ "umac-128@openssh.com"
+ ];
 };
 };
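Review bot: The new `Macs` list deliberately re-enables the three non-ETM (encrypt-and-MAC) algorithms that the NixOS default dropped, but the file itself records no reason for that, so the next maintainer will only see a weaker-than-default setting with no hint that it is a compatibility concession; add a comment above `Macs = [`, e.g. `# NixOS defaults now offer only *-etm MACs; the non-etm entries below are kept for clients that cannot negotiate encrypt-then-MAC. Drop them once those clients are updated.` Note that listing the ETM variants first on the server does not by itself guarantee ETM is chosen — the client's preference order decides the negotiated MAC — so the non-etm entries presumably stay reachable for any client that prefers them; a comment or a follow-up issue with a removal date would keep this from becoming permanent. The enclosing `services.openssh` attribute set starts before this hunk, and the header's old-side count of 6 suggests one trailing context line is not visible here.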