nixos/sshd: don't use -a (KDF rounds) on host keys

The nixos `sshd.nix` module contains a mechanism to generate ssh host keys prior to starting sshd if those host keys are missing. The option `services.openssh.hostKeys` is used to configure which host keys should exist or be created. It also declares the key type and other key-related options. One of those options is `rounds`. That one is then forwarded to the `ssh-keygen` program with the `-a` option. It defines how many rounds of a key derivation function are to be used on the key's passphrase before the result is used to en-/decrypt the private key; cf. ssh-keygen(1). ssh host keys are passwordless; they are solely protected by filesystem access modes. Hence, the `-a` option is irrelevant and silently ignored by `ssh-keygen`. The commit at hand therefore removes this option from the host key generation script and the option examples.
2025-06-09 20:34:15 +02:00 · 2025-06-09 20:34:15 +02:00 · 6acf53f654
commit 6acf53f654
parent 3e3afe5174
1 changed files with 0 additions and 3 deletions
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -366,13 +366,11 @@ in
            type = "rsa";
            bits = 4096;
            path = "/etc/ssh/ssh_host_rsa_key";
-            rounds = 100;
            openSSHFormat = true;
          }
          {
            type = "ed25519";
            path = "/etc/ssh/ssh_host_ed25519_key";
-            rounds = 100;
            comment = "key comment";
          }
        ];
@ -798,7 +796,6 @@ in
              ssh-keygen \
                -t "${k.type}" \
                ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
-                ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
                ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
                ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
                -f "${k.path}" \