From 6acf53f6547337106235a0d892e6341e01a5c5cd Mon Sep 17 00:00:00 2001
From: Yarny0 <41838844+Yarny0@users.noreply.github.com>
Date: Mon, 9 Jun 2025 20:34:15 +0200
Subject: [PATCH] nixos/sshd: don't use `-a` (KDF rounds) on host keys

The nixos `sshd.nix` module contains a mechanism to generate ssh host keys prior to starting sshd if those host keys are missing. The option `services.openssh.hostKeys` is used to configure which host keys should exist or be created. It also declares the key type and other key-related options. One of those options is `rounds`. That one is then forwarded to the `ssh-keygen` program with the `-a` option. It defines how many rounds of a key derivation function are to be used on the key's passphrase before the result is used to en-/decrypt the private key; cf. ssh-keygen(1). ssh host keys are passwordless; they are solely protected by filesystem access modes. Hence, the `-a` option is irrelevant and silently ignored by `ssh-keygen`. The commit at hand therefore removes this option from the host key generation script and the option examples.
---
 nixos/modules/services/networking/ssh/sshd.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 88ecfe22d70a..12d725e1b7f9 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -366,13 +366,11 @@ in
 type = "rsa";
 bits = 4096;
 path = "/etc/ssh/ssh_host_rsa_key";
- rounds = 100;
 openSSHFormat = true;
 }
 {
 type = "ed25519";
 path = "/etc/ssh/ssh_host_ed25519_key";
- rounds = 100;
 comment = "key comment";
 }
 ];
@@ -798,7 +796,6 @@ in
 ssh-keygen \
 -t "${k.type}" \
 ${lib.optionalString (k ? bits) "-b ${toString k.bits}"} \
- ${lib.optionalString (k ? rounds) "-a ${toString k.rounds}"} \
 ${lib.optionalString (k ? comment) "-C '${k.comment}'"} \
 ${lib.optionalString (k ? openSSHFormat && k.openSSHFormat) "-o"} \
 -f "${k.path}" \
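Review bot: After the removal in the second hunk (the `ssh-keygen` invocation at old line 801), a `rounds` attribute that an existing configuration still sets in `services.openssh.hostKeys` is accepted and ignored with no signal to the user, which looks like the same silent-ignore the commit message criticises, just moved from `ssh-keygen` into the module; whether the option type even rejects unknown attributes is not visible in this patch, so this is inferred. A one-line guard near the generation script would make the change visible, e.g. `lib.warnIf (lib.any (k: k ? rounds) cfg.hostKeys) "services.openssh.hostKeys: `rounds` has no effect on passphrase-less host keys and is ignored" ...` wrapped around the script text (or an entry in `warnings`, if the module already maintains one). The first hunk only updates the option examples; if the `hostKeys` option description still lists `rounds` as a supported attribute, it should be updated in the same commit, which cannot be confirmed from the lines shown here. The enclosing `for k in ...` loop and the `hostKeys` option declaration both start outside the hunks.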