Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

patching authorizedKeysCommand to use /etc/ssl/certs/ca-bundle.crt #114

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

zickzackv
Copy link

... also fixes sshd_config authorizedKeysCommand option to use the symlink name

... also fixes sshd_config authorizedKeysCommand script name
@arianvp
Copy link
Member

arianvp commented May 13, 2024

Thanks! Have you had time to test this yet? I will have bandwidth after 24.05 to look at this hopefully

@zickzackv
Copy link
Author

TLDR: Yes, I tested it and a configuration of KexAlgorithms was also needed.

Yeah, I got it working with the changes. I wrote a simple onefile flake to test changes first. https://github.com/zickzackv/eic-flake

I sadly run into a strange problem with the NixOS given KeyExchangeAlgorithms openssh configuration. AWS as ssh-client into an instance (e.g. in instance-connect from the console) only offered weaker KeyExchangeAlgorithms in eu-central-1. Leading to no instance-connect connection since the ssh handshake broke.

I extended the KexAlg list (https://github.com/zickzackv/eic-flake/blob/dc1c233e5fa58e5d28bbda726e8375864da4ae60/flake.nix#L53) with one weaker Algorithm in order to create an instance-connect connection. According to the blogpost in openssh configuration option (https://github.com/NixOS/nixpkgs/blob/5710852ba686cc1fd0d3b8e22b3117d43ba374c2/nixos/modules/services/networking/ssh/sshd.nix#L409) these are week algorithms.

@arianvp
Copy link
Member

arianvp commented May 24, 2024

ecdh-sha2-nistp521 is not weak. it's just some people are scared of anything NIST and try to avoid NIST curves whenever they can. This has more to do with politics than actual security arguments iirc.

There are no known weaknesses against ecdh-sha2-nistp521 as far as I am aware. and NIST curves are required for things like FIPS and other certifications so it makes sense AWS might be using that.

We can either add that override to the amazon-image config or we can see if we can add that KEX to the upstream openssh module.

@arianvp
Copy link
Member

arianvp commented May 24, 2024

By the way this should be enough due to NixOS' list merging:

services.openssh.settings.KexAlgorithms =["ecdh-sha2-nistp521"];

it will append the Kex to the existing list

@arianvp
Copy link
Member

arianvp commented May 25, 2024

I am gonna make a PR to nixpkgs with these changes. I think it should live there instead of here.

@zickzackv
Copy link
Author

Thanks for taking care.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants