Mirror of https://github.com/NixOS/nixpkgs.git, synced 2025-11-13 11:15:37 +01:00
The nixos `sshd.nix` module contains a mechanism to generate ssh host keys prior to starting sshd if those host keys are missing. The option `services.openssh.hostKeys` is used to configure which host keys should exist or be created. It also declares the key type and other key-related options. One of those options is `rounds`. That one is then forwarded to the `ssh-keygen` program with the `-a` option. It defines how many rounds of a key derivation function are to be used on the key's passphrase before the result is used to en-/decrypt the private key; cf. ssh-keygen(1). ssh host keys are passwordless; they are solely protected by filesystem access modes. Hence, the `-a` option is irrelevant and silently ignored by `ssh-keygen`. The commit at hand therefore removes this option from the host key generation script and the option examples.
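The point made in the commit message can be checked on any key file: the `-a` round count is stored only in the bcrypt KDF options of the private key envelope, and a passphrase-less key has no such field. The following is an added example, not code from nixpkgs or from this commit; it assumes the `openssh-key-v1` layout described in OpenSSH's `PROTOCOL.key`, the function names are hypothetical, and the two sample keys are constructed headers without real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes); return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated key")
    return buf[off + 4:end], end

def inspect_private_key(pem_text):
    """Return cipher, KDF and KDF rounds from an OpenSSH private key envelope."""
    lines = pem_text.strip().splitlines()
    blob = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = None
    if kdf == b"bcrypt":
        # kdfoptions = string salt + uint32 rounds; this is the value `-a` sets
        _salt, pos = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack_from(">I", kdfopts, pos)
    return {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "rounds": rounds, "encrypted": cipher != b"none"}

def _s(b):
    """Encode bytes as an SSH 'string'."""
    return struct.pack(">I", len(b)) + b

def make_envelope(cipher, kdf, kdfopts):
    """Constructed sample: envelope header only, no real key material."""
    blob = MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: a passphrase-less host key and a key protected with 100 rounds
HOST_KEY = make_envelope(b"none", b"none", b"")
USER_KEY = make_envelope(b"aes256-ctr", b"bcrypt",
                         _s(b"\x00" * 16) + struct.pack(">I", 100))

if __name__ == "__main__":
    print(inspect_private_key(HOST_KEY))
    print(inspect_private_key(USER_KEY))
```

For a host key, `rounds` comes back as `None` and `encrypted` as `False`, which is why the file's access mode is the only protection worth auditing.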