patching authorizedKeysCommand to use /etc/ssl/certs/ca-bundle.crt #114
Conversation
... also fixes sshd_config authorizedKeysCommand script name
|
Thanks! Have you had time to test this yet? I will have bandwidth after 24.05 to look at this hopefully |
|
TLDR: Yes, I tested it and a configuration of KexAlgorithms was also needed. Yeah, I got it working with the changes. I wrote a simple onefile flake to test changes first. https://github.com/zickzackv/eic-flake I sadly run into a strange problem with the NixOS given KeyExchangeAlgorithms openssh configuration. AWS as ssh-client into an instance (e.g. in instance-connect from the console) only offered weaker KeyExchangeAlgorithms in eu-central-1. Leading to no instance-connect connection since the ssh handshake broke. I extended the KexAlg list (https://github.com/zickzackv/eic-flake/blob/dc1c233e5fa58e5d28bbda726e8375864da4ae60/flake.nix#L53) with one weaker Algorithm in order to create an instance-connect connection. According to the blogpost in openssh configuration option (https://github.com/NixOS/nixpkgs/blob/5710852ba686cc1fd0d3b8e22b3117d43ba374c2/nixos/modules/services/networking/ssh/sshd.nix#L409) these are week algorithms. |
|
There are no known weaknesses against ecdh-sha2-nistp521 as far as I am aware. and NIST curves are required for things like FIPS and other certifications so it makes sense AWS might be using that. We can either add that override to the |
|
By the way this should be enough due to NixOS' list merging: it will append the Kex to the existing list |
|
I am gonna make a PR to nixpkgs with these changes. I think it should live there instead of here. |
... also fixes sshd_config authorizedKeysCommand option to use the symlink name