LucasFA commented Oct 30, 2025

Commit message:

sshd determines order of preference from the list of acceptable algos in KexAlgorithms by the order of the items, so sort by security properties or as per upstream OpenSSH ordering

Add new post-quantum secure algorithms

IMO this should try to fail open: right now, new algorithms are forbidden by this configuration. This is also how I learned of this, because of some PQ insecure KexAlgo warnings that OpenSSH now emits.
Alternatively the KexAlgorithms key could be completely dropped, but at this time this poses a risk of breaking some users' SSH, as this would drop the DH-group{16,18}-sha512 algorithms.

Note: there is another section in the darwin/common/openssh.nix file, but I know nothing about Darwin nor how the system SSH daemon would load the resulting file with the rest of the configuration

Edit: just force pushed a rebase on master


LucasFA commented Nov 1, 2025

Note: the (pseudo-)diff nixpkgs..srvos between the shipped KexAlgorithms before this PR is the following

-"mlkem768x25519-sha256"
-"sntrup761x25519-sha512"
+"diffie-hellman-group16-sha512"
+"diffie-hellman-group18-sha512"
-"diffie-hellman-group-exchange-sha256"

After this PR:

+"diffie-hellman-group16-sha512"
+"diffie-hellman-group18-sha512"
-"diffie-hellman-group-exchange-sha256"

Unfortunately, OpenSSH does not allow mixing adding and removing algorithms from the defaults - they can be added, removed, or set, but there is no way to do more than one of these at a time, and the setting is not a mkMerge of some kind, probably for this reason.

The default KexAlgorithms shipped by nixpkgs is essentially as secure as this one. If there is a way for this repository to blacklist specific KexAlgos without overriding the nixpkgs list, I would support it. If that is not doable, I suggest dropping this from the repository in the name of maintainability - it's already been the case for several months that these new algorithms have not been added to the srvos list.

Regarding current srvos users who have loaded this module and may depend on DH-group{16,18}, one option is to create a new compatKex option that keeps the override as it is right now and emits a warning.

We could just drop it, though. Curve25519 has been the default since 2014 at version 6.5. The only conflicts you could find are CentOS versions that have been EOL for years, Scientific Linux 7 (also EOL) and whatever HP UX is.
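
A simplified model of the list semantics discussed in the comment above, added here as an example and not part of the PR, srvos, nixpkgs or OpenSSH code: a plain `KexAlgorithms` value replaces the defaults, while a leading `+`, `-` or `^` appends to, removes from or prepends to them, and only one of these modes applies per value. `DEFAULTS`, `SUPPORTED`, `PINNED` and both function names are constructed for illustration; the sample lists are not the real OpenSSH or nixpkgs defaults.

```python
from fnmatch import fnmatchcase

# Constructed sample lists, NOT the real OpenSSH or nixpkgs defaults.
DEFAULTS = [
    "mlkem768x25519-sha256",
    "sntrup761x25519-sha512",
    "curve25519-sha256",
    "diffie-hellman-group-exchange-sha256",
]
SUPPORTED = DEFAULTS + [
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
]
# Constructed stand-in for a module that pins the whole list.
PINNED = ["curve25519-sha256"] + SUPPORTED[len(DEFAULTS):]


def resolve_kex(directive, defaults=DEFAULTS, supported=SUPPORTED):
    """Effective list for one KexAlgorithms value (simplified model)."""
    mode = directive[0] if directive[0] in "+-^" else ""
    names = directive[len(mode):].split(",")
    if mode == "-":
        # Removal entries may be wildcard patterns.
        return [a for a in defaults
                if not any(fnmatchcase(a, p) for p in names)]
    bad = [n for n in names if n not in supported]
    if bad:
        # Only the first character selects the mode, so a value such as
        # "+a,-b" treats "-b" as an (unknown) algorithm name and fails.
        raise ValueError(f"unsupported KexAlgorithms entries: {bad}")
    if mode == "+":
        return defaults + [n for n in names if n not in defaults]
    if mode == "^":
        return names + [a for a in defaults if a not in names]
    return names  # plain list: replaces the defaults entirely


def excluded_by_pin(pinned, defaults):
    """Default algorithms that a replace-mode list silently drops."""
    effective = resolve_kex(",".join(pinned), defaults, defaults + pinned)
    return [a for a in defaults if a not in effective]


if __name__ == "__main__":
    print(excluded_by_pin(PINNED, DEFAULTS))
    print(resolve_kex("-diffie-hellman-group-exchange-sha256"))
```

On a real host, `sshd -T` prints the effective `kexalgorithms` line after the configuration has been resolved, which is the place to confirm what a given setting actually yields.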
