Revert "openssh: 6.9p1 -> 7.0p1"

This reverts commit a8eb2a6a81524f3be0c8886f6d06090b50b0a513. OpenSSH
7.0 is causing too many interoperability problems so soon before the
15.08 release.

For instance, it causes NixOps EC2 initial deployments to fail with
"REMOTE HOST IDENTIFICATION HAS CHANGED". This is because the client
knows the server's ssh-dss host key, but this key is no longer
accepted by default. Setting "HostKeyAlgorithms" to "+ssh-dss" does
not work because it causes ssh-dss to be ordered after
"ecdsa-sha2-nistp521", which the server also offers. (Normally, ssh
prioritizes host key algorithms for which the client has a known host
key, but not if you set HostKeyAlgorithms.)

+2 -8
-3
nixos/modules/programs/ssh.nix
··· 115 115 116 116 ForwardX11 ${if cfg.forwardX11 then "yes" else "no"} 117 117 118 - # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) 119 - PubkeyAcceptedKeyTypes +ssh-dss 120 - 121 118 ${cfg.extraConfig} 122 119 ''; 123 120
-3
nixos/modules/services/networking/ssh/sshd.nix
··· 413 413 ${flip concatMapStrings cfg.hostKeys (k: '' 414 414 HostKey ${k.path} 415 415 '')} 416 - 417 - # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.) 418 - PubkeyAcceptedKeyTypes +ssh-dss 419 416 ''; 420 417 421 418 assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true;
+2 -2
pkgs/tools/networking/openssh/default.nix
··· 17 17 in 18 18 with stdenv.lib; 19 19 stdenv.mkDerivation rec { 20 - name = "openssh-7.0p1"; 20 + name = "openssh-6.9p1"; 21 21 22 22 src = fetchurl { 23 23 url = "mirror://openbsd/OpenSSH/portable/${name}.tar.gz"; 24 - sha256 = "1rc52jyc5v5b8j9kvasrnz9vnj9b0i7fw4nqac8wix0r794k4ngx"; 24 + sha256 = "1zkci5nbpb4frmzj2vr3kv9j47x2h72kvybcpr0d8mzk73sls1vf"; 25 25 }; 26 26 27 27 prePatch = optionalString hpnSupport
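Review bot: In nixos/modules/programs/ssh.nix the client line being dropped is `PubkeyAcceptedKeyTypes +ssh-dss`, which governs user keys, while the failure described in the commit message concerns the ssh-dss host key and `HostKeyAlgorithms`. The comment "Allow DSA keys for now" disappears with it, so consider recording in the commit message (or in a comment above `${cfg.extraConfig}`) that a re-applied 7.0 bump needs a host key answer too, so the next attempt does not simply restore this one line.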
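Review bot: In nixos/modules/services/networking/ssh/sshd.nix the `HostKey ${k.path}` loop over `cfg.hostKeys` is unchanged context, so the host keys the server offers stay as they are and only `PubkeyAcceptedKeyTypes +ssh-dss` is removed. The commit message says clients that know only the server's ssh-dss host key fail under 7.0, and that will recur on the next upgrade attempt unless the host key list or the clients' known hosts are migrated first. A reference to a follow-up for that migration in the commit message would help.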
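Review bot: In pkgs/tools/networking/openssh/default.nix the `sha256` at line 24 is the only integrity check on the tarball, because `url` is built from `name` and resolves through `mirror://openbsd/OpenSSH/portable/`. Please confirm the restored `sha256` is exactly the value that was in the tree before a8eb2a6a81524f3be0c8886f6d06090b50b0a513 rather than one recomputed from a fresh download, and say so in the commit message so it can be checked in review.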