nixos/ssh: don't accept ssh-dss keys

These have been deprecated long enough. I think this default was even made non-functional by 2337c75. But it's still a scary thing to see there. Fixes #33381.
NixOS · Apr 7, 2020 · 387b9bf · 387b9bf
1 parent d7b9812
commit 387b9bf
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/nixos/modules/programs/ssh.nix b/nixos/modules/programs/ssh.nix
@@ -61,12 +61,9 @@ in
         '';
       };
 
-      # Allow DSA keys for now. (These were deprecated in OpenSSH 7.0.)
       pubkeyAcceptedKeyTypes = mkOption {
         type = types.listOf types.str;
-        default = [
-          "+ssh-dss"
-        ];
+        default = [];
         example = [ "ssh-ed25519" "ssh-rsa" ];
         description = ''
           Specifies the key types that will be used for public key authentication.
@@ -75,9 +72,7 @@ in
 
       hostKeyAlgorithms = mkOption {
         type = types.listOf types.str;
-        default = [
-          "+ssh-dss"
-        ];
+        default = [];
         example = [ "ssh-ed25519" "ssh-rsa" ];
         description = ''
           Specifies the host key algorithms that the client wants to use in order of preference.