nixos/openssh: Add sntrup761x25519-sha512 kexAlgo

Introduced in OpenSSH 9.0, it became part of the default kexAlgorithm
selection, visible in sshd_config(5).

It is also enabled by default in the OpenSSH client, as can be seen from

$ ssh -Q KexAlgorithms

Also clarifies that we use the referenced documents as the lower bound,
given that they haven't been updated for 5-7y.
Martin Weinelt 2 years ago
parent 5d589feb6e
commit fa7ce6bc7f
GPG Key ID: 87C1E9888F856759
      nixos/modules/services/networking/ssh/sshd.nix

@ -293,6 +293,7 @@ in
kexAlgorithms = mkOption {
type = types.listOf types.str;
default = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group-exchange-sha256"
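Review bot: the new first entry `"sntrup761x25519-sha512@openssh.com"` in the `kexAlgorithms` default makes the module's default config hard-depend on an sshd that knows this algorithm name; sshd rejects a `KexAlgorithms` list containing an unknown name at config-parse time and will not start, so any user who sets `services.openssh.package` to an OpenSSH build predating the version this commit message names (9.0) gets a broken daemon from the default alone. Either guard the entry on the package version (for example, prepend it only when the package's version is at least the one required) or state the minimum OpenSSH version in the option description next to the default so the failure is explained where it is configured. Also worth noting in review that `default` changes are silent for users who never touched the option, so a release-notes entry would help.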
@ -301,7 +302,7 @@ in
Allowed key exchange algorithms
</para>
<para>
Defaults to recommended settings from both
Uses the lower bound recommended in both
<link xlink:href="https://stribika.github.io/2015/01/04/secure-secure-shell.html" />
and
<link xlink:href="https://infosec.mozilla.org/guidelines/openssh#modern-openssh-67" />
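Review bot: the replacement sentence `Uses the lower bound recommended in both` reads ambiguously in the rendered docs, since "lower bound" could be taken as "the weakest of the two lists" rather than the intended "at least as strong as both"; the commit message makes the intent clear (the referenced documents are a floor, not an exact match, because they are several years old), so the description should say that explicitly, for instance "Defaults to at least the settings recommended in ... and ...; newer algorithms are added as OpenSSH gains support for them." Also, the hunk shows a visible docs change only for the default list's description while the list itself now leads with a post-quantum hybrid kex not mentioned in either linked document, so a sentence naming that addition here would keep the description consistent with the default it documents.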
