
patching authorizedKeysCommand to use /etc/ssl/certs/ca-bundle.crt

Open zickzackv opened this issue 1 year ago • 6 comments

... also fixes sshd_config authorizedKeysCommand option to use the symlink name

zickzackv avatar Apr 14 '24 13:04 zickzackv

Thanks! Have you had time to test this yet? I will have bandwidth after 24.05 to look at this hopefully

arianvp avatar May 13 '24 18:05 arianvp

TLDR: Yes, I tested it and a configuration of KexAlgorithms was also needed.

Yeah, I got it working with the changes. I wrote a simple one-file flake to test the changes first. https://github.com/zickzackv/eic-flake

I sadly ran into a strange problem with the KeyExchangeAlgorithms openssh configuration that NixOS provides. AWS as the ssh client into an instance (e.g. in instance-connect from the console) only offered weaker KeyExchangeAlgorithms in eu-central-1, which led to no instance-connect connection since the ssh handshake broke.

I extended the KexAlg list (https://github.com/zickzackv/eic-flake/blob/dc1c233e5fa58e5d28bbda726e8375864da4ae60/flake.nix#L53) with one weaker algorithm in order to create an instance-connect connection. According to the blog post referenced in the openssh configuration option (https://github.com/NixOS/nixpkgs/blob/5710852ba686cc1fd0d3b8e22b3117d43ba374c2/nixos/modules/services/networking/ssh/sshd.nix#L409) these are weak algorithms.

zickzackv avatar May 23 '24 07:05 zickzackv

ecdh-sha2-nistp521 is not weak. It's just that some people are scared of anything NIST and try to avoid NIST curves whenever they can. This has more to do with politics than actual security arguments, IIRC.

There are no known weaknesses against ecdh-sha2-nistp521 as far as I am aware. And NIST curves are required for things like FIPS and other certifications, so it makes sense that AWS might be using that.

We can either add that override to the amazon-image config or we can see if we can add that KEX to the upstream openssh module.

arianvp avatar May 24 '24 07:05 arianvp

By the way this should be enough due to NixOS' list merging:

services.openssh.settings.KexAlgorithms = [ "ecdh-sha2-nistp521" ];

It will append the KEX to the existing list.

arianvp avatar May 24 '24 07:05 arianvp
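Added example, not code from this thread or from the amis/nixpkgs projects: a POSIX sh check that reads the effective sshd configuration as printed by `sshd -T` and confirms the two settings discussed above, that the KexAlgorithms list still offers ecdh-sha2-nistp521 after the NixOS merge, and that the AuthorizedKeysCommand line references /etc/ssl/certs/ca-bundle.crt. It assumes the bundle path appears as an argument on the AuthorizedKeysCommand line; the sample dump and the wrapper path in it are constructed.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output: lowercase keyword, one setting per line.
# The wrapper path is a placeholder, not the real instance-connect command.
SAMPLE_CONFIG='kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,ecdh-sha2-nistp521
authorizedkeyscommand /path/to/authorized-keys-wrapper /etc/ssl/certs/ca-bundle.crt %u %f
authorizedkeyscommanduser ec2-instance-connect'

# Print the value of keyword $2 from the `sshd -T` dump passed as $1 (empty if absent).
sshd_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '$1 == key { sub(/^[^ ]+ /, ""); print; exit }'
}

# Succeed if the comma-separated KexAlgorithms list in dump $1 offers algorithm $2.
kex_offered() {
  sshd_setting "$1" kexalgorithms | tr ',' '\n' | grep -qx -- "$2"
}

# Succeed if the AuthorizedKeysCommand in dump $1 names the CA bundle symlink
# (assumption: the path is passed on the command line, as in the sample above).
uses_ca_bundle() {
  sshd_setting "$1" authorizedkeyscommand | grep -q -- '/etc/ssl/certs/ca-bundle.crt'
}

# Run both checks against dump $1, print a report, return non-zero if any fails.
check_sshd_dump() {
  status=0
  if kex_offered "$1" ecdh-sha2-nistp521; then
    echo "ok: ecdh-sha2-nistp521 is offered"
  else
    echo "FAIL: ecdh-sha2-nistp521 missing; the AWS instance-connect client may not complete the handshake"
    status=1
  fi
  if uses_ca_bundle "$1"; then
    echo "ok: AuthorizedKeysCommand references /etc/ssl/certs/ca-bundle.crt"
  else
    echo "FAIL: AuthorizedKeysCommand does not reference the CA bundle symlink"
    status=1
  fi
  return $status
}

# Stand-alone run uses the constructed sample; on a host use: check_sshd_dump "$(sshd -T)"
check_sshd_dump "$SAMPLE_CONFIG"
```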

I am gonna make a PR to nixpkgs with these changes. I think it should live there instead of here.

arianvp avatar May 25 '24 11:05 arianvp

Thanks for taking care.

zickzackv avatar May 28 '24 07:05 zickzackv