ssh: add kexAlgorithms to matchBlocks

This commit adds the option to add kexAlgorithms as an matchBlock option with updated test case.
2025-10-27 20:49:00 +01:00 · 2025-10-27 20:49:00 +01:00 · 2d36a6de2f
commit 2d36a6de2f
parent 91cdb0e2d5
3 changed files with 21 additions and 0 deletions
--- a/modules/programs/ssh.nix
+++ b/modules/programs/ssh.nix
@ -383,6 +383,18 @@ let
        example = "10m";
        description = "Whether control socket should remain open in the background.";
      };
+
+      kexAlgorithms = mkOption {
+        type = types.nullOr (types.listOf types.str);
+        default = null;
+        example = [
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group-exchange-sha256"
+        ];
+        description = ''
+          Specifies the available KEX (Key Exchange) algorithms.
+        '';
+      };
    };

    #    config.host = mkDefault dagName;
@ -430,6 +442,9 @@ let
      ++ map (f: "  LocalForward" + addressPort f.bind + addressPort f.host) cf.localForwards
      ++ map (f: "  RemoteForward" + addressPort f.bind + addressPort f.host) cf.remoteForwards
      ++ map (f: "  DynamicForward" + addressPort f) cf.dynamicForwards
+      ++ optional (
+        cf.kexAlgorithms != null
+      ) "  KexAlgorithms ${builtins.concatStringsSep "," cf.kexAlgorithms}"
      ++ [
        (lib.generators.toKeyValue {
          mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
--- a/tests/modules/programs/ssh/match-blocks-attrs-expected.conf
+++ b/tests/modules/programs/ssh/match-blocks-attrs-expected.conf
@ -15,6 +15,7 @@ Host xyz
  RemoteForward [localhost]:8081 [10.0.0.2]:80
  RemoteForward /run/user/1000/gnupg/S.gpg-agent.extra /run/user/1000/gnupg/S.gpg-agent
  DynamicForward [localhost]:2839
+  KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256

 Host ordered
  Port 1
--- a/tests/modules/programs/ssh/match-blocks-attrs.nix
+++ b/tests/modules/programs/ssh/match-blocks-attrs.nix
@ -34,6 +34,11 @@
              host.address = "/run/user/1000/gnupg/S.gpg-agent";
            }
          ];
+          kexAlgorithms = [
+            "sntrup761x25519-sha512"
+            "sntrup761x25519-sha512@openssh.com"
+            "mlkem768x25519-sha256"
+          ];
          dynamicForwards = [ { port = 2839; } ];
          setEnv = {
            FOO = "foo12";