How to override openssh package used in services.openssh

Many services in nixos modules have a configurable package (e.g. services.openldap.package). services.openssh.package does not appear to exist. Given that this morning, the openssh CVE fixes had not yet made it through Hydra, what’s the most expedient way for me to use a different package for openssh?

The service uses programs.ssh.package.

IIUC this is true for 24.05, but if you’re on unstable you can use services.openssh.package added in nixos/ssh: add services.openssh.package by tomfitzhenry · Pull Request #309036 · NixOS/nixpkgs · GitHub

Thanks, it makes sense in hindsight, but was non-obvious to me. My public-facing machines are now running openssh-9.8p1

Maybe we should document how people can pull in the new OpenSSH alone from -small. It’s a bit tricky as it depends on whether you’re using channels or flakes or npins or whatever, and in a few hours the main channels will have been bumped and it won’t be relevant any more. Something to keep in mind for next time, I suppose…
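
One way to put the two answers above together (programs.ssh.package on 24.05, services.openssh.package on unstable) while pulling OpenSSH from the -small channel, as an added example rather than code from this thread or from nixpkgs. The channel URL, the impure fetchTarball, the `options`-based detection of the newer option, and the 9.8p1 version check are assumptions; adjust them to how you pin nixpkgs (channels vs. flakes) and to the version your -small channel actually carries.

```nix
{ config, lib, options, pkgs, ... }:

let
  # Assumption: take the fixed OpenSSH from a -small channel, which Hydra
  # finishes ahead of the large channel. Use the -small channel matching
  # your release (nixos-24.05-small or nixos-unstable-small).
  # fetchTarball without a hash is impure: acceptable for a channel-based
  # configuration; with flakes pin a revision and hash instead.
  pkgsSmall = import (builtins.fetchTarball
    "https://channels.nixos.org/nixos-unstable-small/nixexprs.tar.xz") {
      system = pkgs.stdenv.hostPlatform.system;
    };
  fixedOpenssh = pkgsSmall.openssh;

  # On unstable (after PR #309036) the sshd module has its own package
  # option; on 24.05 it does not, and sshd follows programs.ssh.package.
  # Checking the declared options avoids defining an option that would
  # not exist on 24.05 (which is an evaluation error).
  hasServicePackage = options.services.openssh ? package;
in
{
  # Covers the ssh client, and on 24.05 sshd as well.
  programs.ssh.package = fixedOpenssh;

  services.openssh = {
    enable = true;
  } // lib.optionalAttrs hasServicePackage {
    # Covers sshd on unstable.
    package = fixedOpenssh;
  };

  # Assumption: the -small channel already carries 9.8p1 (as the poster
  # above reports). Fail the build loudly if the override did not take,
  # instead of silently running the old sshd.
  assertions = [
    {
      assertion = lib.versionAtLeast fixedOpenssh.version "9.8p1";
      message = "openssh from -small is ${fixedOpenssh.version}, expected >= 9.8p1";
    }
  ];
}
```

After `nixos-rebuild switch`, `ssh -V` and `systemctl status sshd` (look at the ExecStart store path) confirm which build is actually serving connections.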

I wouldn’t recommend hastily updating services ahead of upstream. It may cause additional issues, it may even cause additional vulnerabilities. Note that the issue in question takes days if not weeks to exploit, so patching it faster won’t yield more security.

There is no guarantee that the exploits won’t improve (indeed, I suspect they quickly will) and the only reason it’s not available in the large channels is just because they’re slow to build. It’s fine to manually backport the hotfix patch update from 24.05 and I recommend it if you can’t use -small and want a fix before the channel bumps in a few hours.

On unstable, you should make sure none of the potentially backwards‐incompatible changes in the 9.8p1 release notes are an issue for you, and make sure you don’t use initrd SSH (Fix SSH in initrd by r-vdp · Pull Request #323796 · NixOS/nixpkgs · GitHub hasn’t hit the large channel yet); then backporting the 9.8p1 bump is fine. It’s subtler than on 24.05 because we just took the major version bump and it caused that regression.