forked from CCCHH/nix-infra
53 lines
1.6 KiB
Nix
53 lines
1.6 KiB
Nix
# Common SSH configuration.
|
|
# Sources for this configuration:
|
|
# - https://nixos.org/manual/nixos/stable/#sec-ssh
|
|
# - https://infosec.mozilla.org/guidelines/openssh
|
|
# - Julians deploy_ssh_server_config Ansible role
|
|
|
|
{ config, pkgs, ... }:
|
|
|
|
{
|
|
services.openssh = {
|
|
enable = true;
|
|
|
|
openFirewall = true;
|
|
|
|
settings = {
|
|
# Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
|
|
KexAlgorithms = [
|
|
"curve25519-sha256@libssh.org"
|
|
"ecdh-sha2-nistp521"
|
|
"ecdh-sha2-nistp384"
|
|
"ecdh-sha2-nistp256"
|
|
"diffie-hellman-group-exchange-sha256"
|
|
];
|
|
# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
|
|
# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
|
|
|
|
# X11 Forwarding shouldn't be needed.
|
|
X11Forwarding = false;
|
|
|
|
# Don't allow root login.
|
|
PermitRootLogin = "no";
|
|
|
|
PasswordAuthentication = false;
|
|
KbdInteractiveAuthentication = false;
|
|
|
|
# Set this according to Mozilla Modern guideline as of 2023-09-09.
|
|
# The guidelines description:
|
|
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
|
|
# clear audit track of which key was using to log in.
|
|
LogLevel = "VERBOSE";
|
|
};
|
|
|
|
# Set those according to Mozilla Modern guideline as of 2023-09-09.
|
|
# The guidelines description:
|
|
# Log sftp level file access (read/write/etc.) that would not be easily
|
|
# logged otherwise.
|
|
sftpFlags = [
|
|
"-f AUTHPRIV"
|
|
"-l INFO"
|
|
];
|
|
};
|
|
}
|