nix-infra/config/common/ssh.nix

53 lines
1.6 KiB
Nix

# Common SSH configuration.
# Sources for this configuration:
# - https://nixos.org/manual/nixos/stable/#sec-ssh
# - https://infosec.mozilla.org/guidelines/openssh
# - Julians deploy_ssh_server_config Ansible role
{ config, pkgs, ... }:
{
services.openssh = {
enable = true;
openFirewall = true;
settings = {
# Set KexAlgorithms to match Mozilla Modern guideline as of 2023-09-09.
KexAlgorithms = [
"curve25519-sha256@libssh.org"
"ecdh-sha2-nistp521"
"ecdh-sha2-nistp384"
"ecdh-sha2-nistp256"
"diffie-hellman-group-exchange-sha256"
];
# Macs seem reasonable as the default of NixOS 23.05 is a subset of the Mozilla Modern guideline as of 2023-09-09.
# Ciphers seem reasonable as the default of NixOS 23.05 matches the Mozilla Modern guideline as of 2023-09-09.
# X11 Forwarding shouldn't be needed.
X11Forwarding = false;
# Don't allow root login.
PermitRootLogin = "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
# Set this according to Mozilla Modern guideline as of 2023-09-09.
# The guidelines description:
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
# clear audit track of which key was using to log in.
LogLevel = "VERBOSE";
};
# Set those according to Mozilla Modern guideline as of 2023-09-09.
# The guidelines description:
# Log sftp level file access (read/write/etc.) that would not be easily
# logged otherwise.
sftpFlags = [
"-f AUTHPRIV"
"-l INFO"
];
};
}