2024-04-22 04:21:07 +02:00
|
|
|
{
|
|
|
|
|
# Hardened OpenSSH server
|
|
|
|
|
# Resources:
|
|
|
|
|
# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations
|
|
|
|
|
services.openssh = {
|
|
|
|
|
enable = true;
|
2024-04-22 05:51:31 +02:00
|
|
|
# banner = "hello world";
|
2024-04-22 04:21:07 +02:00
|
|
|
|
|
|
|
|
allowSFTP = false;
|
|
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
|
PermitRootLogin = "no";
|
|
|
|
|
|
|
|
|
|
# Public key authentiation only
|
|
|
|
|
PasswordAuthentication = false;
|
|
|
|
|
ChallengeResponseAuthentication = false;
|
|
|
|
|
};
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
# Only allow SSH v2
|
|
|
|
|
Protocol 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Check file modes in /etc/ssh
|
|
|
|
|
StrictModes yes
|
|
|
|
|
|
|
|
|
|
UsePrivilegeSeparation sandbox
|
|
|
|
|
PrintLastLog yes
|
|
|
|
|
|
|
|
|
|
# Don't mess with environment variables
|
|
|
|
|
PermitUserEnvironment no
|
|
|
|
|
# AcceptEnv
|
|
|
|
|
|
|
|
|
|
AllowTcpForwarding no
|
|
|
|
|
|
|
|
|
|
# wip
|
|
|
|
|
AllowTcpForwarding yes
|
|
|
|
|
X11Forwarding no
|
|
|
|
|
AllowAgentForwarding no
|
|
|
|
|
AllowStreamLocalForwarding no
|
|
|
|
|
AuthenticationMethods publickey
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
# ssh R6: StrictHostKeyChecking ask
|
|
|
|
|
|
