nixos-config/common/services/sshd.nix

{pkgs, ...}: {
  # Hardened OpenSSH server
  # Resources:
  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
  # ...more soon...
  services.openssh = {
    enable = true;

    allowSFTP = false;

    settings = {
      PermitRootLogin = "no";

      AllowUsers = ["user" "tasia"];

      # Public key authentiation only
      PasswordAuthentication = false;

      ChallengeResponseAuthentication = true;
      KbdInteractiveAuthentication = true;
      AuthenticationMethods = "publickey,keyboard-interactive";
    };
    extraConfig = ''
      # Only allow SSH v2
      Protocol 2

      # Check file modes in /etc/ssh
      StrictModes yes

      UsePrivilegeSeparation sandbox
      PrintLastLog yes

      # Don't allow clients to mess with environment variables
      PermitUserEnvironment no
      # AcceptEnv

      AllowTcpForwarding no

      # wip
      # AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no

      # Yubikey
      PubkeyAuthOptions verify-required
    '';
  };

  # needed for 2fa
  security.pam.services = {
    sshd.text = ''
      # Check for the client's public key
      account required pam_unix.so # unix (order 10900)

      # Actually check for the 2FA code.
      # "nullok": accept session if .google_authenticator doesn't exist
      # "no_increment_hotp": make sure the counter isn't incremented for failed attempts.
      auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
      # If .google_authenticator isn't present, you can still let them through
      auth sufficient pam_permit.so

      # Load the environment variables for the new ssh session
      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
      # Logs when a user logins or leave the system.
      session required pam_unix.so # unix (order 10200)
      # Record user's login uid to the process attribute
      session required pam_loginuid.so # loginuid (order 10300)
      # Register user sessions in the systemd login manager
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
    '';
  };

  # CLI tools
  environment.systemPackages = with pkgs; [
    google-authenticator
    ssh-audit
  ];

  # Check whether this is actually doing anything
  services.fail2ban = {
    enable = true;
    ignoreIP = [
      #
    ];
  };
}
# ssh R6: StrictHostKeyChecking ask
test 2fa 2024-04-24 12:34:43 +02:00			`{pkgs, ...}: {`
update 2024-04-22 04:21:07 +02:00			`# Hardened OpenSSH server`
			`# Resources:`
awawa 2024-04-23 16:19:33 +02:00			`# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)`
more sshauce 2024-04-24 15:34:26 +02:00			`# ...more soon...`
update 2024-04-22 04:21:07 +02:00			`services.openssh = {`
			`enable = true;`

			`allowSFTP = false;`

			`settings = {`
			`PermitRootLogin = "no";`

temp ssh 2024-04-24 15:17:34 +02:00			`AllowUsers = ["user" "tasia"];`
test 2fa 2024-04-24 12:34:43 +02:00
update 2024-04-22 04:21:07 +02:00			`# Public key authentiation only`
			`PasswordAuthentication = false;`
temp ssh 2024-04-24 15:17:34 +02:00
			`ChallengeResponseAuthentication = true;`
test 2fa 2024-04-24 12:34:43 +02:00			`KbdInteractiveAuthentication = true;`
temp ssh 2024-04-24 15:17:34 +02:00			`AuthenticationMethods = "publickey,keyboard-interactive";`
update 2024-04-22 04:21:07 +02:00			`};`
			`extraConfig = ''`
			`# Only allow SSH v2`
			`Protocol 2`

			`# Check file modes in /etc/ssh`
			`StrictModes yes`

			`UsePrivilegeSeparation sandbox`
			`PrintLastLog yes`

keys and stuff 2024-04-26 15:06:55 +02:00			`# Don't allow clients to mess with environment variables`
update 2024-04-22 04:21:07 +02:00			`PermitUserEnvironment no`
			`# AcceptEnv`

			`AllowTcpForwarding no`

			`# wip`
test new line 2024-04-26 15:26:18 +02:00			`# AllowTcpForwarding yes`
update 2024-04-22 04:21:07 +02:00			`X11Forwarding no`
			`AllowAgentForwarding no`
			`AllowStreamLocalForwarding no`
sshd with yubikeys 2024-10-05 10:39:16 +02:00
			`# Yubikey`
			`PubkeyAuthOptions verify-required`
update 2024-04-22 04:21:07 +02:00			`'';`
			`};`
test 2fa 2024-04-24 12:34:43 +02:00
keys and stuff 2024-04-26 15:06:55 +02:00			`# needed for 2fa`
temp ssh 2024-04-24 15:17:34 +02:00			`security.pam.services = {`
			`sshd.text = ''`
keys and stuff 2024-04-26 15:06:55 +02:00			`# Check for the client's public key`
temp ssh 2024-04-24 15:17:34 +02:00			`account required pam_unix.so # unix (order 10900)`

keys and stuff 2024-04-26 15:06:55 +02:00			`# Actually check for the 2FA code.`
			`# "nullok": accept session if .google_authenticator doesn't exist`
			`# "no_increment_hotp": make sure the counter isn't incremented for failed attempts.`
temp ssh 2024-04-24 15:17:34 +02:00			`auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)`
keys and stuff 2024-04-26 15:06:55 +02:00			`# If .google_authenticator isn't present, you can still let them through`
more sshauce 2024-04-24 15:34:26 +02:00			`auth sufficient pam_permit.so`
temp ssh 2024-04-24 15:17:34 +02:00
keys and stuff 2024-04-26 15:06:55 +02:00			`# Load the environment variables for the new ssh session`
temp ssh 2024-04-24 15:17:34 +02:00			`session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)`
keys and stuff 2024-04-26 15:06:55 +02:00			`# Logs when a user logins or leave the system.`
temp ssh 2024-04-24 15:17:34 +02:00			`session required pam_unix.so # unix (order 10200)`
keys and stuff 2024-04-26 15:06:55 +02:00			`# Record user's login uid to the process attribute`
temp ssh 2024-04-24 15:17:34 +02:00			`session required pam_loginuid.so # loginuid (order 10300)`
keys and stuff 2024-04-26 15:06:55 +02:00			`# Register user sessions in the systemd login manager`
temp ssh 2024-04-24 15:17:34 +02:00			`session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)`
			`'';`
test 2fa 2024-04-24 12:34:43 +02:00			`};`
temp ssh 2024-04-24 15:17:34 +02:00
mhm yaseen 2024-04-29 14:31:33 +02:00			`# CLI tools`
test 2fa 2024-04-24 12:34:43 +02:00			`environment.systemPackages = with pkgs; [`
			`google-authenticator`
mhm yaseen 2024-04-29 14:31:33 +02:00			`ssh-audit`
test 2fa 2024-04-24 12:34:43 +02:00			`];`
mhm yaseen 2024-04-29 14:31:33 +02:00
			`# Check whether this is actually doing anything`
			`services.fail2ban = {`
			`enable = true;`
			`ignoreIP = [`
			`#`
			`];`
			`};`
update 2024-04-22 04:21:07 +02:00			`}`
			`# ssh R6: StrictHostKeyChecking ask`
keys and stuff 2024-04-26 15:06:55 +02:00