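{pkgs, ...}: {
  # Hardened OpenSSH server
  #
  # Resources:
  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
  #
  # Authentication policy: a login needs a public key AND a one-time code from
  # pam_google_authenticator (second factor, delivered over keyboard-interactive).
  # Every account in AllowUsers must be enrolled (run `google-authenticator` as
  # that user so ~/.google_authenticator exists) before this is deployed,
  # otherwise that account can no longer log in.
  services.openssh = {
    enable = true;

    # No SFTP subsystem on this host (scp/rsync over sftp will not work).
    allowSFTP = false;

    settings = {
      PermitRootLogin = "no";

      AllowUsers = [ "user" "tasia" ];

      # Public key authentication + PAM one-time code only; no passwords.
      PasswordAuthentication = false;

      # keyboard-interactive is the channel pam_google_authenticator prompts
      # over, so it has to stay enabled. Do NOT also set
      # ChallengeResponseAuthentication: it is the deprecated alias of this
      # keyword, and sshd honours the first occurrence of a keyword, so a
      # conflicting value could silently switch the second factor off.
      KbdInteractiveAuthentication = true;

      # PAM is what runs the google-authenticator module (NixOS default, made explicit).
      UsePAM = true;
    };

    extraConfig = ''
      # Only allow SSH v2 (OpenSSH >= 7.4 ignores this keyword; SSH-1 was removed)
      Protocol 2

      # Check file modes in /etc/ssh
      StrictModes yes

      # Deprecated no-op since OpenSSH 7.5 (privilege separation and the
      # sandbox are always on); kept for older daemons only
      UsePrivilegeSeparation sandbox

      PrintLastLog yes

      # Don't mess with environment variables
      PermitUserEnvironment no
      # AcceptEnv

      # All forwarding off. sshd keeps the FIRST value it sees for a keyword,
      # so a second AllowTcpForwarding line further down would be dead
      # config, not an override -- change this line instead.
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no

      # Require BOTH factors: the public key, then the PAM keyboard-interactive
      # prompt (google-authenticator). With "publickey" alone the PAM module
      # enabled below is never consulted and the second factor is bypassed.
      AuthenticationMethods publickey,keyboard-interactive
    '';
  };

  security.pam = {
    services.sshd.googleAuthenticator.enable = true;
  };

  environment.systemPackages = with pkgs; [
    google-authenticator
  ];
}

# ssh R6: StrictHostKeyChecking ask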