tasiaiso/nixos-config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
nixos-config/common/services/sshd.nix
Tasia Iso 35941a67c9
test 
new line
2024-04-26 15:26:18 +02:00

78 lines
2.3 KiB
Nix
Raw Blame History

{pkgs, ...}: {
# Hardened OpenSSH server
# Resources:
# https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
# ...more soon...
services.openssh = {
enable = true;
allowSFTP = false;
settings = {
PermitRootLogin = "no";
AllowUsers = ["user" "tasia"];
# Public key authentiation only
PasswordAuthentication = false;
ChallengeResponseAuthentication = true;
KbdInteractiveAuthentication = true;
AuthenticationMethods = "publickey,keyboard-interactive";
};
extraConfig = ''
# Only allow SSH v2
Protocol 2
# Check file modes in /etc/ssh
StrictModes yes
UsePrivilegeSeparation sandbox
PrintLastLog yes
# Don't allow clients to mess with environment variables
PermitUserEnvironment no
# AcceptEnv
AllowTcpForwarding no
# wip
# AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
AllowStreamLocalForwarding no
'';
};
# needed for 2fa
security.pam.services = {
sshd.text = ''
# Check for the client's public key
account required pam_unix.so # unix (order 10900)
# Actually check for the 2FA code.
# "nullok": accept session if .google_authenticator doesn't exist
# "no_increment_hotp": make sure the counter isn't incremented for failed attempts.
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
# If .google_authenticator isn't present, you can still let them through
auth sufficient pam_permit.so
# Load the environment variables for the new ssh session
session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
# Logs when a user logins or leave the system.
session required pam_unix.so # unix (order 10200)
# Record user's login uid to the process attribute
session required pam_loginuid.so # loginuid (order 10300)
# Register user sessions in the systemd login manager
session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
'';
};
# CLI tool
environment.systemPackages = with pkgs; [
google-authenticator
];
}
# ssh R6: StrictHostKeyChecking ask
Reference in a new issue View git blame Copy permalink