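{pkgs, ...}: {
  # Hardened OpenSSH server
  #
  # Resources:
  # https://cyber.gouv.fr/en/publications/openssh-secure-use-recommendations (2015)
  # ...more soon...
  #
  # Authentication model: sshd verifies the public key itself, then the
  # keyboard-interactive step hands off to the PAM stack below, which only
  # asks for the TOTP code. AuthenticationMethods makes both steps mandatory.
  # Keyboard-interactive relies on UsePAM, which the NixOS module enables by
  # default.
  services.openssh = {
    enable = true;
    allowSFTP = false;

    settings = {
      PermitRootLogin = "no";
      AllowUsers = ["user" "tasia" "dedsec"];

      # Public key authentication only (no password prompts); the
      # keyboard-interactive step is reserved for the second factor.
      PasswordAuthentication = false;
      # ChallengeResponseAuthentication is the legacy alias of
      # KbdInteractiveAuthentication; both are set so the same value is used
      # whichever name the installed sshd prefers.
      ChallengeResponseAuthentication = true;
      KbdInteractiveAuthentication = true;
      AuthenticationMethods = "publickey,keyboard-interactive";
    };

    extraConfig = ''
      # "Protocol 2" and "UsePrivilegeSeparation sandbox" are intentionally
      # absent: SSH v1 support has been removed from OpenSSH, and privilege
      # separation is always on, so the latter only produced a deprecation
      # warning in the logs.

      # Check file modes in /etc/ssh and in users' ~/.ssh before trusting them
      StrictModes yes

      PrintLastLog yes

      # Don't allow clients to mess with environment variables
      PermitUserEnvironment no
      # AcceptEnv

      # No forwarding of any kind: this host is not a jump host.
      AllowTcpForwarding no
      # wip
      # AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no

      # Yubikey: FIDO (sk-*) keys must have been used with user verification
      # (PIN/biometric), not just touch. This only applies to sk-* keys;
      # other key types are unaffected.
      PubkeyAuthOptions verify-required
    '';
  };

  # needed for 2fa: this replaces the NixOS-generated sshd PAM stack.
  # There is deliberately no "auth ... pam_unix.so" line: the first factor is
  # the public key, already verified by sshd, so PAM only handles the TOTP code.
  security.pam.services = {
    sshd.text = ''
      # Account validity check (expiry etc.). The public key is verified by
      # sshd itself before PAM is consulted, not here.
      account required pam_unix.so # unix (order 10900)

      # Actually check for the 2FA code.
      # "nullok": accept session if .google_authenticator doesn't exist
      #   -> a user who has not enrolled gets in on the public key alone, so
      #      enroll every account listed in AllowUsers (or drop "nullok").
      # "no_increment_hotp": make sure the counter isn't incremented for failed attempts.
      auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
      # If .google_authenticator isn't present, you can still let them through
      auth sufficient pam_permit.so

      # Load the environment variables for the new ssh session
      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
      # Logs when a user logs in or leaves the system.
      session required pam_unix.so # unix (order 10200)
      # Record user's login uid to the process attribute
      session required pam_loginuid.so # loginuid (order 10300)
      # Register user sessions in the systemd login manager
      session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
    '';
  };

  # CLI tools
  environment.systemPackages = with pkgs; [
    google-authenticator # enrolment tool: creates the per-user .google_authenticator file
    ssh-audit # audits the running sshd's algorithms and settings
  ];

  # Check whether this is actually doing anything
  # It is, it even bans legit connections.
  # services.fail2ban = {
  #   enable = true;
  #   ignoreIP = [
  #     #
  #   ];
  # };
}

# ssh R6: StrictHostKeyChecking ask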