diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 497efdf7ace456cb656baa4448b2650316e7d98b..fc028fd5aaaa68287fefe6f8a9040eb51135768c 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -16,6 +16,22 @@
     # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
     services.openssh = {
       enable = true;
+
+      # We don't use SFTP for anything.  No reason to expose it.
+      allowSFTP = false;
+
+      # We only allow key-based authentication.
+      challengeResponseAuthentication = false;
+      passwordAuthentication = false;
+
+      extraConfig = ''
+        # Possibly this is superfluous considering we don't allow
+        # password-based authentication at all.
+        PermitEmptyPasswords no
+
+        # Don't allow authentication as random system users.
+        AllowUsers root
+      '';
     };
 
     users.users.root.openssh.authorizedKeys.keys = [
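Review bot: With `AllowUsers root` in `extraConfig`, root becomes the only account sshd will accept, yet the `services.openssh` block never states how root may authenticate, so the key-only posture rests on whatever `permitRootLogin` value applies by module default or elsewhere. I would pin it next to the other authentication settings, e.g. `permitRootLogin = "prohibit-password";`, so the intent survives a change of defaults. The comment above `AllowUsers root` could also spell out the consequence for other accounts: `# Only root may log in over SSH; any other account is rejected even if it has authorized keys.` The enclosing module and the `authorizedKeys.keys` list continue outside this hunk, so a setting not visible here may already cover the first point.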