From 7d0540d7e7fadba67a8fd6a9153ef636d38e56bf Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Tue, 9 Jun 2020 08:54:10 -0400
Subject: [PATCH] Do some actual SSH configuration improvement

---
 nixos/modules/ssh.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 497efdf7..fc028fd5 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -16,6 +16,22 @@
     # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
     services.openssh = {
       enable = true;
+
+      # We don't use SFTP for anything.  No reason to expose it.
+      allowSFTP = false;
+
+      # We only allow key-based authentication.
+      challengeResponseAuthentication = false;
+      passwordAuthentication = false;
+
+      extraConfig = ''
+        # Possibly this is superfluous considering we don't allow
+        # password-based authentication at all.
+        PermitEmptyPasswords no
+
+        # Don't allow authentication as random system users.
+        AllowUsers root
+      '';
     };
 
     users.users.root.openssh.authorizedKeys.keys = [
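Review bot: The new options restrict logins to root via `AllowUsers root` and turn off password and challenge-response authentication, but `services.openssh.permitRootLogin` is left unset, so whether root can log in at all (and by which method) rests on the NixOS module's default rather than on this configuration. Pinning it next to the other authentication options, `permitRootLogin = "prohibit-password";`, makes the key-only root access the comments describe explicit and robust to a change in the module default. The `# We only allow key-based authentication.` comment would then be true by construction; as written it is true only if the default stays key-friendly. The `services.openssh` attribute set closes inside the hunk, but the enclosing module definition starts before and continues after it.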
-- 
GitLab