From 7d0540d7e7fadba67a8fd6a9153ef636d38e56bf Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Tue, 9 Jun 2020 08:54:10 -0400
Subject: [PATCH] Do some actual SSH configuration improvement

---
 nixos/modules/ssh.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index 497efdf7..fc028fd5 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -16,6 +16,22 @@
   # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
   services.openssh = {
     enable = true;
+
+    # We don't use SFTP for anything. No reason to expose it.
+    allowSFTP = false;
+
+    # We only allow key-based authentication.
+    challengeResponseAuthentication = false;
+    passwordAuthentication = false;
+
+    extraConfig = ''
+      # Possibly this is superfluous considering we don't allow
+      # password-based authentication at all.
+      PermitEmptyPasswords no
+
+      # Don't allow authentication as random system users.
+      AllowUsers root
+    '';
   };
 
   users.users.root.openssh.authorizedKeys.keys = [
-- 
GitLab
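Review bot: `AllowUsers root` in `extraConfig` makes root the only account that can authenticate, but the hunk does not pin `services.openssh.permitRootLogin`, so whether that root login is key-only depends on the module's default rather than on this file; add `permitRootLogin = "prohibit-password";` next to the two authentication toggles so the "key-based only" intent stated in the comment is enforced explicitly. The `services.openssh` attribute set is entirely within the hunk, but the `authorizedKeys` list that makes root login usable continues after it. `PermitEmptyPasswords no` restates sshd's default and is already moot once `passwordAuthentication = false`, so the comment above it could simply say that the line is kept for defense in depth, or the line dropped.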