Skip to content
Snippets Groups Projects
Select Git revision
1 result Searching

README.rst

Blame
  • Forked from PrivateStorage / PrivateStorageio
    Source project has a limited visibility.
    ssh.nix 1.50 KiB
    # A NixOS module which configures SSH access to a system.
    {
      lib,
      config,
      ...
    }: {
      options = {
        services.private-storage.sshUsers = lib.mkOption {
          type = lib.types.attrsOf (lib.types.listOf lib.types.str);
          example = { root = "ssh-ed25519 AAA..."; };
          description = ''
            Users to configure on the issuer server and the storage servers and
            the SSH public keys to use to authenticate them.
          '';
        };
      };
      config =
      let
         cfg = config.services."private-storage";
      in {
        # An attempt at a properly secure SSH configuration.  This is informed by
        # personal experience as well as various web resources:
        #
        # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
        services.openssh = {
          enable = true;
    
          # We only allow key-based authentication.
          kbdInteractiveAuthentication = false;
          passwordAuthentication = false;
    
          extraConfig = ''
            # Possibly this is superfluous considering we don't allow
            # password-based authentication at all.
            PermitEmptyPasswords no
    
            # Agent forwarding is fraught.  It can be used by an attacker to
            # leverage one compromised system into more.  Discourage its use.
            AllowAgentForwarding no
          '';
        };
    
        users.users =
          let makeUserConfig = username: sshPublicKeys: {
            isNormalUser = username != "root";
            openssh.authorizedKeys.keys = sshPublicKeys;
          };
          in builtins.mapAttrs makeUserConfig cfg.sshUsers;
      };
    }