commit ce6ce0fb074d242aa13b968e3a9e3a267c285f25
parent 547d7d0dce2ad2a76c80460bb243279073a6f596
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 11 Mar 2025 22:51:36 +0100
parent 547d7d0dce2ad2a76c80460bb243279073a6f596
Author: Katja (ctucx) <git@ctu.cx>
Date: Tue, 11 Mar 2025 22:51:36 +0100
nixos: harden sshd-config
3 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/configurations/nixos/default.nix b/configurations/nixos/default.nix
@@ -1,7 +1,7 @@
 { inputs, secrets, nodeName, config, ctucxConfig, lib, pkgs, ... }:
 let
- katja-pubkey = "ssh-rsa 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 (none)";
+ katja-pubkey = builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc";
 in {
@@ -101,10 +101,18 @@ in {
 enable = lib.mkDefault true;
 startWhenNeeded = lib.mkDefault true;
 ports = [ 22 ];
- extraConfig = "StreamLocalBindUnlink yes";
+ extraConfig = ''
+ AllowTcpForwarding yes
+ AllowAgentForwarding no
+ AllowStreamLocalForwarding no
+ AuthenticationMethods publickey
+ '';
 settings = {
- PasswordAuthentication = false;
+ AllowUsers = [ "root" "katja" ];
+ X11Forwarding = false;
 PermitRootLogin = "without-password";
+ PasswordAuthentication = false;
+ challengeResponseAuthentication = false;
 };
 };
 };
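Review bot: `challengeResponseAuthentication = false;` in the second hunk's settings block breaks the CamelCase every other key uses and names a keyword OpenSSH has deprecated in favour of KbdInteractiveAuthentication; sshd matches keywords case-insensitively so it still takes effect, but `KbdInteractiveAuthentication = false;` is the current name and reads consistently with its neighbours. With `AuthenticationMethods publickey` in extraConfig, that flag and `PasswordAuthentication = false` are defence in depth rather than what actually disables password logins, which deserves a one-line comment so neither is later "simplified" away. The four extraConfig directives could equally live in `settings` next to the other keywords, and `AllowTcpForwarding yes` restates sshd's default, so dropping it or commenting why it is spelled out would make the intent clearer. In the first hunk, `builtins.readFile "${pkgs.ctucx-website}/ssh_pubkey.asc"` makes the authorized key for root and katja depend on whatever that package's build emits and appears to require building it at evaluation time; a comment recording where that file originates and why it is trusted over an in-repo literal would help the next reader judge the change.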
diff --git a/configurations/nixos/websites/git.ctu.cx.nix b/configurations/nixos/websites/git.ctu.cx.nix
@@ -110,6 +110,7 @@ let
 in {
+ services.openssh.settings.AllowUsers = [ "git" ];
 services.openssh.settings.Macs = [ "hmac-sha2-512" "hmac-sha2-512-etm@openssh.com"
diff --git a/machines/briefkasten/scanner-sftp.nix b/machines/briefkasten/scanner-sftp.nix
@@ -41,6 +41,8 @@
 "diffie-hellman-group-exchange-sha1" ];
+ settings.AllowUsers = [ "ads1700w" ];
+ extraConfig = ''
 PubkeyAcceptedKeyTypes=+ssh-rsa
 HostKeyAlgorithms=+ssh-rsa