sec: suggested improvements on openssh daemon #3

Closed
opened 2023-06-24 18:43:23 -04:00 by Ghost · 1 comment

593f02b740/modules/openssh.nix (L1)

Your setup is fine, but if you'd like a very hardened and explicit, yet still usable, setup, here is mine for reference.

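{
  # Key-only OpenSSH daemon: every password and keyboard-interactive path is
  # switched off, and AuthenticationMethods pins the one remaining path to
  # public keys.
  services.openssh = {
    enable = true;
    # No SFTP subsystem, so scp/sftp file transfers are refused.
    allowSFTP = false;
    ports = [
      22
    ];
    settings = {
      KbdInteractiveAuthentication = false;
      # "yes" would let root in by whatever method happens to be enabled, so a
      # later flip of PasswordAuthentication/KbdInteractiveAuthentication would
      # silently reopen password root logins. "prohibit-password" (the upstream
      # OpenSSH default) keeps key-based root login working while refusing
      # password and interactive root logins regardless of the other toggles.
      # Use "no" if root does not need to log in at all.
      PermitRootLogin = "prohibit-password";
      PasswordAuthentication = false;
      X11Forwarding = false;
      # AEAD ciphers first. The CTR entries are compatibility fallbacks for older
      # clients and can be dropped once nothing needs them.
      Ciphers = [
        "chacha20-poly1305@openssh.com"
        "aes256-gcm@openssh.com"
        "aes128-gcm@openssh.com"
        "aes256-ctr"
        "aes192-ctr"
        "aes128-ctr"
      ];
      # Hybrid post-quantum KEX first, then X25519 (both spellings). The
      # group-exchange entry depends on the host's moduli file.
      # NOTE(review): confirm the installed moduli file only contains groups of
      # the size you are happy with, or drop this entry.
      KexAlgorithms = [
        "sntrup761x25519-sha512@openssh.com"
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group-exchange-sha256"
      ];
      # Encrypt-then-MAC variants first. The trailing non-ETM entries are
      # compatibility fallbacks and can be removed if no legacy client needs
      # them.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
        "hmac-sha2-512"
        "hmac-sha2-256"
        "umac-128@openssh.com"
      ];
    };
    # Raw sshd_config lines appended as-is. TCP forwarding is deliberately left
    # on; agent and Unix-socket forwarding are off, and AuthenticationMethods
    # makes the key-only policy explicit even if a client offers other methods.
    extraConfig = ''
      AllowTcpForwarding yes
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}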
Owner

will look into this eventually
