notohh/snowflake
notohh/snowflake
1
0
Fork 0
Code Issues Pull requests 1 Packages Projects 1 Releases Wiki Activity

sec: suggested improvements on openssh daemon #3

New issue
Closed
opened 2023-06-24 18:43:23 -04:00 by Ghost · 1 comment
Ghost commented 2023-06-24 18:43:23 -04:00
Copy link

593f02b740/modules/openssh.nix (L1)

your setup is fine, but if you'd like a very hardened/explicit yet usable setup here is mine for reference.

{
  services.openssh = {
    enable = true;
    allowSFTP = false;
    ports = [
      22
    ];
    settings = {
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "yes";
      PasswordAuthentication = false;
      X11Forwarding = false;
      Ciphers = [
        "chacha20-poly1305@openssh.com"
        "aes256-gcm@openssh.com"
        "aes128-gcm@openssh.com"
        "aes256-ctr"
        "aes192-ctr"
        "aes128-ctr"
      ];
      KexAlgorithms = [
        "sntrup761x25519-sha512@openssh.com"
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group-exchange-sha256"
      ];
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
        "hmac-sha2-512"
        "hmac-sha2-256"
        "umac-128@openssh.com"
      ];
    };
    extraConfig = ''
      AllowTcpForwarding yes
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}
https://git.notohh.dev/notohh/snowflake/src/commit/593f02b7401b099961a7a15d324464c806d7af30/modules/openssh.nix#L1 your setup is fine, but if you'd like a very hardened/explicit yet usable setup here is mine for reference. ```` { services.openssh = { enable = true; allowSFTP = false; ports = [ 22 ]; settings = { KbdInteractiveAuthentication = false; PermitRootLogin = "yes"; PasswordAuthentication = false; X11Forwarding = false; Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" "aes256-ctr" "aes192-ctr" "aes128-ctr" ]; KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ]; Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" "umac-128-etm@openssh.com" "hmac-sha2-512" "hmac-sha2-256" "umac-128@openssh.com" ]; }; extraConfig = '' AllowTcpForwarding yes AllowAgentForwarding no AllowStreamLocalForwarding no AuthenticationMethods publickey ''; }; } ````
notohh commented 2023-09-20 20:19:13 -04:00
Owner
Copy link

will look into this eventually

will look into this eventually
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
flake-lock-update
No results found.
Labels
Clear labels   
area/documentation

   
area/networking

   
bug

   
feature
  
host
ame

  
host
arashi

  
host
kariru

  
host
kaze

  
host
sakura

  
hosts
all

  
host
sora

  
host
tsuki

  
host
tsuru

  
host
yuki

  
priority
1
low

  
priority
2
medium

  
priority
3
high

  
status
blocked

  
status
needs-research

  
styling

   
treewide
No labels
area/documentation
area/networking
bug
feature
host
ame
host
arashi
host
kariru
host
kaze
host
sakura
hosts
all
host
sora
host
tsuki
host
tsuru
host
yuki
priority
1
priority
2
priority
3
status
blocked
status
needs-research
styling
treewide
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: notohh/snowflake#3
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?