initial commit

2026-04-15 18:26:05 -04:00 · 2026-04-15 18:26:05 -04:00 · ebc1be5217
commit ebc1be5217
143 changed files with 7721 additions and 0 deletions
--- a/modules/features/security/security-ssh-client.nix
+++ b/modules/features/security/security-ssh-client.nix
@ -0,0 +1,87 @@
+{ ... }:
+{
+  config.dendritic.features.security-ssh-client = {
+
+    nixosModules = [
+      (
+        { ... }:
+        {
+          programs.ssh = {
+            # disable unnecessary forwardings
+            forwardX11 = false;
+
+            # explicitly define cryptography algorithms to avoid the use of weak algorithms
+            # AES CTR modes have been removed to mitigate the Terrapin attack
+            # https://terrapin-attack.com/
+            ciphers = [
+              "aes256-gcm@openssh.com"
+              "aes128-gcm@openssh.com"
+            ];
+            hostKeyAlgorithms = [
+              "ssh-ed25519"
+              "ssh-ed25519-cert-v01@openssh.com"
+              "sk-ssh-ed25519@openssh.com"
+              "sk-ssh-ed25519-cert-v01@openssh.com"
+              "rsa-sha2-256"
+              "rsa-sha2-256-cert-v01@openssh.com"
+              "rsa-sha2-512"
+              "rsa-sha2-512-cert-v01@openssh.com"
+            ];
+            macs = [
+              "hmac-sha2-256-etm@openssh.com"
+              "hmac-sha2-512-etm@openssh.com"
+              "umac-128-etm@openssh.com"
+            ];
+            kexAlgorithms = [
+              "sntrup761x25519-sha512@openssh.com"
+              "curve25519-sha256"
+              "curve25519-sha256@libssh.org"
+              "diffie-hellman-group16-sha512"
+              "diffie-hellman-group18-sha512"
+            ];
+            extraConfig = "
+      # disable unnecessary forwardings
+      ForwardAgent no
+      ForwardX11Trusted no
+      GatewayPorts no
+      Tunnel no
+
+      # disable unnecessary authentication methods
+      ChallengeResponseAuthentication no
+      HostbasedAuthentication no
+
+      # define authentication methods to be used
+      PasswordAuthentication yes
+      PubkeyAuthentication yes
+      PreferredAuthentications publickey,password
+
+      # disable pre-connection compression as it could cause security issues
+      Compression no
+
+      # in addition to checking a host's hostname, also check the host's IP address
+      # this provides extra safety against DNS spoofing attacks
+      CheckHostIP yes
+
+      # ask the user if the user wants to accept the new host's host key
+      StrictHostKeyChecking ask
+
+      # hash the entries in the known_hosts file to prevent disclosure
+      # of the file's content
+      HashKnownHosts yes
+
+      # send a keepalive message to the server when the session has been idle for 60 seconds
+      # this prevents/detects connection timeouts
+      ServerAliveInterval 60
+
+      # increase the number of password retries
+      NumberOfPasswordPrompts 5
+
+      # display an ASCII art of the server's host key
+      VisualHostKey yes
+        ";
+          };
+        }
+      )
+    ];
+  };
+}