From 6e394ad1b0d5511eb62df0ee90589f9ae1c91e87 Mon Sep 17 00:00:00 2001
From: gwg313 <gwg313@pm.me>
Date: Sat, 3 Feb 2024 17:21:24 -0500
Subject: [PATCH] feat: add ssh client config

---
 common/nixos/ssh_client.nix        | 78 ++++++++++++++++++++++++++++++
 hosts/candlekeep/configuration.nix |  1 +
 2 files changed, 79 insertions(+)
 create mode 100644 common/nixos/ssh_client.nix

diff --git a/common/nixos/ssh_client.nix b/common/nixos/ssh_client.nix
new file mode 100644
index 0000000..4ae8eae
--- /dev/null
+++ b/common/nixos/ssh_client.nix
@@ -0,0 +1,78 @@
+{...}: {
+  programs.ssh = {
+    # disable unnecessary forwardings
+    forwardX11 = false;
+
+    # explicitly define cryptography algorithms to avoid the use of weak algorithms
+    # AES CTR modes have been removed to mitigate the Terrapin attack
+    # https://terrapin-attack.com/
+    ciphers = [
+      "aes256-gcm@openssh.com"
+      "aes128-gcm@openssh.com"
+    ];
+    hostKeyAlgorithms = [
+      "ssh-ed25519"
+      "ssh-ed25519-cert-v01@openssh.com"
+      "sk-ssh-ed25519@openssh.com"
+      "sk-ssh-ed25519-cert-v01@openssh.com"
+      "rsa-sha2-256"
+      "rsa-sha2-256-cert-v01@openssh.com"
+      "rsa-sha2-512"
+      "rsa-sha2-512-cert-v01@openssh.com"
+    ];
+    macs = [
+      "hmac-sha2-256-etm@openssh.com"
+      "hmac-sha2-512-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+    ];
+    # short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
+    # see this link for more details: https://github.com/k4yt3x/ssh_config#deactivating-short-diffie-hellman-moduli
+    kexAlgorithms = [
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group16-sha512"
+      "diffie-hellman-group18-sha512"
+    ];
+    extraConfig = "
+      # disable unnecessary forwardings
+      ForwardAgent no
+      ForwardX11Trusted no
+      GatewayPorts no
+      Tunnel no
+
+      # disable unnecessary authentication methods
+      ChallengeResponseAuthentication no
+      GSSAPIAuthentication no
+      HostbasedAuthentication no
+
+      # define authentication methods to be used
+      PasswordAuthentication yes
+      PubkeyAuthentication yes
+      PreferredAuthentications publickey,password
+
+      # disable pre-connection compression as it could cause security issues
+      Compression no
+
+      # in addition to checking a host's hostname, also check the host's IP address
+      # this provides extra safety against DNS spoofing attacks
+      CheckHostIP yes
+
+      # ask the user if the user wants to accept the new host's host key
+      StrictHostKeyChecking ask
+
+      # hash the entries in the known_hosts file to prevent disclosure
+      # of the file's content
+      HashKnownHosts yes
+
+      # send a keepalive message to the server when the session has been idle for 60 seconds
+      # this prevents/detects connection timeouts
+      ServerAliveInterval 60
+
+      # increase the number of password retries
+      NumberOfPasswordPrompts 5
+
+      # display an ASCII art of the server's host key
+      VisualHostKey yes
+    ";
+  };
+}
diff --git a/hosts/candlekeep/configuration.nix b/hosts/candlekeep/configuration.nix
index cc09675..039db28 100644
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@@ -19,6 +19,7 @@
     ../../common/nixos/bluetooth.nix
     ../../common/nixos/restic.nix
     ../../common/nixos/ssh.nix
+    ../../common/nixos/ssh_client.nix
     ../../common/gui/hyprland.nix
     ../../common/gui/thunar.nix
     ../../common/style/stylix.nix