feat: add ssh client config

2024-02-03 17:21:24 -05:00 · 2024-02-03 17:21:24 -05:00 · 6e394ad1b0
commit 6e394ad1b0
parent 7ad5c9a1a7
2 changed files with 79 additions and 0 deletions
--- a/common/nixos/ssh_client.nix
+++ b/common/nixos/ssh_client.nix
@ -0,0 +1,78 @@
+{...}: {
+  programs.ssh = {
+    # disable unnecessary forwardings
+    forwardX11 = false;
+
+    # explicitly define cryptography algorithms to avoid the use of weak algorithms
+    # AES CTR modes have been removed to mitigate the Terrapin attack
+    # https://terrapin-attack.com/
+    ciphers = [
+      "aes256-gcm@openssh.com"
+      "aes128-gcm@openssh.com"
+    ];
+    hostKeyAlgorithms = [
+      "ssh-ed25519"
+      "ssh-ed25519-cert-v01@openssh.com"
+      "sk-ssh-ed25519@openssh.com"
+      "sk-ssh-ed25519-cert-v01@openssh.com"
+      "rsa-sha2-256"
+      "rsa-sha2-256-cert-v01@openssh.com"
+      "rsa-sha2-512"
+      "rsa-sha2-512-cert-v01@openssh.com"
+    ];
+    macs = [
+      "hmac-sha2-256-etm@openssh.com"
+      "hmac-sha2-512-etm@openssh.com"
+      "umac-128-etm@openssh.com"
+    ];
+    # short moduli should be deactivated before enabling the use of diffie-hellman-group-exchange-sha256
+    # see this link for more details: https://github.com/k4yt3x/ssh_config#deactivating-short-diffie-hellman-moduli
+    kexAlgorithms = [
+      "curve25519-sha256"
+      "curve25519-sha256@libssh.org"
+      "diffie-hellman-group16-sha512"
+      "diffie-hellman-group18-sha512"
+    ];
+    extraConfig = "
+      # disable unnecessary forwardings
+      ForwardAgent no
+      ForwardX11Trusted no
+      GatewayPorts no
+      Tunnel no
+
+      # disable unnecessary authentication methods
+      ChallengeResponseAuthentication no
+      GSSAPIAuthentication no
+      HostbasedAuthentication no
+
+      # define authentication methods to be used
+      PasswordAuthentication yes
+      PubkeyAuthentication yes
+      PreferredAuthentications publickey,password
+
+      # disable pre-connection compression as it could cause security issues
+      Compression no
+
+      # in addition to checking a host's hostname, also check the host's IP address
+      # this provides extra safety against DNS spoofing attacks
+      CheckHostIP yes
+
+      # ask the user if the user wants to accept the new host's host key
+      StrictHostKeyChecking ask
+
+      # hash the entries in the known_hosts file to prevent disclosure
+      # of the file's content
+      HashKnownHosts yes
+
+      # send a keepalive message to the server when the session has been idle for 60 seconds
+      # this prevents/detects connection timeouts
+      ServerAliveInterval 60
+
+      # increase the number of password retries
+      NumberOfPasswordPrompts 5
+
+      # display an ASCII art of the server's host key
+      VisualHostKey yes
+    ";
+  };
+}