refactor: pull openssh config into its own file

2024-01-06 16:05:21 -05:00 · 2024-01-06 16:05:21 -05:00 · fccae400f4
commit fccae400f4
parent 9b733a36b5
2 changed files with 94 additions and 92 deletions
--- a/common/nixos/ssh.nix
+++ b/common/nixos/ssh.nix
@ -0,0 +1,93 @@
 {user, ...}: {
  # https://www.ssh-audit.com/hardening_guides.html
  # https://github.com/jtesta/ssh-audit
  services.openssh = {
    enable = true;
    settings = {
      ########## Features ##########
      # disallow ssh-agent forwarding to prevent lateral movement
      AllowAgentForwarding = false;
      # prevent TCP ports from being forwarded over SSH tunnels
      # **please be aware that disabling TCP forwarding does not prevent port forwarding**
      # any user with an interactive login shell can spin up his/her own instance of sshd
      AllowTcpForwarding = false;
      # prevent StreamLocal (Unix-domain socket) forwarding
      AllowStreamLocalForwarding = false;
      # disables all forwarding features
      # overrides all other forwarding switches
      DisableForwarding = true;
      # disallow remote hosts from connecting to forwarded ports
      # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
      GatewayPorts = "no";
      # prevent tun device forwarding
      PermitTunnel = false;
      # suppress MOTD
      PrintMotd = false;
      # disable X11 forwarding since it is not necessary
      X11Forwarding = false;
      ########## Authentication ##########
      AllowUsers = ["${user}"];
      # Use keys only. Remove if you want to SSH using password (not recommended)
      PasswordAuthentication = false;
      HostbasedAuthentication = false;
      # enable pubkey authentication
      PubkeyAuthentication = true;
      # Forbid root login through SSH.
      PermitRootLogin = "no";
      # nix enables pam by default
      #UsePam = true;
      ########## Cryptography ##########
      # explicitly define cryptography algorithms to avoid the use of weak algorithms
      # AES CTR modes have been removed to mitigate the Terrapin attack
      #   https://terrapin-attack.com/
      Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
      Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
      ########## Connection Preferences ##########
      # enforce SSH server to only use SSH protocol version 2
      # SSHv1 contains security issues and should be avoided at all costs
      # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
      #   specified anyways to ensure this configuration file's compatibility
      #   with older versions of OpenSSH server
      Protocol = 2;
      # number of client alive messages sent without client responding
      ClientAliveCountMax = 2;
      # send a keepalive message to the client when the session has been idle for 300 seconds
      # this prevents/detects connection timeouts
      ClientAliveInterval = 300;
      # compression before encryption might cause security issues
      Compression = false;
      # prevent SSH trust relationships from allowing lateral movements
      IgnoreRhosts = true;
      # log verbosely for addtional information
      LogLevel = "VERBOSE";
      # allow a maximum of two multiplexed sessions over a single TCP connection
      MaxSessions = 2;
    };
  };
 }
--- a/hosts/candlekeep/configuration.nix
+++ b/hosts/candlekeep/configuration.nix
@ -18,6 +18,7 @@
    #../../common/networking/zerotier.nix
    ../../common/nixos/bluetooth.nix
    ../../common/nixos/restic.nix
    ../../common/nixos/ssh.nix
    ../../common/gui/hyprland.nix
    ../../common/gui/thunar.nix
    ../../common/style/stylix.nix
@ -110,98 +111,6 @@
    };
  };
  # This setups a SSH server. Very important if you're setting up a headless system.
  # Feel free to remove if you don't need it.
  services.openssh = {
    enable = true;
    settings = {
      ########## Features ##########
      # disallow ssh-agent forwarding to prevent lateral movement
      AllowAgentForwarding = false;
      # prevent TCP ports from being forwarded over SSH tunnels
      # **please be aware that disabling TCP forwarding does not prevent port forwarding**
      # any user with an interactive login shell can spin up his/her own instance of sshd
      AllowTcpForwarding = false;
      # prevent StreamLocal (Unix-domain socket) forwarding
      AllowStreamLocalForwarding = false;
      # disables all forwarding features
      # overrides all other forwarding switches
      DisableForwarding = true;
      # disallow remote hosts from connecting to forwarded ports
      # i.e. forwarded ports are forced to bind to 127.0.0.1 instad of 0.0.0.0
      GatewayPorts = "no";
      # prevent tun device forwarding
      PermitTunnel = false;
      # suppress MOTD
      PrintMotd = false;
      # disable X11 forwarding since it is not necessary
      X11Forwarding = false;
      ########## Authentication ##########
      AllowUsers = ["${user}"];
      # Use keys only. Remove if you want to SSH using password (not recommended)
      PasswordAuthentication = false;
      HostbasedAuthentication = false;
      # enable pubkey authentication
      PubkeyAuthentication = true;
      # Forbid root login through SSH.
      PermitRootLogin = "no";
      # nix enables pam by default
      #UsePam = true;
      ########## Cryptography ##########
      # explicitly define cryptography algorithms to avoid the use of weak algorithms
      # AES CTR modes have been removed to mitigate the Terrapin attack
      #   https://terrapin-attack.com/
      Ciphers = ["aes256-gcm@openssh.com" "aes128-gcm@openssh.com"];
      Macs = ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com"];
      KexAlgorithms = ["curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512"];
      ########## Connection Preferences ##########
      # enforce SSH server to only use SSH protocol version 2
      # SSHv1 contains security issues and should be avoided at all costs
      # SSHv1 is disabled by default after OpenSSH 7.0, but this option is
      #   specified anyways to ensure this configuration file's compatibility
      #   with older versions of OpenSSH server
      Protocol = 2;
      # number of client alive messages sent without client responding
      ClientAliveCountMax = 2;
      # send a keepalive message to the client when the session has been idle for 300 seconds
      # this prevents/detects connection timeouts
      ClientAliveInterval = 300;
      # compression before encryption might cause security issues
      Compression = false;
      # prevent SSH trust relationships from allowing lateral movements
      IgnoreRhosts = true;
      # log verbosely for addtional information
      LogLevel = "VERBOSE";
      # allow a maximum of two multiplexed sessions over a single TCP connection
      MaxSessions = 2;
    };
  };
  environment = {
    loginShellInit = ''
      if [ -z $DISPLAY ] && [ "$(tty)" = "/dev/tty1" ]; then