From 12cf2f37018eefc76f3676832f9d8b2ca21ba40c Mon Sep 17 00:00:00 2001
From: "Chinmay D. Pai"
Date: Sat, 5 Oct 2024 20:53:47 +0530
Subject: [PATCH] chore: harden ssh security
* KbdInteractiveAuthentication: disable keyboard interactive-auth, since we solely rely on the SSH key for connection.
* PermitEmptyPasswords: disable empty passwords for SSH connection, again, since we use SSH keys.
* Protocol: Explicitly set the SSH protocol to 2, even though it is the default value.
* MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try connection.
* ChallengeResponseAuthentication: We do not require a challenge-response setup.
* AllowTcpForwarding: Allows access to locally-running ports without having to expose them. Since all auth methods are disabled, we can enable this.
Signed-off-by: Chinmay D. Pai
---
modules/nixos/core/sshd/default.nix | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modules/nixos/core/sshd/default.nix b/modules/nixos/core/sshd/default.nix
index 420abca..7c1e33f 100644
--- a/modules/nixos/core/sshd/default.nix
+++ b/modules/nixos/core/sshd/default.nix
@@ -1,5 +1,8 @@
-{ config, lib, ... }:
{
+ config,
+ lib,
+ ...
+}: {
options.snowflake.core.sshd = {
enable = lib.mkEnableOption "Enable core sshd configuration";
};
@@ -11,6 +14,12 @@
# Disable password auth and root login.
PasswordAuthentication = false;
PermitRootLogin = "no";
+ KbdInteractiveAuthentication = false;
+ PermitEmptyPasswords = false;
+ Protocol = 2;
+ MaxAuthTries = 3;
+ ChallengeResponseAuthentication = false;
+ AllowTcpForwarding = "yes";
};
openFirewall = true;
};
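Review bot: `AllowTcpForwarding = "yes"` in the second hunk is OpenSSH's documented default, so the line changes nothing on its own, and the commit message's reasoning — that forwarding is safe because password and interactive auth are off — conflates who may log in with what an accepted key holder may then do: `yes` grants every such key both local forwards through the server to any destination it can reach and remote forwards that publish the client's side on the server, not just access to localhost-bound ports. If the goal is only reaching services bound to localhost, `AllowTcpForwarding = "local";` states that, optionally paired with `PermitOpen = "localhost:<PORT>";` (placeholder) to pin the permitted destinations. `Protocol = 2` is a no-op on current OpenSSH (protocol 1 was removed in 7.4 and the keyword is now ignored), and `ChallengeResponseAuthentication` has been a deprecated alias of `KbdInteractiveAuthentication` since 8.7, so those two lines add only deprecation noise to sshd's log and could be dropped. `MaxAuthTries = 3` deserves a comment such as `# Each key the client's agent offers counts as an attempt; clients with more than three keys need IdentitiesOnly/IdentityFile.`, since the commit message's "up to 3 keys" is exactly the lockout case. The attribute set these lines belong to opens before the hunk begins.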