chore: harden ssh security
* KbdInteractiveAuthentication: disable keyboard interactive-auth, since we solely rely on the SSH key for connection.
* PermitEmptyPasswords: disable empty passwords for SSH connection, again, since we use SSH keys.
* Protocol: Explicitly set the SSH protocol to 2, even though it is the default value.
* MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try connection.
* ChallengeResponseAuthentication: We do not require a challenge-response setup.
* AllowTcpForwarding: Allows access to locally-running ports without having to expose them. Since all auth methods are disabled, we can enable this.

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
parent d4dc50237a
commit 12cf2f3701
@ -1,5 +1,8 @@
|
|||||||
{ config, lib, ... }:
|
|
||||||
{
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
options.snowflake.core.sshd = {
|
options.snowflake.core.sshd = {
|
||||||
enable = lib.mkEnableOption "Enable core sshd configuration";
|
enable = lib.mkEnableOption "Enable core sshd configuration";
|
||||||
};
|
};
|
||||||
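Review bot: The reflow of the `{ config, lib, ... }:` argument set at the top of the file is a formatting-only change with no bearing on sshd behaviour, and it would be better placed in a separate commit. Keeping it out of this one leaves the hardening diff limited to the settings block, which makes the security-relevant change easier to audit and to revert on its own.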
@ -11,6 +14,12 @@
|
|||||||
# Disable password auth and root login.
|
# Disable password auth and root login.
|
||||||
PasswordAuthentication = false;
|
PasswordAuthentication = false;
|
||||||
PermitRootLogin = "no";
|
PermitRootLogin = "no";
|
||||||
|
KbdInteractiveAuthentication = false;
|
||||||
|
PermitEmptyPasswords = false;
|
||||||
|
Protocol = 2;
|
||||||
|
MaxAuthTries = 3;
|
||||||
|
ChallengeResponseAuthentication = false;
|
||||||
|
AllowTcpForwarding = "yes";
|
||||||
};
|
};
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
|
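Review bot: `AllowTcpForwarding = "yes";` in the settings block permits both local and remote forwarding, while the commit message only asks for access to locally-running ports; `"local"` would cover that use and keep remote forwarding off. `Protocol = 2;` and `ChallengeResponseAuthentication = false;` also look droppable: current OpenSSH no longer supports protocol 1, and it treats ChallengeResponseAuthentication as a deprecated alias of KbdInteractiveAuthentication, which this hunk already sets. The comment `# Disable password auth and root login.` now sits above six further options and should be updated to describe them.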