chore: harden ssh security

* KbdInteractiveAuthentication: disable keyboard interactive-auth, since
  we solely rely on the SSH key for connection.
* PermitEmptyPasswords: disable empty passwords for SSH connection, again,
  since we use SSH keys.
* Protocol: Explicitly set the SSH protocol to 2, even though it is the
  default value.
* MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try
  connection.
* ChallengeResponseAuthentication: We do not require a challenge-response
  setup.
* AllowTcpForwarding: Allows access to locally-running ports without having
  to expose them. Since all auth methods are disabled, we can enable this.

Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
Chinmay D. Pai 2024-10-05 20:53:47 +05:30
parent d4dc50237a
commit 12cf2f3701
Signed by: thunderbottom
GPG Key ID: 75507BE256F40CED

View File

@ -1,5 +1,8 @@
{ config, lib, ... }:
{
config,
lib,
...
}: {
options.snowflake.core.sshd = {
enable = lib.mkEnableOption "Enable core sshd configuration";
};
@ -11,6 +14,12 @@
# Disable password auth and root login.
PasswordAuthentication = false;
PermitRootLogin = "no";
KbdInteractiveAuthentication = false;
PermitEmptyPasswords = false;
Protocol = 2;
MaxAuthTries = 3;
ChallengeResponseAuthentication = false;
AllowTcpForwarding = "yes";
};
openFirewall = true;
};