chore: harden ssh security
* KbdInteractiveAuthentication: disable keyboard interactive-auth, since we solely rely on the SSH key for connection. * PermitEmptyPasswords: disable empty passwords for SSH connection, again, since we use SSH keys. * Protocol: Explicitly set the SSH protocol to 2, even though it is the default value. * MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try connection. * ChallengeResponseAuthentication: We do not require a challenge-response setup. * AllowTcpForwarding: Allows access to locally-running ports without having to expose them. Since all auth methods are disabled, we can enable this. Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
This commit is contained in:
parent
d4dc50237a
commit
12cf2f3701
@ -1,5 +1,8 @@
|
||||
{ config, lib, ... }:
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
options.snowflake.core.sshd = {
|
||||
enable = lib.mkEnableOption "Enable core sshd configuration";
|
||||
};
|
||||
@ -11,6 +14,12 @@
|
||||
# Disable password auth and root login.
|
||||
PasswordAuthentication = false;
|
||||
PermitRootLogin = "no";
|
||||
KbdInteractiveAuthentication = false;
|
||||
PermitEmptyPasswords = false;
|
||||
Protocol = 2;
|
||||
MaxAuthTries = 3;
|
||||
ChallengeResponseAuthentication = false;
|
||||
AllowTcpForwarding = "yes";
|
||||
};
|
||||
openFirewall = true;
|
||||
};
|
||||
|
Loading…
Reference in New Issue
Block a user