Chinmay D. Pai
12cf2f3701
* KbdInteractiveAuthentication: disable keyboard interactive-auth, since we solely rely on the SSH key for connection. * PermitEmptyPasswords: disable empty passwords for SSH connection, again, since we use SSH keys. * Protocol: Explicitly set the SSH protocol to 2, even though it is the default value. * MaxAuthTries: Set auth tries to 3. This is to allow up to 3 keys to try connection. * ChallengeResponseAuthentication: We do not require a challenge-response setup. * AllowTcpForwarding: Allows access to locally-running ports without having to expose them. Since all auth methods are disabled, we can enable this. Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com>
32 lines
765 B
Nix
32 lines
765 B
Nix
{
|
|
config,
|
|
lib,
|
|
...
|
|
}: {
|
|
options.snowflake.core.sshd = {
|
|
enable = lib.mkEnableOption "Enable core sshd configuration";
|
|
};
|
|
|
|
config = lib.mkIf config.snowflake.core.sshd.enable {
|
|
services.openssh = {
|
|
enable = true;
|
|
settings = {
|
|
# Disable password auth and root login.
|
|
PasswordAuthentication = false;
|
|
PermitRootLogin = "no";
|
|
KbdInteractiveAuthentication = false;
|
|
PermitEmptyPasswords = false;
|
|
Protocol = 2;
|
|
MaxAuthTries = 3;
|
|
ChallengeResponseAuthentication = false;
|
|
AllowTcpForwarding = "yes";
|
|
};
|
|
openFirewall = true;
|
|
};
|
|
|
|
# Enable mosh for access over spotty networks.
|
|
programs.mosh.enable = true;
|
|
programs.ssh.startAgent = true;
|
|
};
|
|
}
|