ooks/ooknet
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ooknet/modules/nixos/base/openssh.nix

82 lines
2.2 KiB
Nix
Raw Blame History

{
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [22];
settings = {
UseDns = true;
PubkeyAuthentication = "yes";
PermitRootLogin = "no";
PermitEmptyPasswords = "no";
PasswordAuthentication = false;
# disable support for .rhost files
IgnoreRhosts = "yes";
# by default openssh uses port 22
# restict key exchange, cipher, and MAC algorithms, as per <https://www.ssh-audit.com>
KexAlgorithms = [
"sntrup761x25519-sha512@openssh.com"
"curve25519-sha256"
"curve25519-sha256@libssh.org"
"diffie-hellman-group18-sha512"
"diffie-hellman-group-exchange-sha256"
"diffie-hellman-group16-sha512"
];
Ciphers = [
"chacha20-poly1305@openssh.com"
"aes256-gcm@openssh.com"
"aes256-ctr"
"aes192-ctr"
"aes128-gcm@openssh.com"
"aes128-ctr"
];
Macs = [
"hmac-sha2-512-etm@openssh.com"
"hmac-sha2-256-etm@openssh.com"
"umac-128-etm@openssh.com"
];
/*
HostKeyAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com,ssh-ed25519"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
CASignatureAlgorithms = [
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
GSSAPIKexAlgorithms = [
"gss-curve25519-sha256-"
"gss-group16-sha512"
];
HostbasedAcceptedAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"rsa-sha2-256-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519,rsa-sha2-512"
"rsa-sha2-256"
];
PubkeyAcceptedAlgorithms = [
"sk-ssh-ed25519-cert-v01@openssh.com"
"ssh-ed25519-cert-v01@openssh.com"
"rsa-sha2-512-cert-v01@openssh.com"
"rsa-sha2-256-cert-v01@openssh.com"
"sk-ssh-ed25519@openssh.com"
"ssh-ed25519"
"rsa-sha2-512"
"rsa-sha2-256"
];
*/
};
};
}
Reference in a new issue View git blame Copy permalink