diff options
author | jeaye <contact@jeaye.com> | 2017-11-16 20:19:42 -0800 |
---|---|---|
committer | jeaye <contact@jeaye.com> | 2017-11-16 20:25:37 -0800 |
commit | 2a8bd9e2a11a8e69448682d8f8289ea021246354 (patch) | |
tree | 68101f6a3e023874b2b35bbc4ac51b117093c751 /nixos/modules/services/networking/ssh | |
parent | ec80c928255b3886aa2268398ccbbe4279004cff (diff) | |
download | nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar.gz nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar.bz2 nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar.lz nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar.xz nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.tar.zst nixpkgs-2a8bd9e2a11a8e69448682d8f8289ea021246354.zip |
nixos/ssh: Harden config defaults
Diffstat (limited to 'nixos/modules/services/networking/ssh')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index a249f014217..6c4dcfeda06 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -358,6 +358,21 @@ in HostKey ${k.path} '')} + ### Recommended settings from both: + # https://stribika.github.io/2015/01/04/secure-secure-shell.html + # and + # https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29 + + KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com + + # LogLevel VERBOSE logs user's key fingerprint on login. + # Needed to have a clear audit track of which key was used to log in. + LogLevel VERBOSE + + # Use kernel sandbox mechanisms where possible in unprivileged processes. + UsePrivilegeSeparation sandbox ''; assertions = [{ assertion = if cfg.forwardX11 then cfgc.setXAuthLocation else true; |