Commit 8f346ca2e929

Vincent Demeester <vincent@sbr.pm>
2026-01-12 15:25:56
security(ssh): harden OpenSSH configuration across all hosts
- Disable password authentication (SSH keys only) - Restrict root login to SSH keys only - Disable keyboard-interactive and user environment auth - Restrict to strong key algorithms (Ed25519, ECDSA, RSA SHA-2) - Refactor kerkouane to inherit common config with VPN-only override
1 parent 9358262
Changed files (2)
systems/common/services/openssh.nix
@@ -4,12 +4,17 @@ _: {
       enable = true;
       openFirewall = true;
       settings = {
-        # FIXME: enable this
-        # PasswordAuthentication = false;
-        # PermitRootLogin = "no"
+        # Authentication
+        PasswordAuthentication = false;
+        PermitRootLogin = "without-password";
+        KbdInteractiveAuthentication = false;
+        PermitUserEnvironment = false;
       };
       extraConfig = ''
         StreamLocalBindUnlink yes
+
+        # Only allow strong key types (Ed25519, ECDSA for Yubikeys, RSA fallback)
+        PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256
       '';
     };
     sshguard.enable = true;
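Review bot: `PubkeyAcceptedKeyTypes` on the added extraConfig line is the pre-8.5 keyword; current OpenSSH accepts it only as a deprecated alias, so the line should read `PubkeyAcceptedAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256` (it could equally live under `settings` as a freeform option rather than in `extraConfig`). `PermitRootLogin = "without-password"` is likewise the deprecated spelling of `"prohibit-password"`, which I believe is already the NixOS module default, so the override may be redundant. The algorithm list carries no `sk-ssh-ed25519@openssh.com` / `sk-ecdsa-sha2-nistp256@openssh.com` entries, so if any of the Yubikeys named in the comment are enrolled as FIDO2 security keys rather than PIV/ECDSA keys, they will be refused on every host at once, and since `PasswordAuthentication` is turned off in the same commit there is no fallback; worth confirming the key inventory before rollout.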
systems/kerkouane/extra.nix
@@ -101,6 +101,7 @@ in
 {
   imports = [
     ../common/services/prometheus-exporters-node.nix
+    ../common/services/openssh.nix
   ];
 
   # Age secrets
@@ -320,6 +321,7 @@ in
   # Disable TPM2 (VPS has no TPM hardware)
   security.tpm2.enable = lib.mkForce false;
 
+  # Override common SSH config to restrict to VPN network only
   services.openssh = {
     listenAddresses = [
       {
@@ -328,10 +330,6 @@ in
       }
     ];
     openFirewall = lib.mkForce false;
-    settings = {
-      PasswordAuthentication = false;
-      PermitRootLogin = "without-password";
-    };
   };
 
   services.wireguard.server = {
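Review bot: With `openFirewall = lib.mkForce false` and the VPN-only `listenAddresses` (the address entries sit between the hunks and are not visible here), nothing in this section opens port 22 on the WireGuard interface either, so SSH over the VPN depends on a `networking.firewall.interfaces.<wg>.allowedTCPPorts` or `trustedInterfaces` rule that I cannot see; a one-line pointer such as `# port 22 must be allowed on the wg interface via networking.firewall.interfaces (see wireguard block)` would save the next maintainer a lockout hunt. Binding sshd only to the VPN address also means a WireGuard misconfiguration cuts off all remote access to the VPS, so the recovery path (provider console) deserves a comment next to the override. The `services.openssh` attrset begins before this hunk.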