93571386bd
New system/modules/ssh.nix disables password and keyboard-interactive auth and root login, and installs the authorized key for the primary user. Imported by the two hosts that run sshd; each still enables the service and opens port 22 in its own config. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
20 lines
861 B
Nix
system/modules/ssh.nix

```nix
# Key-only SSH hardening, imported by the hosts that run sshd (T400, Mac Pro).
# The host config still does `services.openssh.enable = true` and opens port 22
# next to where it documents the listening service; this module only tightens
# the policy and installs the authorized key, so a host opting into sshd cannot
# accidentally ship password/root login.
{ username, ... }:
{
  services.openssh.settings = {
    PasswordAuthentication = false; # keys only
    KbdInteractiveAuthentication = false; # no keyboard-interactive fallback
    PermitRootLogin = "no";
  };

  # The key permitted to log in as the primary user. Add more entries here as
  # new client machines are provisioned.
  users.users.${username}.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDxHvdMTOzpFWUFMtCP7C/4tIOUO3GIO2QPvaifSnWH lyrathorpe@Lyra-MBA"
  ];
}
```
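A post-rebuild check to go with the module above, added here as an example and not part of the commit or the repository. NixOS renders `services.openssh.settings` into sshd_config, but any other imported module can set the same keys, so the values that actually bind are the ones `sshd -T` reports (lowercased `keyword value` lines). The function below reads that output on stdin and fails unless all three hardening settings from ssh.nix are in force; the two sample outputs are constructed stand-ins for a host that imported the module and one that did not, so the script runs offline.

```sh
#!/bin/sh
# check_sshd_policy: read `sshd -T` output on stdin and return 0 only when the
# three settings that system/modules/ssh.nix is meant to enforce are present
# with the expected values. Each mismatch is printed as a FAIL line.
check_sshd_policy() {
    cfg=$(cat)
    rc=0
    for want in "passwordauthentication no" \
                "kbdinteractiveauthentication no" \
                "permitrootlogin no"; do
        key=${want%% *}        # keyword, e.g. passwordauthentication
        expected=${want#* }    # value we require, e.g. no
        # sshd -T prints one "keyword value" pair per line, keywords lowercased.
        actual=$(printf '%s\n' "$cfg" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$actual" != "$expected" ]; then
            printf 'FAIL %s: got "%s", want "%s"\n' "$key" "$actual" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: effective config on a host that imported ssh.nix.
HARDENED_SAMPLE='port 22
addressfamily any
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes'

# Constructed sample: a host that enabled sshd without the module (OpenSSH
# defaults, where password and keyboard-interactive auth stay on).
DEFAULT_SAMPLE='port 22
addressfamily any
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
pubkeyauthentication yes'

# On a real host the invocation is simply:  sshd -T | check_sshd_policy
if printf '%s\n' "$HARDENED_SAMPLE" | check_sshd_policy; then
    echo "hardened sample: policy enforced"
fi
printf '%s\n' "$DEFAULT_SAMPLE" | check_sshd_policy \
    || echo "default sample: policy NOT enforced"
```

Checking `sshd -T` rather than grepping the Nix file is deliberate: it catches a host that forgot the import, and it catches a later module that overrides one of the settings, both of which look fine at the source level.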