From 89749d73a82bd0bfdfa225be06a6db8e82371ff4 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Mon, 20 Mar 2023 11:51:00 +0100 Subject: ... --- hosts/eostre/default.nix | 11 ++++++++- hosts/sif/default.nix | 8 ++++++- hosts/surtr/default.nix | 2 -- hosts/vidhar/default.nix | 4 ---- system-profiles/initrd-ssh/module.nix | 2 +- system-profiles/openssh/default.nix | 44 ++++++++++++++++++++++++++++++----- 6 files changed, 56 insertions(+), 15 deletions(-) diff --git a/hosts/eostre/default.nix b/hosts/eostre/default.nix index 01dee9ae..2752d136 100644 --- a/hosts/eostre/default.nix +++ b/hosts/eostre/default.nix @@ -4,7 +4,7 @@ with lib; { imports = with flake.nixosModules.systemProfiles; [ - default-locale nfsroot + default-locale nfsroot openssh ]; config = { @@ -96,5 +96,14 @@ with lib; videoDrivers = [ "nvidia" ]; }; + + + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; }; } diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 4c405436..ca2f183b 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix @@ -298,7 +298,13 @@ in { after = ["dnsmasq.service" "sys-subsystem-net-devices-virbr0.device"]; }; - services.openssh.enable = true; + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; powerManagement = { enable = true; diff --git a/hosts/surtr/default.nix b/hosts/surtr/default.nix index 75dd9847..6925445b 100644 --- a/hosts/surtr/default.nix +++ b/hosts/surtr/default.nix @@ -135,8 +135,6 @@ with lib; services.openssh = { enable = true; - passwordAuthentication = false; - kbdInteractiveAuthentication = false; extraConfig = '' AllowGroups ssh ''; diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index d064e3da..b0277c14 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix 
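Review bot: The new `services.openssh` block in hosts/eostre/default.nix turns on both `PasswordAuthentication` and `KbdInteractiveAuthentication` without a comment saying why this host needs password logins, even though it overrides the `mkDefault false` that the openssh profile introduces in the same commit. A one-line comment at the block, e.g. `# password logins required on this host: <reason>`, keeps the exception reviewable later. The sif hunk adds the identical block; if more hosts follow, a small profile option that sets both directives together would avoid repeating the pair. Unlike surtr and vidhar, this host does not narrow logins with `AllowGroups`, so if sshd here is reachable beyond the local network, pairing password auth with a group or `Match` restriction is worth considering.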
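Review bot: Dropping `passwordAuthentication = false` and `kbdInteractiveAuthentication = false` from hosts/surtr/default.nix leaves surtr's password policy to the openssh profile's new `mkDefault false`, which only applies if this host imports `system-profiles/openssh`; the imports list is outside the hunk, so that should be confirmed, since without the profile the stock NixOS defaults apply and, as far as I recall, those permit password authentication. The vidhar hunk removes the equivalent `settings` block and has the same dependency on the profile import. The enclosing `services.openssh` attrset continues past both hunks.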
@@ -82,10 +82,6 @@ with lib; services.openssh = { enable = true; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; extraConfig = '' AllowGroups ssh ''; diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix index 18a50cbf..2e75a8c4 100644 --- a/system-profiles/initrd-ssh/module.nix +++ b/system-profiles/initrd-ssh/module.nix @@ -116,7 +116,7 @@ in Port ${toString cfg.port} PasswordAuthentication no - ChallengeResponseAuthentication no + KbdInteractiveAuthentication no ${flip concatMapStrings cfg.hostKeys (path: '' HostKey ${initrdKeyPath path} diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix index cc4ecdf0..8f0bd11b 100644 --- a/system-profiles/openssh/default.nix +++ b/system-profiles/openssh/default.nix @@ -8,7 +8,7 @@ in { options = { services.openssh.staticHostKeys = mkOption { type = types.bool; - default = true; + default = pathExists (./host-keys + "/${hostName}.yaml"); }; }; 
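Review bot: The new default `pathExists (./host-keys + "/${hostName}.yaml")` makes `staticHostKeys` silently become false when the key file is absent, and in the profile body that means `hostKeys` is no longer forced to `[]`, so the NixOS module's default host keys get generated at service start instead of the build failing loudly for a host whose static keys simply were not committed. An assertion or `warnings` entry when the file is missing, or at least an option `description` stating that the default is auto-detected from `host-keys/<hostName>.yaml`, would make the behaviour explicit; the option currently has no description at all. `hostName` is bound outside the hunk, presumably to the configured networking hostname, so it is worth confirming it is always set before this default is evaluated.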
@@ -18,13 +18,45 @@ in {
 services.openssh = mkIf cfg.enable {
 hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
 settings = {
- Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
- Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
- KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+ Ciphers = [
+ "chacha20-poly1305@openssh.com"
+ "aes256-gcm@openssh.com"
+ "aes256-ctr"
+ ];
+ Macs = [
+ "hmac-sha2-256-etm@openssh.com"
+ "hmac-sha2-256"
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-512"
+ ];
+ KexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group-exchange-sha256"
+ ];
+ HostKeyAlgorithms = concatStringsSep "," [
+ "sk-ssh-ed25519-cert-v01@openssh.com"
+ "ssh-ed25519-cert-v01@openssh.com"
+ "rsa-sha2-256-cert-v01@openssh.com"
+ "rsa-sha2-512-cert-v01@openssh.com"
+ "sk-ssh-ed25519@openssh.com"
+ "ssh-ed25519"
+ "rsa-sha2-256"
+ "rsa-sha2-512"
+ ];
+ CASignatureAlgorithms = concatStringsSep "," [
+ "sk-ssh-ed25519@openssh.com"
+ "ssh-ed25519"
+ "rsa-sha2-256"
+ "rsa-sha2-512"
+ ];
+
 LogLevel = "VERBOSE";
- HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
- CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
 RevokedKeys = "/etc/ssh/krl.bin";
+
+ PasswordAuthentication = mkDefault false;
+ KbdInteractiveAuthentication = mkDefault false;
 };
 moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
 extraConfig = ''
--
cgit v1.2.3
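Review bot: `HostKeyAlgorithms` and `CASignatureAlgorithms` are written as `concatStringsSep "," [ ... ]` while `Ciphers`, `Macs` and `KexAlgorithms` in the same attrset are plain lists; if the NixOS `settings` type accepts lists for freeform keys, plain lists would read consistently, and if it does not, a short comment such as `# freeform settings keys are strings, so join here` saves the next reader the question. `KexAlgorithms` now leads with `sntrup761x25519-sha512@openssh.com`, which only parses on an OpenSSH build that supports it (added in 8.5 as far as I recall); a comment naming that requirement helps if an older sshd, such as the initrd one, ever shares this list. The `PasswordAuthentication = mkDefault false` / `KbdInteractiveAuthentication = mkDefault false` pair deserves a comment that hosts are expected to override it explicitly, since `mkDefault` lets any plain host assignment win without `mkForce`. The `services.openssh` attrset continues past the hunk (moduliFile, extraConfig).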