From 89749d73a82bd0bfdfa225be06a6db8e82371ff4 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Mar 2023 11:51:00 +0100
Subject: ...
---
 system-profiles/openssh/default.nix | 44 ++++++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 6 deletions(-)
(limited to 'system-profiles/openssh')
diff --git a/system-profiles/openssh/default.nix b/system-profiles/openssh/default.nix
index cc4ecdf0..8f0bd11b 100644
--- a/system-profiles/openssh/default.nix
+++ b/system-profiles/openssh/default.nix
@@ -8,7 +8,7 @@ in {
   options = {
     services.openssh.staticHostKeys = mkOption {
       type = types.bool;
-      default = true;
+      default = pathExists (./host-keys + "/${hostName}.yaml");
     };
   };
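Review bot: The new default on `services.openssh.staticHostKeys` turns a missing or misnamed `host-keys/<hostName>.yaml` into a silent fallback: `hostKeys` is then no longer forced to `[]`, so the NixOS module generates fresh host keys on first boot and every client that pinned the old fingerprint sees a host-key change with no signal at evaluation time. If that is intended, the option deserves a description saying so, e.g. `description = "Use the pre-provisioned host keys from ./host-keys/<hostName>.yaml instead of letting NixOS generate them; defaults to true only when that file exists.";`, and a host that must never generate its own keys should set the option to `true` explicitly so a typo in the file name is presumably noticed (sshd left without keys) rather than papered over. `hostName` and `pathExists` are bound outside the hunk (the `let` before `in {`), and the module attribute set continues past it.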
@@ -18,13 +18,45 @@ in {
   services.openssh = mkIf cfg.enable {
     hostKeys = mkIf cfg.staticHostKeys (mkForce []); # done manually
     settings = {
-      Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes256-ctr" ];
-      Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-256" "hmac-sha2-512-etm@openssh.com" "hmac-sha2-512" ];
-      KexAlgorithms = [ "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" ];
+      Ciphers = [
+        "chacha20-poly1305@openssh.com"
+        "aes256-gcm@openssh.com"
+        "aes256-ctr"
+      ];
+      Macs = [
+        "hmac-sha2-256-etm@openssh.com"
+        "hmac-sha2-256"
+        "hmac-sha2-512-etm@openssh.com"
+        "hmac-sha2-512"
+      ];
+      KexAlgorithms = [
+        "sntrup761x25519-sha512@openssh.com"
+        "curve25519-sha256"
+        "curve25519-sha256@libssh.org"
+        "diffie-hellman-group-exchange-sha256"
+      ];
+      HostKeyAlgorithms = concatStringsSep "," [
+        "sk-ssh-ed25519-cert-v01@openssh.com"
+        "ssh-ed25519-cert-v01@openssh.com"
+        "rsa-sha2-256-cert-v01@openssh.com"
+        "rsa-sha2-512-cert-v01@openssh.com"
+        "sk-ssh-ed25519@openssh.com"
+        "ssh-ed25519"
+        "rsa-sha2-256"
+        "rsa-sha2-512"
+      ];
+      CASignatureAlgorithms = concatStringsSep "," [
+        "sk-ssh-ed25519@openssh.com"
+        "ssh-ed25519"
+        "rsa-sha2-256"
+        "rsa-sha2-512"
+      ];
+      LogLevel = "VERBOSE";
-      HostKeyAlgorithms = "sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
-      CASignatureAlgorithms = "sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-256,rsa-sha2-512";
       RevokedKeys = "/etc/ssh/krl.bin";
+
+      PasswordAuthentication = mkDefault false;
+      KbdInteractiveAuthentication = mkDefault false;
     };
     moduliFile = mkIf (config.sops.secrets ? "ssh_moduli") config.sops.secrets.ssh_moduli.path;
     extraConfig = ''
--
cgit v1.2.3
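Review bot: The reformatted `Macs` list still advertises the plain encrypt-and-MAC entries `hmac-sha2-256` and `hmac-sha2-512` alongside their `-etm@openssh.com` counterparts; they only come into play with `aes256-ctr` (the two AEAD ciphers ignore the MAC setting), and the non-ETM modes are the ones hardening scanners flag, so unless a known peer still needs them the list can shrink to `Macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" ];`, otherwise a comment naming that peer would help. `sntrup761x25519-sha512@openssh.com` at the head of `KexAlgorithms` is only known to OpenSSH 8.5 and later, and sshd rejects its config on an unknown kex name, so this presumes `pkgs.openssh` is at least that new. Style-wise, `HostKeyAlgorithms` and `CASignatureAlgorithms` are joined with `concatStringsSep ","` while `Ciphers`, `Macs` and `KexAlgorithms` are passed as bare lists; if the settings renderer joins lists itself the explicit join is redundant, and if it does not the three bare lists are the ones that break, so one form should be used for all five. The `PasswordAuthentication`/`KbdInteractiveAuthentication` defaults use `mkDefault`, meaning any plain assignment elsewhere silently re-enables them — presumably intended as a per-host opt-in, which a one-line comment such as `# mkDefault: hosts may opt back in per-host` would make explicit.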