From cd47e773ddfea15ca0ead1079549c9f58ffbf2ac Mon Sep 17 00:00:00 2001
From: Artemis Tosini
Date: Tue, 30 Aug 2022 16:15:54 +0000
Subject: [PATCH] Harden SSH config

---
 home/ssh/default.nix | 5 +++--
 sets/sshd.nix | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/home/ssh/default.nix b/home/ssh/default.nix
index 4159f59..c7e0611 100644
--- a/home/ssh/default.nix
+++ b/home/ssh/default.nix
@@ -11,9 +11,10 @@
 # We have to do this as text to gaurantee it's part of the last Host * block
 userKnownHostsFile = "~/.ssh/known_hosts ${./extra_known_hosts}";
 extraConfig = ''
- KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
- MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+ KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com
 VerifyHostKeyDNS ask
 VisualHostKey yes
 UpdateHostKeys ask
diff --git a/sets/sshd.nix b/sets/sshd.nix
index b7e5f9c..24203f8 100644
--- a/sets/sshd.nix
+++ b/sets/sshd.nix
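Review bot: The added HostKeyAlgorithms line excludes every ecdsa-sha2-nistp* host key type, so a host that offers only an ECDSA host key will be refused outright, and a host currently pinned in known_hosts by an ECDSA key will, as far as I can tell, negotiate an ed25519 or RSA key the client has never seen and raise a fresh trust-on-first-use prompt (VerifyHostKeyDNS ask and UpdateHostKeys ask help the user answer it but do not remove it). That is a reasonable hardening choice, but it is a behaviour change that deserves a comment beside the line, e.g. `# ECDSA/NIST host keys and non-ETM MACs excluded on purpose; hosts that only have ecdsa keys need a per-Host override` inside the extraConfig text. The same comment should say that the client still allows diffie-hellman-group-exchange-sha256 for kex while sets/sshd.nix in this commit does not, so a reader does not assume the two lists are meant to match. The extraConfig string is closed outside the hunk.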
@@ -6,6 +6,17 @@
 permitRootLogin = "no";
 passwordAuthentication = false;
 kbdInteractiveAuthentication = false;
+
+ kexAlgorithms = [
+ "sntrup761x25519-sha512@openssh.com"
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ ];
+ macs = [
+ "hmac-sha2-512-etm@openssh.com"
+ "hmac-sha2-256-etm@openssh.com"
+ "umac-128-etm@openssh.com"
+ ];
 };
 # users.users.artemis.openssh.authorizedKeys.keys set in private
 }
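Review bot: The server-side hardening stops at key exchange and MACs; the new kexAlgorithms and macs lists leave sshd's cipher list at the module default even though the client half of this commit pins Ciphers, so a matching `ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" "aes128-gcm@openssh.com" ];` via the services.openssh.ciphers option would keep the two sides consistent. The kex list also omits the diffie-hellman-group-exchange-sha256 that the client keeps, which means any peer limited to NIST ECDH or DH-GEX can no longer connect to this host; if that is intended, a one-line comment above kexAlgorithms saying so will stop the next reader from "fixing" it. The enclosing attribute set starts before the hunk.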