From 78aae0bda1053235c0fc43556dbd0b58fd4aea8b Mon Sep 17 00:00:00 2001 From: ene Date: Sat, 7 Jan 2023 21:06:45 +0100 Subject: Feat: Some security for ssh Yes, root login is in itself a bad thing, but reducing the attack surface somewhat should be a good first step to a bright future. --- configuration.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'configuration.nix') diff --git a/configuration.nix b/configuration.nix index dd6b7a8..852a6ee 100644 --- a/configuration.nix +++ b/configuration.nix @@ -2,19 +2,25 @@ imports = [ ./hardware-configuration.nix ./packages.nix - ./networking.nix # generated at runtime by nixos-infect + ./networking.nix # network configuration that just works ]; boot.cleanTmpDir = true; zramSwap.enable = true; networking.hostName = "server1"; networking.domain = "vhack.eu"; - services.openssh.enable = true; + + # openssh config + services.openssh = { + enable = true; + passwordAuthentication = false; + extraConfig = "PrintMotd yes\n"; # this could be done with pam + }; users.users.root.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2mYuiOuIb13E3wJRYPHOFN/dR5ySFozG2I/18HBSRJ dt@DESKTOP-IDOHVE" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBFuTNNn71Rhfnop2cdz3r/RhWWlCePnSBOhTBbu2ME soispha" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG63gxw8JePmrC8Fni0pLV4TnPBhCPmSV9FYEdva+6s7 sils" ]; system.stateVersion = "22.11"; } +# vim: ts=2 -- cgit 1.4.1