more sane ssh settings, see https://github.com/jtesta/ssh-audit

2023-12-29 12:08:50 +01:00 · 2023-12-29 12:08:50 +01:00 · 83ca6290a2
parent 35b3ed0cbc
commit 83ca6290a2
1 changed files with 6 additions and 1 deletions
--- a/common.nix
+++ b/common.nix
@ -83,7 +83,12 @@ in
    hostKeys = [{
      path = "/nix/persistent/ssh_host_ed25519_key";
      type = "ed25519";
-    }];
+    }];;
+
+    # only safe ciphers & Co.
+    settings.Ciphers = [ "aes256-gcm@openssh.com" ];
+    settings.KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" ];
+    settings.Macs = [ "hmac-sha2-512-etm@openssh.com" ];
  };

  # guard the ssh service