author | aszlig <aszlig@nix.build> | 2018-04-21 00:20:05 +0200 |
---|---|---|
committer | aszlig <aszlig@nix.build> | 2018-04-21 00:20:05 +0200 |
commit | 84baec05e499d60b8a5e27cc1303b64b38705734 (patch) | |
tree | fe8537449ae201ebe7cafc759e09e3f0902eb806 /modules/user | |
parent | ef28f71b49a45425ac0bf24db5ecfb0897b1f98b (diff) |
profiles/base: Provide sane OpenSSH defaults
It's been ages since I needed to authenticate to SSHd via a password, so let's actually make sure we only use pubkey auth by default. If we need more than that we can still change the value to something else on a per-machine basis.

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'modules/user')
-rw-r--r-- | modules/user/aszlig/profiles/base.nix | 4 |
-rw-r--r-- | modules/user/aszlig/profiles/workstation/default.nix | 5 |
2 files changed, 5 insertions, 4 deletions
diff --git a/modules/user/aszlig/profiles/base.nix b/modules/user/aszlig/profiles/base.nix index c6123e7d..e79e3c61 100644 --- a/modules/user/aszlig/profiles/base.nix +++ b/modules/user/aszlig/profiles/base.nix @@ -48,6 +48,10 @@ in { MaxRetentionSec=3month ''; + services.openssh.passwordAuthentication = false; + services.openssh.permitRootLogin = "no"; + services.openssh.challengeResponseAuthentication = false; + environment.systemPackages = with pkgs; [ binutils cacert diff --git a/modules/user/aszlig/profiles/workstation/default.nix b/modules/user/aszlig/profiles/workstation/default.nix index b39b847e..000378b2 100644 --- a/modules/user/aszlig/profiles/workstation/default.nix +++ b/modules/user/aszlig/profiles/workstation/default.nix @@ -113,10 +113,7 @@ in { vuizvui.programs.gnupg.agent.scdaemon.enable = true; services = { - openssh = { - enable = true; - permitRootLogin = "without-password"; - }; + openssh.enable = true; xfs.enable = false; |
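Review bot: In the base.nix hunk the three `services.openssh.*` values are plain assignments, so they are not really defaults in the module-system sense: a machine that sets `services.openssh.passwordAuthentication = true;` at normal priority will hit a conflicting-definition error instead of overriding the profile, and would need `mkForce`. Since the commit message says the value should stay changeable per machine, consider wrapping each one in `mkDefault`, e.g. `services.openssh.passwordAuthentication = lib.mkDefault false;` (assuming `lib` is in scope in this file, which the hunk does not show). A short comment above the block saying that only public-key authentication is intended would also help the next reader.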
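Review bot: In the workstation/default.nix hunk, dropping `permitRootLogin = "without-password";` is a behaviour change that the commit message does not mention: if the workstation profile picks up the new base value `permitRootLogin = "no"`, root can no longer log in over SSH even with a key, whereas before key-based root login was allowed. That is the stricter setting, but it is worth stating in the commit message and confirming that nothing on these machines relies on root login by key. If it should stay possible on workstations, keep an explicit `openssh.permitRootLogin` here rather than removing it.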