authoraszlig <aszlig@nix.build>2018-04-21 00:20:05 +0200
committeraszlig <aszlig@nix.build>2018-04-21 00:20:05 +0200
commit84baec05e499d60b8a5e27cc1303b64b38705734 (patch)
treefe8537449ae201ebe7cafc759e09e3f0902eb806 /modules
parentef28f71b49a45425ac0bf24db5ecfb0897b1f98b (diff)
profiles/base: Provide sane OpenSSH defaults
It's been ages since I needed to authenticate to SSHd via a password, so
let's actually make sure we only use pubkey auth by default. If we need
more than that we can still change the value to something else on a per-
machine basis.

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'modules')
-rw-r--r--modules/user/aszlig/profiles/base.nix4
-rw-r--r--modules/user/aszlig/profiles/workstation/default.nix5
2 files changed, 5 insertions, 4 deletions
diff --git a/modules/user/aszlig/profiles/base.nix b/modules/user/aszlig/profiles/base.nix
index c6123e7d..e79e3c61 100644
--- a/modules/user/aszlig/profiles/base.nix
+++ b/modules/user/aszlig/profiles/base.nix
@@ -48,6 +48,10 @@ in {
       MaxRetentionSec=3month
     '';
 
+    services.openssh.passwordAuthentication = false;
+    services.openssh.permitRootLogin = "no";
+    services.openssh.challengeResponseAuthentication = false;
+
     environment.systemPackages = with pkgs; [
       binutils
       cacert
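Review bot: The three added `services.openssh.*` lines are plain definitions rather than module-system defaults, so a machine that assigns a different value at normal priority will most likely fail evaluation with a conflicting-definitions error unless it uses `mkForce`. If per-machine overrides are meant to be easy, as the commit message says, wrap them, e.g. `services.openssh.passwordAuthentication = lib.mkDefault false;` (assuming `lib` is in scope in this file, which the hunk does not show). If weakening SSH authentication should instead stay a deliberate act, keep the plain form and say so in a comment such as `# Pubkey-only SSH, no root login; per-machine overrides need mkForce.` It would also help to note beside `permitRootLogin = "no"` that it replaces the workstation profile's earlier `"without-password"`, so root key login is no longer available on machines using that profile. The enclosing `in { … }` attribute set starts and ends outside the hunk.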
diff --git a/modules/user/aszlig/profiles/workstation/default.nix b/modules/user/aszlig/profiles/workstation/default.nix
index b39b847e..000378b2 100644
--- a/modules/user/aszlig/profiles/workstation/default.nix
+++ b/modules/user/aszlig/profiles/workstation/default.nix
@@ -113,10 +113,7 @@ in {
     vuizvui.programs.gnupg.agent.scdaemon.enable = true;
 
     services = {
-      openssh = {
-        enable = true;
-        permitRootLogin = "without-password";
-      };
+      openssh.enable = true;
 
       xfs.enable = false;