};
services.openssh = {
openFirewall = lib.mkDefault false;
+ # Avoid TOFU MITM by providing well known public keys here.
+ knownHosts = {
+ "git.sr.ht".hostNames = [ "git.sr.ht" ];
+ "git.sr.ht".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60";
+
+ "github.com".hostNames = [ "github.com" ];
+ "github.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl";
+
+ "gitlab.com".hostNames = [ "gitlab.com" ];
+ "gitlab.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf";
+ };
+ openFirewall = mkDefault false;
settings = {
+ KbdInteractiveAuthentication = lib.mkDefault false;
+ # Use key exchange algorithms recommended by `nixpkgs#ssh-audit`
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ "diffie-hellman-group16-sha512"
+ "diffie-hellman-group18-sha512"
+ "sntrup761x25519-sha512@openssh.com"
+ ];
PasswordAuthentication = false;
+ # Remove any remote gpg-agent's socket.
+ StreamLocalBindUnlink = true;
+ UseDns = lib.mkDefault false;
+ X11Forwarding = lib.mkDefault false;
};
};
}
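Review bot: The added `openFirewall = mkDefault false;` just above `settings` duplicates the existing `openFirewall = lib.mkDefault false;` at the top of the same `services.openssh` attrset, which Nix rejects as an attribute already defined, and its bare `mkDefault` only resolves if `lib` is brought into scope somewhere outside this hunk; the added line should simply be dropped. `knownHosts` is the client-side known_hosts option, exposed in current NixOS as `programs.ssh.knownHosts`, so unless `services.openssh.knownHosts` is still accepted as a legacy alias this block will fail evaluation or silently do nothing — worth confirming with a build before relying on it to prevent TOFU. The pinned ed25519 keys are what make the MITM protection real, so they should be cross-checked against each provider's own published fingerprints rather than copied from a secondary source, and a comment recording where and when they were verified would help future rotations. The comment on `StreamLocalBindUnlink` could state what the option actually does, e.g. `# Unlink a stale Unix socket before binding a forwarded one (e.g. a remote gpg-agent socket).`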