From bcfdf962f3dd82969f9191280aab277ac37096bc Mon Sep 17 00:00:00 2001
From: Dan
Date: Mon, 5 Jan 2026 17:09:07 -0800
Subject: [PATCH] Disable security modules pending fixes, patch ssh-hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ssh-hardening.nix had fatal bugs:
- UsePAM=false breaks NixOS SSH auth
- Protocol=2 deprecated, crashes modern sshd
- AllowUsers defaulted to ["admin"], locks out all users

Partial fixes applied but module still unsafe to enable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 hosts/ops-jrz1.nix                 |  4 ++++
 modules/security/ssh-hardening.nix | 14 +++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/hosts/ops-jrz1.nix b/hosts/ops-jrz1.nix
index 0cd798a..bd3a66e 100644
--- a/hosts/ops-jrz1.nix
+++ b/hosts/ops-jrz1.nix
@@ -94,6 +94,10 @@
   # Local backup service (Phase 1: manual trigger)
   services.backup.enable = true;
 
+  # Security hardening - DISABLED pending fixes
+  # security.fail2ban-enhanced.enable = true;
+  # security.ssh-hardening.enable = true;
+
   # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
   programs.nix-ld.enable = true;
   programs.nix-ld.libraries = with pkgs; [
diff --git a/modules/security/ssh-hardening.nix b/modules/security/ssh-hardening.nix
index f15c2f0..0a363e9 100644
--- a/modules/security/ssh-hardening.nix
+++ b/modules/security/ssh-hardening.nix
@@ -15,8 +15,8 @@ with lib;
 
     allowUsers = mkOption {
       type = types.listOf types.str;
-      default = [ "admin" ];
-      description = "Users allowed to SSH";
+      default = [ ];
+      description = "Users allowed to SSH (empty = allow all authenticated users)";
     };
 
     maxAuthTries = mkOption {
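Review bot: The host hunk comments out `security.fail2ban-enhanced.enable = true;` together with the ssh-hardening line, but the commit message only describes defects in ssh-hardening.nix, so fail2ban-enhanced appears to be switched off without a stated reason; until both are re-enabled the host presumably runs with the stock sshd configuration and without whatever brute-force mitigation that module provided. If fail2ban-enhanced itself is not broken, consider leaving it active and commenting out only the ssh-hardening line. Either way the comment should say what gates re-enablement, e.g. `# Security hardening - DISABLED pending fixes to ssh-hardening.nix (UsePAM, Protocol, AllowUsers default); re-enable once the module is verified on a test host`.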
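Review bot: With `default = [ ]` in the allowUsers hunk the option's intended usage is no longer visible from the declaration; add `example = [ "admin" ];` so the allowlist form stays documented now that the default no longer shows it. The "empty = allow all authenticated users" wording in the description is only true because the config section (the hunk at line 47 of the same file) wraps `AllowUsers` in `mkIf`, so the two hunks must stay in sync if either is changed later. The enclosing options attrset starts and ends outside this hunk.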
@@ -47,17 +47,17 @@ with lib;
 
       # Security settings
       PermitEmptyPasswords = false;
-      UsePAM = false;
+      # UsePAM must stay true - NixOS SSH auth requires PAM
       X11Forwarding = false;
       AllowAgentForwarding = config.security.ssh-hardening.level == "development";
       AllowTcpForwarding = config.security.ssh-hardening.level != "paranoid";
       GatewayPorts = "no";
 
-      # User restrictions
-      AllowUsers = config.security.ssh-hardening.allowUsers;
+      # User restrictions (only set if explicitly configured)
+      AllowUsers = mkIf (config.security.ssh-hardening.allowUsers != [])
+        config.security.ssh-hardening.allowUsers;
 
-      # Protocol settings
-      Protocol = 2;
+      # Logging
       LogLevel = if config.security.ssh-hardening.level == "paranoid" then "VERBOSE" else "INFO";
 
       # Timing settings
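Review bot: The replacement comment `# UsePAM must stay true - NixOS SSH auth requires PAM` states a requirement the module no longer enforces; after removing `UsePAM = false;` it relies on the openssh module's default rather than pinning the value. If `services.openssh.settings` does not already define it, `UsePAM = true;` next to that comment would make the invariant explicit and turn a future conflicting definition into an evaluation error instead of a silent lockout. Separately, with `allowUsers` defaulting to the empty list the new `mkIf` leaves `AllowUsers` unset even at `level = "paranoid"`, so the strictest level no longer restricts which accounts may log in; a `warnings` entry or assertion when paranoid is combined with an empty allowlist would surface that. The enclosing settings attrset starts and ends outside this hunk.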