Disable security modules pending fixes, patch ssh-hardening

ssh-hardening.nix had fatal bugs:
- UsePAM=false breaks NixOS SSH auth
- Protocol=2 deprecated, crashes modern sshd
- AllowUsers defaulted to ["admin"], locks out all users

Partial fixes have been applied, but the module is still unsafe to enable.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Dan 2026-01-05 17:09:07 -08:00
parent a25abda825
commit bcfdf962f3
2 changed files with 11 additions and 7 deletions


@ -94,6 +94,10 @@
# Local backup service (Phase 1: manual trigger) # Local backup service (Phase 1: manual trigger)
services.backup.enable = true; services.backup.enable = true;
# Security hardening - DISABLED pending fixes
# security.fail2ban-enhanced.enable = true;
# security.ssh-hardening.enable = true;
# nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary) # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
programs.nix-ld.enable = true; programs.nix-ld.enable = true;
programs.nix-ld.libraries = with pkgs; [ programs.nix-ld.libraries = with pkgs; [
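Review bot: The commit message names bugs only in ssh-hardening.nix, yet the hunk also comments out `security.fail2ban-enhanced.enable = true;` with no reason given, so a reader of the config cannot tell whether fail2ban-enhanced is itself broken or was swept up with the other module. The `# Security hardening - DISABLED pending fixes` comment should say what blocks re-enabling each one, e.g. `# DISABLED pending fixes: ssh-hardening is still unsafe after partial fixes (see ssh-hardening.nix); fail2ban-enhanced disabled alongside it - reason TODO`. Until both are re-enabled the host runs with stock sshd settings and without this enhanced fail2ban module, which is worth stating in the comment so the interim exposure is visible in the config and not only in the commit log.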


@ -15,8 +15,8 @@ with lib;
allowUsers = mkOption { allowUsers = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [ "admin" ]; default = [ ];
description = "Users allowed to SSH"; description = "Users allowed to SSH (empty = allow all authenticated users)";
}; };
maxAuthTries = mkOption { maxAuthTries = mkOption {
@ -47,17 +47,17 @@ with lib;
# Security settings # Security settings
PermitEmptyPasswords = false; PermitEmptyPasswords = false;
UsePAM = false; # UsePAM must stay true - NixOS SSH auth requires PAM
X11Forwarding = false; X11Forwarding = false;
AllowAgentForwarding = config.security.ssh-hardening.level == "development"; AllowAgentForwarding = config.security.ssh-hardening.level == "development";
AllowTcpForwarding = config.security.ssh-hardening.level != "paranoid"; AllowTcpForwarding = config.security.ssh-hardening.level != "paranoid";
GatewayPorts = "no"; GatewayPorts = "no";
# User restrictions # User restrictions (only set if explicitly configured)
AllowUsers = config.security.ssh-hardening.allowUsers; AllowUsers = mkIf (config.security.ssh-hardening.allowUsers != [])
config.security.ssh-hardening.allowUsers;
# Protocol settings # Logging
Protocol = 2;
LogLevel = if config.security.ssh-hardening.level == "paranoid" then "VERBOSE" else "INFO"; LogLevel = if config.security.ssh-hardening.level == "paranoid" then "VERBOSE" else "INFO";
# Timing settings # Timing settings
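Review bot: Changing the `allowUsers` default to `[ ]` and wrapping `AllowUsers` in `mkIf` fixes the lockout, but it also means every hardening level, including `"paranoid"`, now applies no user restriction unless the deployer remembers to set the list; nothing in the hunk ties the stricter level to an explicit allow-list. A module-level assertion would keep the lockout fix while turning the omission into an evaluation error at the paranoid level; it belongs in the module's `config` block, which is outside this hunk (the `settings` attrset shown here also starts and ends outside it). The `UsePAM` line is replaced by a comment only, so the effective value now comes from the NixOS default rather than from this module; if the intent is that it must be true, `UsePAM = true;` next to the comment would state that explicitly - confirm nothing else in the module overrides it. The `Protocol = 2;` removal matches the commit message and needs no follow-up.
```nix
# … unchanged: services.openssh.settings = { … }; …
assertions = [{
  assertion = config.security.ssh-hardening.level != "paranoid"
    || config.security.ssh-hardening.allowUsers != [ ];
  message = "security.ssh-hardening: level \"paranoid\" requires a non-empty allowUsers list";
}];
```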