Disable security modules pending fixes, patch ssh-hardening

ssh-hardening.nix had fatal bugs: - UsePAM=false breaks NixOS SSH auth - Protocol=2 deprecated, crashes modern sshd - AllowUsers defaulted to ["admin"], locks out all users Partial fixes applied but module still unsafe to enable. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-05 17:09:07 -08:00 · 2026-01-05 17:09:07 -08:00 · bcfdf962f3
parent a25abda825
commit bcfdf962f3
2 changed files with 11 additions and 7 deletions
--- a/hosts/ops-jrz1.nix
+++ b/hosts/ops-jrz1.nix
@ -94,6 +94,10 @@
  # Local backup service (Phase 1: manual trigger)
  services.backup.enable = true;

+  # Security hardening - DISABLED pending fixes
+  # security.fail2ban-enhanced.enable = true;
+  # security.ssh-hardening.enable = true;
+
  # nix-ld for VS Code Remote-SSH (runs pre-compiled VS Code Server binary)
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
--- a/modules/security/ssh-hardening.nix
+++ b/modules/security/ssh-hardening.nix
@ -15,8 +15,8 @@ with lib;

    allowUsers = mkOption {
      type = types.listOf types.str;
-      default = [ "admin" ];
-      description = "Users allowed to SSH";
+      default = [ ];
+      description = "Users allowed to SSH (empty = allow all authenticated users)";
    };

    maxAuthTries = mkOption {
@ -47,17 +47,17 @@ with lib;

        # Security settings
        PermitEmptyPasswords = false;
-        UsePAM = false;
+        # UsePAM must stay true - NixOS SSH auth requires PAM
        X11Forwarding = false;
        AllowAgentForwarding = config.security.ssh-hardening.level == "development";
        AllowTcpForwarding = config.security.ssh-hardening.level != "paranoid";
        GatewayPorts = "no";

-        # User restrictions
-        AllowUsers = config.security.ssh-hardening.allowUsers;
+        # User restrictions (only set if explicitly configured)
+        AllowUsers = mkIf (config.security.ssh-hardening.allowUsers != [])
+          config.security.ssh-hardening.allowUsers;

-        # Protocol settings
-        Protocol = 2;
+        # Logging
        LogLevel = if config.security.ssh-hardening.level == "paranoid" then "VERBOSE" else "INFO";

        # Timing settings