diff --git a/module/common/Sshd.nix b/module/common/Sshd.nix
index 7a231af5..49440c85 100644
--- a/module/common/Sshd.nix
+++ b/module/common/Sshd.nix
@@ -2,6 +2,7 @@
 users.users.root.openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGIf192IxsksM6u8UY+eqpHopebgV+NNq2G03ssdXIgz root@desktop"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJSWdbkYsRiDlKu8iT/k+JN4KY08iX9qh4VyqxlpEZcE root@home"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgiYKFkMfiGOZCZIk+O7LtaoF6A3cHEFCqaPwXOM4rR root@work"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIL2LI1iFDZC223aWqBVz9yusfB/XrRwsBKiL5warIF/ nix-on-droid@phone"
 ];
 services.openssh = {
@@ -14,12 +15,12 @@
 port = 22143;
 }
 ];
- settings = { # TODO: Migrate from passwords.
+ settings = {
 AllowUsers = [ "root" ];
 LoginGraceTime = "1m";
- MaxAuthTries = 4;
+ MaxAuthTries = 1;
 MaxSessions = 10;
- PermitRootLogin = "yes"; # TODO: Make `prohibit-password`.
+ PermitRootLogin = "prohibit-password";
 StrictModes = false;
 UseDns = false;
@@ -27,9 +28,9 @@
 GSSAPIAuthentication = false;
 HostbasedAuthentication = false;
- KbdInteractiveAuthentication = true;
+ KbdInteractiveAuthentication = false;
 KerberosAuthentication = false;
- PasswordAuthentication = true;
+ PasswordAuthentication = false;
 PermitEmptyPasswords = false;
 PubkeyAuthentication = true;
 };
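Review bot: The added `root@work` entry carries no key options, like the three keys around it, so it grants an unrestricted root shell on every host that imports this common module. If the work machine only ever connects from a known network, prefixing the entry with a `from="<work-network-pattern>"` option (placeholder value) would limit what a copied key is worth. A one-line comment above the entry, for example `# root@work: owner <name>, added <date>`, would also make later revocation auditable, since the trailing label is the only record of whose key this is.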
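Review bot: `MaxAuthTries = 1` leaves no margin for public-key clients, because sshd counts every offered key it does not accept as a failed attempt, so a client whose agent presents another identity first is disconnected before the right key is tried. The next hunk turns off `PasswordAuthentication` and `KbdInteractiveAuthentication`, which leaves that failure with no fallback short of console access. Either keep a small margin such as `MaxAuthTries = 3;`, or record the client requirement next to the setting, e.g. `# clients must pin their key (IdentitiesOnly yes + IdentityFile)`. `StrictModes = false;` remains in the context lines, and with key-only root login the permission checks it disables on the account's key files matter more than before, so it deserves a follow-up. The `settings` block closes outside this hunk.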