nixos-config/nixos-template-base
4
0
Fork 0
Code Issues 7 Pull Requests Releases Activity

renforcement serveur SSH en forcant les algos récents (selon mozilla)

Browse Source
This commit is contained in:
Jean-Pierre PRUNARET
2016-07-21 23:38:59 +02:00
parent 66252cb498
commit 20e8e8beaa
2 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
environment.nix
View File

@@ -22,6 +22,7 @@
gnupg # GPG gnupg # GPG
gpm # prise en charge de la souris en console gpm # prise en charge de la souris en console
htop # monitoring htop # monitoring
#libressl # librairie pour faire du TLS et les algorithmes de crypto par OpenBSD
ncdu # outil pour voir l'espace utilisé ncdu # outil pour voir l'espace utilisé
nmap # outil de scan de port réseau nmap # outil de scan de port réseau
mtr # outil de diagnostic réseau mtr # outil de diagnostic réseau

13
services.nix
View File

@@ -13,6 +13,19 @@
## OpenSSH daemon ## OpenSSH daemon
services.openssh = { services.openssh = {
enable = true; enable = true;
# https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
extraConfig = ''
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Use kernel sandbox mechanisms where possible in unprivilegied processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
UsePrivilegeSeparation sandbox
'';
}; };
# Monitoring # Monitoring