more sane ssh settings, see https://github.com/jtesta/ssh-audit

author: Christoph Cullmann <cullmann@kde.org> 2023-12-29 12:08:50 +0100
committer: Christoph Cullmann <cullmann@kde.org> 2023-12-29 12:08:50 +0100
commit: 83ca6290a283b500ff029b58b5d4aa40210f6abf (patch)
tree: 08bbf1533943b4ce8b9eef27a62e95e2403fcfeb
parent: 35b3ed0cbcf4ef4df7485f56ca49e2e911704363 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/common.nix b/common.nix
index 6e45b03..a698008 100644
--- a/common.nix
+++ b/common.nix
@@ -83,7 +83,12 @@ in
     hostKeys = [{
       path = "/nix/persistent/ssh_host_ed25519_key";
       type = "ed25519";
-    }];
+    }];;
+
+    # only safe ciphers & Co.
+    settings.Ciphers = [ "aes256-gcm@openssh.com" ];
+    settings.KexAlgorithms = [ "sntrup761x25519-sha512@openssh.com" ];
+    settings.Macs = [ "hmac-sha2-512-etm@openssh.com" ];
   };
 
   # guard the ssh service
author	Christoph Cullmann <cullmann@kde.org>	2023-12-29 12:08:50 +0100
committer	Christoph Cullmann <cullmann@kde.org>	2023-12-29 12:08:50 +0100
commit	83ca6290a283b500ff029b58b5d4aa40210f6abf (patch)
tree	08bbf1533943b4ce8b9eef27a62e95e2403fcfeb
parent	35b3ed0cbcf4ef4df7485f56ca49e2e911704363 (diff)