Difference between revisions of "SSH"

Revision as of 09:53, 24 April 2025

SSH (Secure Shell) is a protocol for securely accessing and managing a remote computer over an insecure network.

Configuration

Warning: Changing SSH configuration settings can significantly impact the security of your system(s). It is crucial to have a solid understanding of what you are doing before making any adjustments.

Avoid blindly copying and pasting examples, including those from this Wiki page, without conducting a thorough analysis. Failure to do so may compromise the security of your system(s) and lead to potential vulnerabilities.

Take the time to comprehend the implications of your actions and ensure that any changes made are done thoughtfully and with care.

Warning: If you plan on using SSH on a public network, Fail2ban is highly recommended as a base standard of security.

In your /etc/nix/configuration.nix add services.openssh. Only the enable option is required.

services.openssh = {
  enable = true;
  ports = [ 22 ];
  settings = {
    PasswordAuthentication = true;
    AllowUsers = null; # Allows all users by default. Can be [ "user1" "user2" ]
    UseDns = true;
    X11Forwarding = false;
    PermitRootLogin = "prohibit-password"; # "yes", "without-password", "prohibit-password", "forced-commands-only", "no"
  };
};

You may have to open a port in the firewall:

networking.firewall.allowedTCPPorts

The complete list of options can be found here.

Tips

To include SSH server without autostarting it, its required to override the systemd service like so

systemd.services.sshd.wantedBy = lib.mkForce [ ];

@@ Line 36: / Line 36: @@
 The complete list of options [https://search.nixos.org/options?show=services.openssh can be found here].
+=== Tips ===
+To include SSH server without autostarting it, its required to override the systemd service like so
+<syntaxhighlight lang="nix">
+systemd.services.sshd.wantedBy = lib.mkForce [ ];
+</syntaxhighlight>