SSH: Difference between revisions

From Official NixOS Wiki
Woile (talk | contribs)
m update styling
Onny (talk | contribs)
Simplify and cleanup page
Line 10: Line 10:
  Take the time to comprehend the implications of your actions and ensure that any changes made are done thoughtfully and with care.}}

− = OpenSSH Server =
+ == Server ==

+ === Setup ===
  To enable a SSH service, add the following to your system configuration:

Line 18: Line 19:
     services.openssh = {
       enable = true;
−   };
+     openFirewall = true;
− </nowiki>
− }}
−
− By default, the server listens on port 22 and allows password authentication. Note that the port defined in the <code>openssh</code> config is opened automatically in the [[Firewall|firewall]].
−
− For more SSH server configuration options, refer to the {{nixos:option|services.openssh}} module options.
−
− == Security hardening ==
−
− To improve the security of your SSH server, it is recommended to apply the following measures:
−
− * Disable password-based login
−
− * Disable root login
−
− * Restrict allowed users
−
− * Change the default port
−
− These options can be configured declaratively in your system configuration:
−
− {{file|/etc/nixos/configuration.nix|nix|
− <nowiki>
−   services.openssh = {
−      enable = true;
−     ports = [ 5432 ];
       settings = {
         PasswordAuthentication = false;
Line 50: Line 25:
         PermitRootLogin = "no";
         AllowUsers = [ "myUser" ];
+       MaxAuthTries = 3;
+       PerSourcePenalties = "crash:3600s authfail:3600s max:86400s";
       };
     };
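Review bot: moving MaxAuthTries and PerSourcePenalties into `settings` is fine, but the only sentence that told readers PerSourcePenalties was introduced with OpenSSH 9.8 (together with its <ref>) is removed in the next hunk; keep a short version caveat next to `PerSourcePenalties = "crash:3600s authfail:3600s max:86400s";` so readers on an older OpenSSH release know the option is unavailable to them.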
Line 55: Line 32:
  |name=/etc/nixos/configuration.nix|lang=nix}}

− In addition to these settings, consider enabling [[#Fail2Ban|Fail2Ban]] as a recommended baseline for security. Alternatively, you can make use of '''PerSourcePenalties''' introduced with OpenSSH 9.8<ref>https://text.tchncs.de/senioradmin/are-you-still-banning-or-do-you-already-penalize</ref>:
+ The example restricts authentication only to the user defined in <code>settings.AllowUsers</code> by using [[SSH public key authentication|public key authentication]]. By default, the server listens on port 22. For further security, the default listenig port should be changed using the <code>ports</code> option.

− {{file|/etc/nixos/configuration.nix|nix|
+ For more SSH server configuration options, refer to the {{nixos:option|services.openssh}} module options.
− <nowiki>
−   services.openssh = {
−     [...]
−     extraConfig = "MaxAuthTries 3 \n PerSourcePenalties crash:3600s authfail:3600s max:86400s";
−   };
− </nowiki>
− |name=/etc/nixos/configuration.nix|lang=nix}}

− = SSH client configuration =
+ == Cliet ==

+ === Configuration ===
  The OpenSSH client is available by default on NixOS and can be configured using the {{nixos:option|programs.ssh}} module options.

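Review bot: the added heading `== Cliet ==` is a typo for `== Client ==`, and `listenig` in the added paragraph should read `listening`. The added paragraph also says logins are restricted "by using public key authentication" while the hunks above only show `PasswordAuthentication = false;`; a brief mention of the other setting that disables interactive logins (KbdInteractiveAuthentication, present in the rendered revision) would make that sentence self-explanatory.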
Line 94: Line 65:

  Alternatively, you can manually manage SSH client configuration by placing entries in the user-specific <code>~/.ssh/config</code> file.
− = SSH public key authentication =
− For details on configuring public key authentication, managing SSH keys, and setting up SSH agents, see the dedicated page: [[SSH public key authentication]].
− = Tips and tricks =
− == Fail2Ban ==
− {{main|Fail2ban}}
− [http://www.fail2ban.org/ Fail2Ban] is a service that bans hosts that cause multiple authentication errors.
− To enable Fail2Ban, add the following to your system configuration:
− {{file|/etc/nixos/configuration.nix|nix|
− <nowiki>
−   services.fail2ban.enable = true;
− </nowiki>
− }}
− == Endlessh ==
− [https://github.com/skeeto/endlessh Endlessh] is a SSH tarpit that slows down malicious or automated SSH connection attempts by indefinitely delaying connections.
− To enable Endlessh, add the following to your system configuration:
− {{file|/etc/nixos/configuration.nix|nix|
− <nowiki>
−   services.endlessh = {
−     enable = true;
−     port = 22;
−     openFirewall = true;
−   };
− </nowiki>
− }}
− For additional configuration options, see the{{nixos:option|services.endlessh}} module documentation.
− = See also =
− * [[SSH public key authentication]]
− * [[Fail2ban]]

  [[Category:Networking]]
  [[Category:Server]]

Revision as of 06:41, 31 May 2026

SSH (Secure Shell) is a protocol for securely accessing remote machines over an unsecured network. It is commonly used for remote administration, file transfers, and secure tunneling.

This page covers the setup and management of SSH on NixOS systems. NixOS primarily uses OpenSSH for both server and client functionality.

For more manual-level information, refer to the NixOS Manual: Chapter - Secure Shell Access.

Security information: Changing SSH configuration settings can significantly impact the security of your system(s). It is crucial to have a solid understanding of what you are doing before making any adjustments.

Avoid blindly copying and pasting examples, including those from this Wiki page, without conducting a thorough analysis. Failure to do so may compromise the security of your system(s) and lead to potential vulnerabilities. Take the time to comprehend the implications of your actions and ensure that any changes made are done thoughtfully and with care.

Server

Setup

To enable an SSH service, add the following to your system configuration:

/etc/nixos/configuration.nix:
  services.openssh = {
    enable = true;
    openFirewall = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
      AllowUsers = [ "myUser" ];
      MaxAuthTries = 3;
      PerSourcePenalties = "crash:3600s authfail:3600s max:86400s";
    };
  };

The example disables password and keyboard-interactive authentication, so only the user defined in settings.AllowUsers can log in, and only by public key authentication. By default, the server listens on port 22. For further security, the default listening port should be changed using the ports option.

For more SSH server configuration options, refer to the services.openssh module options.
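A declared setting is only useful if the running daemon applies it. The following is an added example, not part of the wiki page or of NixOS, that checks the effective configuration printed by `sshd -T` (which prints lowercase "key value" lines) against the hardening values declared above; the two sample outputs are constructed, not captured from a real host.

```shell
#!/bin/sh
# Reads `sshd -T` output on stdin and reports any hardening setting that is
# not in effect. Run as root on the server:  sshd -T | check_sshd_hardening
# Returns 0 when every expected value matches, 1 otherwise.
check_sshd_hardening() {
    cfg=$(cat)    # effective configuration, one "key value" per line
    rc=0
    for want in "passwordauthentication no" \
                "kbdinteractiveauthentication no" \
                "permitrootlogin no" \
                "maxauthtries 3"; do
        key=${want%% *}
        # first value printed for this key (sshd -T lowercases the key)
        got=$(printf '%s\n' "$cfg" | awk -v k="$key" 'tolower($1)==k {print $2; exit}')
        if [ "$got" != "${want#* }" ]; then
            echo "WEAK: $key is '${got:-unset}', expected '${want#* }'" >&2
            rc=1
        fi
    done
    # Without AllowUsers every local account may attempt to log in.
    if ! printf '%s\n' "$cfg" | grep -qi '^allowusers '; then
        echo "WEAK: allowusers is not restricted" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample of `sshd -T` output for a server configured as above.
HARDENED_SAMPLE='port 22
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
allowusers myUser
maxauthtries 3
persourcepenalties crash:3600s authfail:3600s max:86400s'

# Constructed sample resembling stock defaults: passwords allowed, no user restriction.
DEFAULT_SAMPLE='port 22
passwordauthentication yes
kbdinteractiveauthentication yes
permitrootlogin prohibit-password
maxauthtries 6'

# Stand-alone demo on the hardened sample (exit status 0).
printf '%s\n' "$HARDENED_SAMPLE" | check_sshd_hardening && echo "hardening settings in effect"
```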

Client

Configuration

The OpenSSH client is available by default on NixOS and can be configured using the programs.ssh module options.

/etc/nixos/configuration.nix:
  programs.ssh = {
    extraConfig = "
      Host myhost
        Hostname 192.168.1.123
        Port 22
        User user
    ";
  };

This allows you to connect using:

$ ssh myhost

Note: Since this is a system-wide configuration, you cannot specify a user-specific identity file here due to file permission constraints.

For per-user SSH configuration, consider using Home Manager with the programs.ssh options, which allow for more flexible, user-level SSH client settings.

Alternatively, you can manually manage SSH client configuration by placing entries in the user-specific ~/.ssh/config file.