SSH
SSH (Secure Shell) is a protocol for securely accessing remote machines over an unsecured network. It is commonly used for remote administration, file transfers, and secure tunneling.
This page covers the setup and management of SSH on NixOS systems. NixOS primarily uses OpenSSH for both server and client functionality.
For more manual-level information, refer to the NixOS Manual: Chapter - Secure Shell Access.
Avoid blindly copying and pasting examples, including those from this Wiki page, without conducting a thorough analysis. Failure to do so may compromise the security of your system(s) and lead to potential vulnerabilities. Take the time to comprehend the implications of your actions and ensure that any changes made are done thoughtfully and with care.
OpenSSH Server
To enable an SSH server, add the following to your system configuration:
services.openssh = {
enable = true;
};
By default, the server listens on port 22 and allows password authentication. The ports defined in the openssh configuration are opened automatically in the firewall (services.openssh.openFirewall defaults to true).
For more SSH server configuration options, refer to the services.openssh module options.
Security hardening
To improve the security of your SSH server, it is recommended to apply the following measures:
- Disable password-based login
- Disable root login
- Restrict allowed users
- Change the default port
These options can be configured declaratively in your system configuration:
services.openssh = {
  enable = true;
  # Option name is lowercase "ports"; pick a port no other service on the host uses
  ports = [ 5432 ];
  settings = {
    PasswordAuthentication = false;
    # Also disable keyboard-interactive, which can otherwise still prompt for passwords
    KbdInteractiveAuthentication = false;
    PermitRootLogin = "no";
    AllowUsers = [ "myUser" ];
  };
};
In addition to these settings, consider enabling Fail2Ban as a recommended baseline for security.
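The Nix expression describes the intended configuration; what sshd actually enforces is shown by `sshd -T`. The following is an added example (not from the NixOS wiki) that checks that output against the hardened values above, using a constructed sample in place of a real host's output; the `check_sshd_config` function name, the port 5432 and the user `myUser` are assumptions taken from the placeholder values on this page.

```shell
#!/bin/sh
# Added example, not from the NixOS wiki: audit the sshd settings actually
# in effect after `nixos-rebuild switch` rather than trusting the Nix
# expression alone. `sshd -T` (run as root) prints every resolved setting
# as "lowercasekey value", one per line.
# Real-host usage:  check_sshd_config "$(sudo sshd -T)" "$EXPECTED"
# The sample further down is a constructed stand-in for that output.

# Hardened values recommended on this page, as sshd -T prints them
# (port 5432 and user myUser are the page's placeholder values).
EXPECTED='port 5432
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
allowusers myUser'

# check_sshd_config ACTUAL EXPECTED
#   ACTUAL    text of `sshd -T` output
#   EXPECTED  "key value" lines that must be present with that value
# Prints one line per deviation; returns 0 if all match, 1 otherwise.
check_sshd_config() {
    actual=$1
    expected=$2
    status=0
    # A heredoc (not a pipe) keeps the loop in the current shell, so
    # assignments to $status survive it.
    while IFS=' ' read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$actual" |
            awk -v k="$key" 'tolower($1) == k { sub(/^[^ ]+ */, ""); print; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (expected '$want')"
            status=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key: got '$got', expected '$want'"
            status=1
        fi
    done <<EOF
$expected
EOF
    return "$status"
}
# Constructed sample: password login was left on, everything else hardened.
SAMPLE_WEAK='port 5432
permitrootlogin no
passwordauthentication yes
kbdinteractiveauthentication no
allowusers myUser'
check_sshd_config "$SAMPLE_WEAK" "$EXPECTED" || echo "deviations found"
```

`sshd -T` resolves Match blocks against no connection unless `-C` is given, so settings applied only inside a Match block will not show up in this check.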
SSH client configuration
The OpenSSH client is available by default on NixOS and can be configured using the programs.ssh module options.
programs.ssh = {
  extraConfig = ''
    Host myhost
      Hostname 192.168.1.123
      Port 22
      User user
  '';
};
This allows you to connect using:
$ ssh myhost
For per-user SSH configuration, consider using Home Manager with the programs.ssh options, which allow for more flexible, user-level SSH client settings.
Alternatively, you can manually manage SSH client configuration by placing entries in the user-specific ~/.ssh/config file.
SSH public key authentication
For details on configuring public key authentication, managing SSH keys, and setting up SSH agents, see the dedicated page: SSH public key authentication.
Tips and tricks
Fail2Ban
- Main article: Fail2ban
Fail2Ban is a service that bans hosts that cause multiple authentication errors.
To enable Fail2Ban, add the following to your system configuration:
services.fail2ban.enable = true;
Endlessh
Endlessh is an SSH tarpit that slows down malicious or automated SSH connection attempts by indefinitely delaying connections.
To enable Endlessh, add the following to your system configuration:
services.endlessh = {
  enable = true;
  # Occupies the default SSH port; this assumes the real sshd has been moved to another port
  port = 22;
  openFirewall = true;
};
For additional configuration options, see the services.endlessh module documentation.