diff --git a/source/_posts/caddy-nixos-part-2.md b/source/_posts/caddy-nixos-part-2.md
index 5d4e5c9..8539020 100644
--- a/source/_posts/caddy-nixos-part-2.md
+++ b/source/_posts/caddy-nixos-part-2.md
@@ -2,7 +2,7 @@ title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
 excerpt: "Part 2: Securing NixOS"
 date: 2020-03-04
-updated: 2022-12-03
+updated: 2024-07-25
 tags:
 - server
 - linux
@@ -163,7 +163,7 @@ $ google-authenticator
 ```
 1. Yes to time-based
-2. Import the generated QR code or secret key to OTP app (recommends Aegis for Android)
+2. Import the generated QR code or secret key to an OTP app or password manager.
 3. Enter OTP
 4. Backup scratch codes
 5. Yes to saving the key to ~/.google_authenticator
@@ -171,13 +171,34 @@ $ google-authenticator
 7. No to increasing window
 8. Yes to rate-limiting login attempts
-Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP when login and sudo, in addition to password.
+Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP as the second-factor authentication when login and ssh. There is no security benefit of enabling it on sudo because the secret key is stored in the home folder (`$HOME/.google_authenticator`) that the user can write to.
 ```nix
- ## Requires OTP to login & sudo
- security.pam = {
- services.login.googleAuthenticator.enable = true;
- services.sudo.googleAuthenticator.enable = true;
+ services.openssh = {
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = true;
+ # https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2244953944
+ AuthenticationMethods = "publickey,keyboard-interactive:pam";
+ };
+ };
+ ## Requires OTP to login & ssh
+ security.pam.services = {
+ login.googleAuthenticator.enable = true;
+ # https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2065409087
+ sshd.text = ''
+ account required pam_unix.so # unix (order 10900)
+ auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
+ auth sufficient pam_permit.so
+ session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
+ session required pam_unix.so # unix (order 10200)
+ session required pam_loginuid.so # loginuid (order 10300)
+ session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
+ '';
 };
 ```
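Review bot: The `nullok` on the `auth required … pam_google_authenticator.so` line inside `sshd.text` makes the second factor fail open: for any account with no `~/.google_authenticator` (never enrolled, or deleted by whoever already holds that user's key or a shell as that user) the module is skipped and the following `auth sufficient pam_permit.so` accepts the keyboard-interactive step with nothing beyond the public key, so the "OTP required for ssh" guarantee the paragraph states only holds for users who have enrolled. Given the paragraph itself points out that the secret lives in a user-writable home directory, fail-closed is the safer default here: drop `nullok` once every SSH user has enrolled, so the line reads `auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp`, or if it has to stay during rollout, say so above it with `# nullok: users without ~/.google_authenticator skip the OTP prompt — remove once everyone is enrolled`. Note that because this stack carries no `pam_unix.so` auth entry and `PasswordAuthentication` is off, removing `nullok` locks an unenrolled user out of SSH entirely rather than falling back to a password, so enrolment must precede the switch. The snippet reads as an excerpt of a larger NixOS configuration whose enclosing attribute set is outside the hunk.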