openssh: support prohibit-password for permitRootLogin
See 1dc8d93ce6
I also made it the default.
parent
98a8146428
commit
6891bb1c59
@ -102,8 +102,8 @@ in
|
||||
};
|
||||
|
||||
permitRootLogin = mkOption {
|
||||
default = "without-password";
|
||||
type = types.enum ["yes" "without-password" "forced-commands-only" "no"];
|
||||
default = "prohibit-password";
|
||||
type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
|
||||
description = ''
|
||||
Whether the root user can login using ssh.
|
||||
'';
|
||||
|
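Review bot: The description of `permitRootLogin` still reads only "Whether the root user can login using ssh." and explains none of the five values the enum now accepts, which matters more now that the default is spelled differently. I would document that `prohibit-password` refuses password and keyboard-interactive authentication for root while leaving other methods such as public keys available, and that `without-password` is the older alias sshd treats the same way. A possible sentence is `"prohibit-password" (alias "without-password") disables password and keyboard-interactive authentication for root.` The closing brace of the `mkOption` block is outside this hunk.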
@ -138,7 +138,7 @@ let cfg = config.ec2; in
|
||||
# Allow root logins only using the SSH key that the user specified
|
||||
# at instance creation time.
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "without-password";
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
|
||||
# Force getting the hostname from EC2.
|
||||
networking.hostName = mkDefault "";
|
||||
|
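Review bot: The comment above this setting promises root logins "only using the SSH key", but `permitRootLogin = "prohibit-password"` only turns off password and keyboard-interactive authentication for root. Any other authentication method sshd has enabled still works for root, and password logins for non-root accounts are untouched. The hunk at -111 (Google Compute) also sets `services.openssh.passwordAuthentication = mkDefault false;`, while this hunk and the ones at -24 and -103 show no such line. If it is not set elsewhere in those modules, adding the same `mkDefault false` line would bring the images closer to what the comment says. The surrounding attribute set starts and ends outside the hunk.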
@ -24,7 +24,7 @@ with lib;
|
||||
# Allow root logins only using the SSH key that the user specified
|
||||
# at instance creation time, ping client connections to avoid timeouts
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "without-password";
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
services.openssh.extraConfig = ''
|
||||
ClientAliveInterval 180
|
||||
'';
|
||||
|
@ -103,7 +103,7 @@ in
|
||||
# Allow root logins only using the SSH key that the user specified
|
||||
# at instance creation time.
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "without-password";
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
|
||||
# Force getting the hostname from Google Compute.
|
||||
networking.hostName = mkDefault "";
|
||||
|
@ -111,7 +111,7 @@ in
|
||||
# Allow root logins only using the SSH key that the user specified
|
||||
# at instance creation time.
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "without-password";
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
services.openssh.passwordAuthentication = mkDefault false;
|
||||
|
||||
# Force getting the hostname from Google Compute.
|
||||
|
@ -31,7 +31,7 @@ with lib;
|
||||
|
||||
# Allow root logins
|
||||
services.openssh.enable = true;
|
||||
services.openssh.permitRootLogin = "without-password";
|
||||
services.openssh.permitRootLogin = "prohibit-password";
|
||||
|
||||
# Put /tmp and /var on /ephemeral0, which has a lot more space.
|
||||
# Unfortunately we can't do this with the `fileSystems' option
|
||||
|
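Review bot: The comment `# Allow root logins` reads as if root access were unrestricted, while the value set on the new line refuses password and keyboard-interactive authentication for root. A more precise comment would be `# Allow root logins, but never with a password.` The enclosing module body starts and ends outside the hunk.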