openssh: support prohibit-password for permitRootLogin

See 1dc8d93ce6

I also made it the default.
This commit is contained in:
Anmol Sethi 2016-10-01 13:23:56 -04:00
parent 98a8146428
commit 6891bb1c59
No known key found for this signature in database
GPG Key ID: 427400A70839B0ED
6 changed files with 7 additions and 7 deletions

View File

@ -102,8 +102,8 @@ in
};
permitRootLogin = mkOption {
default = "without-password";
type = types.enum ["yes" "without-password" "forced-commands-only" "no"];
default = "prohibit-password";
type = types.enum ["yes" "without-password" "prohibit-password" "forced-commands-only" "no"];
description = ''
Whether the root user can login using ssh.
'';

View File

@ -138,7 +138,7 @@ let cfg = config.ec2; in
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.permitRootLogin = "without-password";
services.openssh.permitRootLogin = "prohibit-password";
# Force getting the hostname from EC2.
networking.hostName = mkDefault "";

View File

@ -24,7 +24,7 @@ with lib;
# Allow root logins only using the SSH key that the user specified
# at instance creation time, ping client connections to avoid timeouts
services.openssh.enable = true;
services.openssh.permitRootLogin = "without-password";
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.extraConfig = ''
ClientAliveInterval 180
'';

View File

@ -103,7 +103,7 @@ in
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.permitRootLogin = "without-password";
services.openssh.permitRootLogin = "prohibit-password";
# Force getting the hostname from Google Compute.
networking.hostName = mkDefault "";

View File

@ -111,7 +111,7 @@ in
# Allow root logins only using the SSH key that the user specified
# at instance creation time.
services.openssh.enable = true;
services.openssh.permitRootLogin = "without-password";
services.openssh.permitRootLogin = "prohibit-password";
services.openssh.passwordAuthentication = mkDefault false;
# Force getting the hostname from Google Compute.

View File

@ -31,7 +31,7 @@ with lib;
# Allow root logins
services.openssh.enable = true;
services.openssh.permitRootLogin = "without-password";
services.openssh.permitRootLogin = "prohibit-password";
# Put /tmp and /var on /ephemeral0, which has a lot more space.
# Unfortunately we can't do this with the `fileSystems' option