From 9d5337012d97a7b941d491654bc31cbe8898e3d9 Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Sun, 8 Dec 2024 09:50:19 +0100
Subject: [PATCH] ssh: disable KbdInteractiveAuthentication by only allowing PubkeyAuthentication

---
 modules/ssh-server.nix | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/modules/ssh-server.nix b/modules/ssh-server.nix
index c53ecd0..91aec7d 100644
--- a/modules/ssh-server.nix
+++ b/modules/ssh-server.nix
@@ -18,10 +18,22 @@
 # Enabling this is required for commands such as sftp and sshfs.
 allowSFTP = false;
- settings = {
- # Use authorized keys only.
- PasswordAuthentication = false;
+ # Only authentication method should be public key.
+ #
+ # https://man.archlinux.org/man/core/openssh/sshd_config.5.en#AuthenticationMethods
+ # - We change the default of AuthenticationMethods from `any` to `publickey`.
+ # - Furthermore, we explicitly PubkeyAuthentication to its default value `yes`.
+ #
+ # https://nixos.wiki/wiki/SSH_public_key_authentication#SSH_server_config
+ # Alternatively we could use
+ # settings.PasswordAuthentication = false;
+ # settings.KbdInteractiveAuthentication = false;
+ extraConfig = ''
+ AuthenticationMethods publickey
+ PubkeyAuthentication yes
+ '';
+ settings = {
 #
 # https://infosec.mozilla.org/guidelines/openssh
 #
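Review bot: Dropping `PasswordAuthentication = false` from `settings` makes the publickey-only policy rest entirely on the single `AuthenticationMethods publickey` line in `extraConfig`, and despite the commit title nothing in the hunk sets `KbdInteractiveAuthentication` at all. sshd uses the first obtained value for each keyword and lets a later `Match` block override it for matched connections, so if `AuthenticationMethods` is also emitted earlier in the generated sshd_config (for example by another module through `settings`) or re-opened in a `Match` block, this line is silently ignored and password and keyboard-interactive logins fall back to their defaults, which I believe are enabled in the NixOS module. Keep the explicit options as a second layer rather than an "alternative": `PasswordAuthentication = false;` and `KbdInteractiveAuthentication = false;` inside `settings`, and reword the `# Alternatively we could use` comment to say these complement `AuthenticationMethods`. The comment line `# - Furthermore, we explicitly PubkeyAuthentication to its default value` is missing its verb and should read "we explicitly set PubkeyAuthentication". The `settings = {` attribute set and the enclosing module body continue past the end of the hunk.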