Add SSH hardening #23

Open
dr460nf1r3 opened this issue Aug 8, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@dr460nf1r3

An exemplary config you can probably just copy can be found here: https://github.com/dr460nf1r3/dr460nixed/blob/main/nixos/modules/hardening.nix#L126

This applies all suggestions from ssh-audit, as seen below:

❯ nix run nixpkgs#ssh-audit localhost
# general
(gen) banner: SSH-2.0-OpenSSH_9.8
(gen) software: OpenSSH 9.8
(gen) compatibility: OpenSSH 8.5+, Dropbear SSH 2020.79+
(gen) compression: enabled (zlib@openssh.com)

# key exchange algorithms
(kex) curve25519-sha256                   -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
                                          `- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org        -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
                                          `- [info] default key exchange from OpenSSH 6.5 to 7.3
(kex) diffie-hellman-group16-sha512       -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512       -- [info] available since OpenSSH 7.3
(kex) sntrup761x25519-sha512@openssh.com  -- [info] available since OpenSSH 8.5
                                          `- [info] default key exchange since OpenSSH 9.0
(kex) ext-info-s                          -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(kex) kex-strict-s-v00@openssh.com        -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)

# host-key algorithms
(key) rsa-sha2-512 (4096-bit)             -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (4096-bit)             -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
(key) ssh-ed25519                         -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79

# encryption algorithms (ciphers)
(enc) aes256-gcm@openssh.com              -- [info] available since OpenSSH 6.2
(enc) aes256-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr                          -- [info] available since OpenSSH 3.7
(enc) aes128-ctr                          -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com              -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) hmac-sha2-512-etm@openssh.com       -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com       -- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com            -- [info] available since OpenSSH 6.2

# fingerprints
(fin) ssh-ed25519: SHA256:vmTnuUvJMm6tIoBBAfoREgjvZpBGZehcDU35qbe6C3M
(fin) ssh-rsa: SHA256:WO4Hwfvr+JSrcz5QE6chKb4XXFgPG+NrvSD/OUBu/cQ

# algorithm recommendations (for OpenSSH 9.8)
(rec) +diffie-hellman-group-exchange-sha256 -- kex algorithm to append
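For reference, the following NixOS fragment is an added example (it is not the issue author's linked hardening.nix and not code from this repository) that pins sshd to exactly the algorithm set the audit above reports and appends the one algorithm ssh-audit recommends. It assumes the `services.openssh.settings` typed options (`KexAlgorithms`, `Ciphers`, `Macs`, which take lists and are joined with commas) plus freeform pass-through for `HostKeyAlgorithms`, and the `services.openssh.moduliFile` option. The moduli filtering is an assumption about how to satisfy the recommendation cleanly: once `diffie-hellman-group-exchange-sha256` is offered, ssh-audit also inspects the group-exchange moduli, so the example drops every group below 3072 bits (field 5 of the moduli file is the prime size minus one, hence `>= 3071`).

```nix
# Added example, not part of the issue or the project's module. Assumes the
# NixOS services.openssh.settings options and services.openssh.moduliFile.
{ config, lib, pkgs, ... }:

{
  services.openssh = {
    enable = true;

    settings = {
      # Key exchange in the order the audit shows, plus the algorithm ssh-audit
      # asked to append. Order is the server's preference list.
      KexAlgorithms = [
        "curve25519-sha256"
        "curve25519-sha256@libssh.org"
        "diffie-hellman-group16-sha512"
        "diffie-hellman-group18-sha512"
        "sntrup761x25519-sha512@openssh.com"
        "diffie-hellman-group-exchange-sha256"
      ];

      # AES-GCM and AES-CTR only: no CBC modes, no 3DES, no arcfour.
      Ciphers = [
        "aes256-gcm@openssh.com"
        "aes256-ctr"
        "aes192-ctr"
        "aes128-ctr"
        "aes128-gcm@openssh.com"
      ];

      # Encrypt-then-MAC variants only; the plain encrypt-and-MAC forms
      # (hmac-sha2-256, hmac-sha2-512, umac-128) are what ssh-audit warns about.
      Macs = [
        "hmac-sha2-512-etm@openssh.com"
        "hmac-sha2-256-etm@openssh.com"
        "umac-128-etm@openssh.com"
      ];

      # Freeform keys are written to sshd_config verbatim.
      HostKeyAlgorithms = "ssh-ed25519,rsa-sha2-512,rsa-sha2-256";

      # Unrelated to the algorithm audit but part of any sane SSH hardening.
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "no";
    };

    # diffie-hellman-group-exchange-sha256 picks a group from the moduli file.
    # Keep only groups of 3072 bits or more so the newly enabled kex does not
    # trade one (rec) line for a small-modulus warning. Assumption: filtering
    # the stock OpenSSH moduli with awk is sufficient for this purpose.
    moduliFile = pkgs.runCommand "moduli-3072" { } ''
      ${pkgs.gawk}/bin/awk '$5 >= 3071' ${pkgs.openssh}/etc/ssh/moduli > $out
    '';
  };
}
```

After `nixos-rebuild switch`, rerun `nix run nixpkgs#ssh-audit localhost`; the recommendations section should then be empty, and the `(kex)` section should list `diffie-hellman-group-exchange-sha256` alongside the algorithms above. If you prefer to stay with the audited set exactly as posted and skip the moduli step, simply leave the last `KexAlgorithms` entry and `moduliFile` out.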
@cynicsketch cynicsketch added the enhancement New feature or request label Aug 8, 2024
@cynicsketch
Owner

Will be implemented eventually; note, however, that feature changes are on hold right now while I try to overhaul the module for maintainability purposes.

@dr460nf1r3
Author

dr460nf1r3 commented Aug 8, 2024

Yes, I noticed that one already. It's also why I didn't add a PR and instead opened an issue 😄
