From 82655a38a7231c0bcad598caf06526538abd569e Mon Sep 17 00:00:00 2001
From: Tim Schubert <dadada@dadada.li>
Date: Mon, 1 Jul 2024 13:26:45 +0200
Subject: [PATCH] fix: mitigation for CVE-2024-6387

---
 nixos/modules/profiles/base.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nixos/modules/profiles/base.nix b/nixos/modules/profiles/base.nix
index 56e17cd..eaf55e5 100644
--- a/nixos/modules/profiles/base.nix
+++ b/nixos/modules/profiles/base.nix
@@ -49,5 +49,10 @@ in
   };
 
   programs.zsh.enable = mkDefault true;
+
+  # Mitigation for CVE-2024-6387
+  # Might be vulnerable to DOS, but better than RCE ...
+  # https://github.com/NixOS/nixpkgs/pull/323753#issuecomment-2199762128
+  services.openssh.settings.LoginGraceTime = 0;
 }