From 763447ec6ec40148b858c49a29e2a1c1cf3591b5 Mon Sep 17 00:00:00 2001
From: Zzy Wysm
Date: Thu, 12 Oct 2023 15:27:32 -0400
Subject: [PATCH] openssh: enable more hardening options

openssh only enables position-independent executables at the moment. Given its privileged access and attack surface, it should have more binary hardening options enabled.
---
 pkgs/tools/networking/openssh/common.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix
index 7d01deb36020c..812022704ac1d 100644
--- a/pkgs/tools/networking/openssh/common.nix
+++ b/pkgs/tools/networking/openssh/common.nix
@@ -95,7 +95,7 @@ stdenv.mkDerivation {
 enableParallelBuilding = true;
- hardeningEnable = [ "pie" ];
+ hardeningEnable = [ "fortify" "stackprotector" "pie" "relro" "bindnow" ];
 doCheck = true;
 enableParallelChecking = false;
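Review bot: Of the five flags in the new `hardeningEnable` list, only `"pie"` changes the build on a default Linux stdenv: `fortify`, `stackprotector`, `relro` and `bindnow` are already part of nixpkgs' default hardening set, so listing them only matters if a stdenv variant or a `hardeningDisable` elsewhere has turned them off. The commit message's statement that openssh "only enables position-independent executables" therefore overstates what the old line meant, and a reader of the new line may assume the extras were previously absent. Either trim the list back to `hardeningEnable = [ "pie" ];` or keep it and add a comment stating the intent, such as `# "pie" is not a stdenv default; the others are listed so they stay on under a stdenv that drops them.` Confirming the flags actually passed to the compiler (for example with a `NIX_DEBUG` build) would make the intended effect verifiable rather than assumed. The `stdenv.mkDerivation` attribute set begins and ends outside the hunk.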