V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m47s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -1,100 +0,0 @@
|
||||
#!/bin/bash
|
||||
# SPDX-Version: 3.0
|
||||
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
||||
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
|
||||
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
|
||||
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
|
||||
# SPDX-FileType: SOURCE
|
||||
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
|
||||
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
|
||||
# SPDX-PackageName: CISS.2025.hardened.installer
|
||||
# SPDX-Security-Contact: security@coresecret.eu
|
||||
|
||||
###########################################################################################
|
||||
# 3.8.2. Functions - installation - setup ssh #
|
||||
###########################################################################################
|
||||
|
||||
###########################################################################################
|
||||
# Setup ssh server
|
||||
# Globals:
|
||||
# DIR_BAK
|
||||
# DIR_LOG
|
||||
# FINAL_FQDN
|
||||
# FINAL_IPV4_ADDRESS
|
||||
# FINAL_IPV6_ADDRESS
|
||||
# MODULE_ERR
|
||||
# MODULE_TXT
|
||||
# PATH_ABS
|
||||
# TARGET
|
||||
# accounts_ssh
|
||||
# accounts_user_login
|
||||
# accounts_user_name
|
||||
# Arguments:
|
||||
# None
|
||||
###########################################################################################
|
||||
3_8_2_functions_installation_setup_ssh() {
|
||||
declare -g -x MODULE_ERR="3_8_2_functions_installation_setup_ssh"
|
||||
declare -g -x MODULE_TXT="Setup ssh"
|
||||
do_show_header "${MODULE_TXT}"
|
||||
|
||||
do_in_target "${TARGET}" apt-get install -y ssh
|
||||
do_log "info" "false" "Command: 'apt-get install -y ssh' executed in: '${TARGET}'."
|
||||
|
||||
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
|
||||
|
||||
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${FINAL_FQDN}-$(date -I)"
|
||||
do_log "info" "false" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
|
||||
|
||||
do_in_target "${TARGET}" ssh-keygen -o -a "${accounts_ssh-keyrounds}" -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${FINAL_FQDN}-$(date -I)"
|
||||
do_log "info" "false" "Generated RSA4096 SSH Key, executed in chroot."
|
||||
|
||||
declare TIMESTAMP
|
||||
TIMESTAMP=$(do_get_timestamp)
|
||||
|
||||
echo "${TIMESTAMP}" >> "${DIR_LOG}"sshd_config.log && sshd -T >> "${DIR_LOG}"sshd_config.log
|
||||
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log && ssh-keygen -r @ >> "${DIR_LOG}"ssh.log
|
||||
|
||||
cp -u "${TARGET}"/etc/ssh/sshd_config "${DIR_BAK}"sshd_config.bak
|
||||
chmod 0644 "${DIR_BAK}"sshd_config.bak
|
||||
cp -u "${TARGET}"/etc/ssh/ssh_config "${DIR_BAK}"ssh_config.bak
|
||||
chmod 0644 "${DIR_BAK}"ssh_config.bak
|
||||
|
||||
rm "${TARGET}"/etc/ssh/sshd_config
|
||||
|
||||
cp "${PATH_ABS}"/.assets/sshd_config "${TARGET}"/etc/ssh/sshd_config
|
||||
|
||||
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${FINAL_IPV4_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
|
||||
|
||||
if [[ -n ${FINAL_IPV6_ADDRESS} ]]; then
|
||||
sed -i "s/ListenAddress ::/ListenAddress ${FINAL_IPV6_ADDRESS}/" "${TARGET}"/etc/ssh/sshd_config
|
||||
else
|
||||
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}"/etc/ssh/sshd_config
|
||||
fi
|
||||
|
||||
sed -i "s/Port 22/Port ${accounts_ssh-port}/" "${TARGET}"/etc/ssh/sshd_config
|
||||
|
||||
if [[ ${accounts_user_login,,} == "true" ]]; then
|
||||
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root ${accounts_user_name}/" "${TARGET}"/etc/ssh/sshd_config
|
||||
else
|
||||
sed -i "s/AllowUsers DUMMYSTRING/AllowUsers root/" "${TARGET}"/etc/ssh/sshd_config
|
||||
fi
|
||||
|
||||
chmod 0600 "${TARGET}"/etc/ssh/sshd_config "${TARGET}"/etc/ssh/ssh_config
|
||||
TIMESTAMP=$(do_get_timestamp)
|
||||
echo "${TIMESTAMP}" >> "${DIR_LOG}"ssh.log
|
||||
do_in_target "${TARGET}" /bin/bash -c "sshd -T >> ${DIR_LOG}ssh.log"
|
||||
|
||||
###########################################################################################
|
||||
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only #
|
||||
# environment variables: TMOUT and HISTFILE. #
|
||||
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
|
||||
# readonly HISTFILE ensures that the command history cannot be changed. #
|
||||
# The chmod +x command ensures that the file is executed in every shell session. #
|
||||
###########################################################################################
|
||||
echo "readonly TMOUT=14400" >> "${TARGET}"/etc/profile.d/idle-users.sh
|
||||
echo "readonly HISTFILE" >> "${TARGET}"/etc/profile.d/idle-users.sh
|
||||
chmod +x "${TARGET}"/etc/profile.d/idle-users.sh
|
||||
|
||||
do_show_footer "${MODULE_TXT}"
|
||||
}
|
||||
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
|
||||
Reference in New Issue
Block a user