msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-17 20:48:58 +02:00
parent 458dcfdb98
commit 559f36d906
29 changed files with 443 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
func/cdi_4400_hardening/4420_installation_ssh.sh
View File

@@ -36,7 +36,7 @@ installation_ssh() {
declare -i i=0
declare var_auth="" var_name="" var_ca=""
do_in_target "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
@@ -55,9 +55,9 @@ installation_ssh() {
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
@@ -91,20 +91,20 @@ installation_ssh() {
fi
### Preparing the test environment in chroot.
do_in_target "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
chroot_exec "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
### Syntax test (hard).
if ! do_in_target_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
if ! chroot_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
return "${ERR_CONF_VALIDATION}"
fi
### Effective configuration (soft, purely informative).
if ! do_in_target_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
if ! chroot_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
fi
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set the read-only #