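#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.2. Functions - installation - setup ssh                                             #
###########################################################################################

###########################################################################################
# Setup ssh server inside the target chroot.                                              #
#                                                                                         #
# Installs the ssh package, discards the host keys created by the package and generates  #
# fresh ed25519/RSA-4096 keys, backs up the distribution's ssh_config/sshd_config,        #
# installs the framework's sshd_config template filled with the final listen addresses,   #
# port and AllowUsers list, and adds an idle-logout snippet under /etc/profile.d.         #
# Globals:                                                                                #
#   DIR_BAK              (read)    backup directory, trailing slash included              #
#   DIR_LOG              (read)    log directory, trailing slash included                 #
#   FINAL_FQDN           (read)    used in the host key comments                          #
#   FINAL_IPV4_ADDRESS   (read)    replaces "ListenAddress 0.0.0.0" in the template       #
#   FINAL_IPV6_ADDRESS   (read)    may be empty; the IPv6 ListenAddress line is then      #
#                                  removed instead of substituted                         #
#   MODULE_ERR           (written)                                                        #
#   MODULE_TXT           (written)                                                        #
#   PATH_ABS             (read)    framework root holding .assets/sshd_config             #
#   TARGET               (read)    chroot mount point; must be non-empty                  #
#   accounts_ssh         (read)                                                           #
#   accounts_user_login  (read)    "true" (any case) adds accounts_user_name to AllowUsers#
#   accounts_user_name   (read)                                                           #
# Arguments:                                                                              #
#   None                                                                                  #
# Outputs:                                                                                #
#   Appends to ${DIR_LOG}sshd_config.log and ${DIR_LOG}ssh.log; writes *.bak to ${DIR_BAK}#
# Returns:                                                                                #
#   Exit status of the last command (do_show_footer); aborts early if TARGET is unset.    #
###########################################################################################
3_8_2_functions_installation_setup_ssh() {
  declare -g -x MODULE_ERR="3_8_2_functions_installation_setup_ssh"
  declare -g -x MODULE_TXT="Setup ssh"
  do_show_header "${MODULE_TXT}"

  # Refuse to run with an empty TARGET: the `rm -rf` of the host keys below would
  # otherwise delete the installer host's own /etc/ssh/ssh_host_* keys.
  : "${TARGET:?TARGET must be set to the chroot mount point}"

  local sshd_cfg="${TARGET}/etc/ssh/sshd_config"
  local ssh_cfg="${TARGET}/etc/ssh/ssh_config"
  local profile_snippet="${TARGET}/etc/profile.d/idle-users.sh"
  local key_comment="root@${FINAL_FQDN}-$(date -I)"
  # NOTE(review): "${accounts_ssh-keyrounds}" is the shell's "value of accounts_ssh, or
  # the literal 'keyrounds' when unset" expansion, not a variable named
  # accounts_ssh-keyrounds (hyphens are not valid in bash names). The same applies to
  # "${accounts_ssh-port}". Both are kept verbatim here; confirm the intended variables,
  # since the literal fallbacks would make ssh-keygen fail and produce "Port port".
  local key_rounds="${accounts_ssh-keyrounds}"
  local ssh_port="${accounts_ssh-port}"

  do_in_target "${TARGET}" apt-get install -y ssh
  do_log "info" "false" "Command: 'apt-get install -y ssh' executed in: '${TARGET}'."

  # Drop the host keys the package postinst created and generate fresh ones inside the
  # chroot so every installed system ends up with unique keys. -o/-a: new-format private
  # keys with the configured number of KDF rounds; -N "": no passphrase (host keys).
  rm -rf "${TARGET:?}"/etc/ssh/ssh_host_*key*
  do_in_target "${TARGET}" ssh-keygen -o -a "${key_rounds}" -N "" -t ed25519 \
    -f /etc/ssh/ssh_host_ed25519_key -C "${key_comment}"
  do_log "info" "false" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
  do_in_target "${TARGET}" ssh-keygen -o -a "${key_rounds}" -N "" -t rsa -b 4096 \
    -f /etc/ssh/ssh_host_rsa_key -C "${key_comment}"
  do_log "info" "false" "Generated RSA4096 SSH Key, executed in chroot."

  # NOTE(review): these two calls are not wrapped in do_in_target, so they record the
  # *installer host's* effective sshd settings and SSHFP records, not the target's.
  # Presumably a "before" reference snapshot — confirm that is intended.
  local timestamp
  timestamp=$(do_get_timestamp)
  printf '%s\n' "${timestamp}" >> "${DIR_LOG}"sshd_config.log \
    && sshd -T >> "${DIR_LOG}"sshd_config.log
  printf '%s\n' "${timestamp}" >> "${DIR_LOG}"ssh.log \
    && ssh-keygen -r @ >> "${DIR_LOG}"ssh.log

  # Keep the distribution's configuration files for reference before replacing them.
  cp -u "${sshd_cfg}" "${DIR_BAK}"sshd_config.bak
  chmod 0644 "${DIR_BAK}"sshd_config.bak
  cp -u "${ssh_cfg}" "${DIR_BAK}"ssh_config.bak
  chmod 0644 "${DIR_BAK}"ssh_config.bak

  # Install the framework's template and fill in the deployment-specific values.
  # '|' is used as the sed delimiter so a '/' in an address (e.g. a CIDR suffix) cannot
  # break the expression; the dots are escaped so the template's 0.0.0.0 is matched
  # literally. An '&' or '|' in the substituted values would still need escaping.
  rm -- "${sshd_cfg}"
  cp "${PATH_ABS}"/.assets/sshd_config "${sshd_cfg}"
  sed -i "s|ListenAddress 0\.0\.0\.0|ListenAddress ${FINAL_IPV4_ADDRESS}|" "${sshd_cfg}"
  if [[ -n ${FINAL_IPV6_ADDRESS} ]]; then
    sed -i "s|ListenAddress ::|ListenAddress ${FINAL_IPV6_ADDRESS}|" "${sshd_cfg}"
  else
    # No IPv6 address available: remove the template's IPv6 listener entirely.
    sed -i "/^\s*ListenAddress\s*::/d" "${sshd_cfg}"
  fi
  sed -i "s|Port 22|Port ${ssh_port}|" "${sshd_cfg}"
  # AllowUsers always lists root; the additional login account is appended only when
  # enabled. Whether root can actually authenticate over SSH is presumably decided by
  # PermitRootLogin in the template — verify the template keeps that restricted.
  if [[ ${accounts_user_login,,} == "true" ]]; then
    sed -i "s|AllowUsers DUMMYSTRING|AllowUsers root ${accounts_user_name}|" "${sshd_cfg}"
  else
    sed -i "s|AllowUsers DUMMYSTRING|AllowUsers root|" "${sshd_cfg}"
  fi
  # NOTE(review): 0600 on the client-side ssh_config makes it unreadable for non-root
  # users (distributions typically ship it 0644); confirm that is intended.
  chmod 0600 "${sshd_cfg}" "${ssh_cfg}"

  # Effective configuration of the *target's* sshd, appended to the same log. The
  # redirection is evaluated inside do_in_target; if that chroots as its name suggests,
  # ${DIR_LOG} has to be reachable relative to ${TARGET} for the output to land there.
  # %q shell-quotes the path so a space in DIR_LOG cannot split the command.
  timestamp=$(do_get_timestamp)
  printf '%s\n' "${timestamp}" >> "${DIR_LOG}"ssh.log
  do_in_target "${TARGET}" /bin/bash -c "$(printf 'sshd -T >> %q' "${DIR_LOG}ssh.log")"

  ###########################################################################################
  # Remarks: /etc/profile.d/idle-users.sh sets two read-only variables for every login    #
  # shell that sources /etc/profile.d:                                                     #
  #   readonly TMOUT=14400  -> interactive shells are logged out after 4 hours idle        #
  #   readonly HISTFILE     -> users cannot redirect or disable their command history      #
  # The lines are appended as the original did; re-running this module duplicates them.   #
  # profile.d snippets are sourced rather than executed, so +x is not what makes them      #
  # take effect on Debian; the chmod is kept to match the original behaviour.              #
  ###########################################################################################
  printf '%s\n' "readonly TMOUT=14400" "readonly HISTFILE" >> "${profile_snippet}"
  chmod +x "${profile_snippet}"

  do_show_footer "${MODULE_TXT}"
}

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh: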