msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bb4b256e72177bd90a2064d9de2a299f6f5b7f1e7dc82db9be465ad0e4c19fdf
CISS.debian.installer/func/4180_setup_ssh.sh
Marc S. Weidner 6a67646fb6 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-07-17 13:42:37 +02:00

98 lines
4.2 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Setup ssh server.
# Globals:
# DIR_BAK
# DIR_LOG
# TARGET
# VAR_FINAL_FQDN
# VAR_FINAL_IPV4
# VAR_FINAL_IPV6
# VAR_SETUP_PATH
# user_ssh_port
# user_user0_name
# Arguments:
# None
# Returns:
# 0: on success
#######################################
setup_ssh() {
do_in_target "${TARGET}" apt-get install -y ssh
declare -a ary_user=()
ary_user+=("${user_user0_name}")
[[ -v "${user_user1_name}" ]] && ary_user+=("${user_user1_name}")
[[ -v "${user_user2_name}" ]] && ary_user+=("${user_user2_name}")
[[ -v "${user_user3_name}" ]] && ary_user+=("${user_user3_name}")
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated ed25519 SSH Key, executed in: '${TARGET}'."
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
do_log "info" "true" "Generated RSA4096 SSH Key, executed in: '${TARGET}'."
mkdir -p "${DIR_BAK}/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${DIR_BAK}/etc/ssh/sshd_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/sshd_config.bak"
cp "${TARGET}/etc/ssh/ssh_config" "${DIR_BAK}/etc/ssh/ssh_config.bak"
chmod 0644 "${DIR_BAK}/etc/ssh/ssh_config.bak"
rm -f "${TARGET}/etc/ssh/sshd_config"
cp "${VAR_SETUP_PATH}/includes/etc/ssh/sshd_config" "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/sshd_config"
chmod 0600 "${TARGET}/etc/ssh/ssh_config"
sed -i "s/ListenAddress 0.0.0.0/ListenAddress ${VAR_FINAL_IPV4}/" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${VAR_FINAL_IPV6}" ]]; then
sed -i "s/ListenAddress ::/ListenAddress ${VAR_FINAL_IPV6}/" "${TARGET}/etc/ssh/sshd_config"
else
sed -i "/^\s*ListenAddress\s*::/d" "${TARGET}/etc/ssh/sshd_config"
fi
sed -i "s/Port MUST_BE_CHANGED/Port ${user_ssh_port}/" "${TARGET}/etc/ssh/sshd_config"
if [[ -n "${user_user0_name}" ]]; then
sed -i "s/AllowUsers root/AllowUsers root ${ary_user[*]}/" "${TARGET}/etc/ssh/sshd_config"
fi
if [[ -n "${user_ssh_rootca}" ]]; then
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}${user_ssh_rootca}" "${TARGET}/etc/ssh/"
sed -i "s/TrustedUserCAKeys none/TrustedUserCAKeys \/etc\/ssh\/${user_ssh_rootca}/" "${TARGET}/etc/ssh/sshd_config"
fi
do_in_target_script "${TARGET}" "sshd -T >| ${DIR_LOG}/sshd_config.log"
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| ${DIR_LOG}/ssh.log"
###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set two read-only #
# environment variables: TMOUT and HISTFILE. #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed. #
# The chmod +x command ensures that the file is executed in every shell session. #
###########################################################################################
echo "readonly TMOUT=14400" >| "${TARGET}/etc/profile.d/idle-users.sh"
#echo "readonly HISTFILE" >> "${TARGET}/etc/profile.d/idle-users.sh"
chmod +x "${TARGET}/etc/profile.d/idle-users.sh"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink