diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml index 506d94c..660ca45 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_0.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1023 + counter: 1024 version: V8.13.128.2025.10.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml index 506d94c..660ca45 100644 --- a/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml +++ b/.gitea/trigger/t_generate_PRIVATE_trixie_1.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1023 + counter: 1024 version: V8.13.128.2025.10.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/.gitea/trigger/t_generate_PUBLIC.yaml b/.gitea/trigger/t_generate_PUBLIC.yaml index 10667de..8984167 100644 --- a/.gitea/trigger/t_generate_PUBLIC.yaml +++ b/.gitea/trigger/t_generate_PUBLIC.yaml @@ -10,6 +10,6 @@ # SPDX-Security-Contact: security@coresecret.eu build: - counter: 1023 + counter: 1024 version: V8.13.128.2025.10.10 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=yaml diff --git a/config/hooks/live/0040_ssh_config_setup.chroot b/config/hooks/live/0040_ssh_config_setup.chroot new file mode 100644 index 0000000..3c10a84 --- /dev/null +++ b/config/hooks/live/0040_ssh_config_setup.chroot 
@@ -0,0 +1,44 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+cat << EOF >> /etc/ssh/ssh_config.d/10-sshfp.conf
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.;
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+
+Host git.coresecret.dev
+ Port 42842
+ VerifyHostKeyDNS yes
+ StrictHostKeyChecking yes
+ GlobalKnownHostsFile /etc/ssh/ssh_known_hosts
+ UserKnownHostsFile /dev/null
+ HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+ CanonicalizeHostname no
+ UpdateHostKeys no
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
+EOF
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
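Review bot: The hook appends the client `Host` block into `/etc/ssh/ssh_config.d/` with `>>`, but nothing here creates that directory or seeds `/etc/ssh/ssh_known_hosts`, which with `UserKnownHostsFile /dev/null` and `StrictHostKeyChecking yes` is the only trust anchor left when the SSHFP lookup is not DNSSEC-validated; if openssh-client is not yet installed when hook 0040 runs the redirection fails under `set -e`, and if the global known-hosts file lacks the git.coresecret.dev key every non-validated connection is rejected. `VerifyHostKeyDNS yes` only bypasses the known_hosts check when the resolver returns the AD bit, which on current glibc presumably needs a local validating resolver plus `options trust-ad` in resolv.conf, so a comment in the hook stating that the pin rests on DNSSEC or on a pre-seeded `/etc/ssh/ssh_known_hosts` would save operators a debugging session. I would also match 0810_chrony_setup.chroot: `install -d -m 0755 /etc/ssh/ssh_config.d` before the heredoc, `cat << 'EOF' >| /etc/ssh/ssh_config.d/10-sshfp.conf` so a re-run does not duplicate the block and no `$` can ever expand into the config, and `chmod 0644 /etc/ssh/ssh_config.d/10-sshfp.conf` after `EOF` so the mode does not depend on the build umask.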
diff --git a/config/hooks/live/0810_chrony_setup.chroot b/config/hooks/live/0810_chrony_setup.chroot index 33a7d43..ba36fa5 100644 --- a/config/hooks/live/0810_chrony_setup.chroot +++ b/config/hooks/live/0810_chrony_setup.chroot @@ -1,6 +1,6 @@ #!/bin/bash # SPDX-Version: 3.0 -# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.; +# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; @@ -14,14 +14,27 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" mkdir -p /var/log/chrony -# See https://coresecret.eu/tutorials/debian-package-glossary/ for a brief description of the installed packages. + +export DEBIAN_FRONTEND="noninteractive" apt-get install chrony -y + systemctl enable chrony.service mv /etc/chrony/chrony.conf /root/.ciss/dlb/backup/chrony.conf.bak -chmod 644 /root/.ciss/dlb/backup/chrony.conf.bak +chmod 0644 /root/.ciss/dlb/backup/chrony.conf.bak + +cat << EOF >| /etc/chrony/chrony.conf +# SPDX-Version: 3.0 +# SPDX-CreationInfo: 2025-10-10; WEIDNER, Marc S.; +# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git +# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency +# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; +# SPDX-FileType: SOURCE +# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0 +# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. +# SPDX-PackageName: CISS.debian.live.builder +# SPDX-Security-Contact: security@coresecret.eu -cat << 'EOF' >| /etc/chrony/chrony.conf # Include configuration files found in /etc/chrony/conf.d. confdir /etc/chrony/conf.d driftfile /var/lib/chrony/chrony.drift 
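Review bot: The heredoc delimiter changed from `'EOF'` to `EOF` at `cat << EOF >| /etc/chrony/chrony.conf`, so the whole chrony.conf body is now subject to parameter and command substitution at build time; nothing visible in this hunk contains a `$` or backtick, so it is harmless today, but a later directive containing one would silently expand, or abort the build under `set -u`. Restore the quoted form, `cat << 'EOF' >| /etc/chrony/chrony.conf`, unless expansion is actually intended, in which case a one-line comment saying so would stop the next reviewer from reverting it. The heredoc and the enclosing script continue past the end of this hunk.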
@@ -35,16 +48,14 @@ log tracking measurements statistics authselectmode require -server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9 -server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9 -server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9 -server ptbtime4.ptb.de iburst nts minpoll 5 maxpoll 9 -server sth1.ntp.se iburst nts minpoll 5 maxpoll 9 -server ntp0.fau.de iburst nts minpoll 5 maxpoll 9 -server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9 -# server ntp.ripe.net iburst nts minpoll 5 maxpoll 9 -# server ntp2.tecnico.ulisboa.pt iburst nts minpoll 5 maxpoll 9 -# server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9 +server ntp.ripe.net iburst nts minpoll 5 maxpoll 9 +server ptbtime3.ptb.de iburst nts minpoll 5 maxpoll 9 +server ptbtime2.ptb.de iburst nts minpoll 5 maxpoll 9 +server ptbtime1.ptb.de iburst nts minpoll 5 maxpoll 9 +server ntp13.metas.ch iburst nts minpoll 5 maxpoll 9 +server time-c-b.nist.gov iburst nts minpoll 5 maxpoll 9 +server sth1.ntp.se iburst nts minpoll 5 maxpoll 9 +server ntp0.fau.de iburst nts minpoll 5 maxpoll 9 leapsectz right/UTC @@ -57,10 +68,9 @@ rtcsync makestep 1 3 EOF -chmod 644 /etc/chrony/chrony.conf +chmod 0644 /etc/chrony/chrony.conf printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" -# sleep 1 exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh diff --git a/config/includes.chroot/etc/ssh/sshd_config b/config/includes.chroot/etc/ssh/sshd_config index 1a981a7..27fd7f7 100644 --- a/config/includes.chroot/etc/ssh/sshd_config +++ b/config/includes.chroot/etc/ssh/sshd_config 
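Review bot: With `authselectmode require` every `server ... nts` line must complete NTS-KE (TCP 4460, TLS validated against the image's CA store) or it is silently left unused, so reactivating `ntp.ripe.net` and `time-c-b.nist.gov` and dropping `ptbtime4.ptb.de` should be checked in build QA with `chronyc -N authdata` and `chronyc sources` rather than assumed; whether both reactivated hosts actually offer NTS is not something this diff establishes. Two caveats deserve a comment above the server list: certificate validation needs `ca-certificates` in the image, which installing chrony alone may not guarantee, and a roughly correct clock, so a live system booting with a dead RTC may never reach its first sync unless the trade-off of `nocerttimecheck 1` or a persisted `ntsdumpdir` is accepted. The conf heredoc begins in the previous hunk and its `EOF` lies in the next one.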
@@ -131,14 +131,4 @@ HostbasedAuthentication no # PermitUserEnvironment no # IgnoreUserKnownHosts no -Host git.coresecret.dev - Port 42842 - VerifyHostKeyDNS yes - StrictHostKeyChecking yes - GlobalKnownHostsFile /etc/ssh/ssh_known_hosts - UserKnownHostsFile /dev/null - HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256 - CanonicalizeHostname no - UpdateHostKeys no - # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 323e37a..f2520c9 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -12,6 +12,12 @@ include_toc: true # 2. Changelog +## V8.13.128.2025.10.10 + +* **Added**: [0040_ssh_config_setup.chroot](../config/hooks/live/0040_ssh_config_setup.chroot) +* **Updated**: [0810_chrony_setup.chroot](../config/hooks/live/0810_chrony_setup.chroot) +* **Updated**: [sshd_config](../config/includes.chroot/etc/ssh/sshd_config) + ## V8.13.096.2025.10.09 * **Added**: [0010_install_apparmor.chroot](../config/hooks/live/0010_install_apparmor.chroot) * **Added**: [10-sshfp.conf](../.archive/10-sshfp.conf)