From 3c4aa967440ed0b32a69d1c60bfdb3a8806e69ff510fdf35f9ef99e329530d3b Mon Sep 17 00:00:00 2001 From: "Marc S. Weidner" Date: Mon, 10 Nov 2025 16:03:39 +0100 Subject: [PATCH] V8.13.404.2025.11.10 Signed-off-by: Marc S. Weidner --- config/hooks/live/0022_dropbear_setup.chroot | 11 ++++++++--- config/hooks/live/9930_hardening_ssh.chroot | 7 ++++++- lib/lib_primordial.sh | 2 +- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/config/hooks/live/0022_dropbear_setup.chroot b/config/hooks/live/0022_dropbear_setup.chroot index f2b4d1c..60fdbcc 100644 --- a/config/hooks/live/0022_dropbear_setup.chroot +++ b/config/hooks/live/0022_dropbear_setup.chroot @@ -10,7 +10,6 @@ # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail -set -x printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" @@ -37,8 +36,8 @@ dropbear_setup() { if [[ -d /root/ssh ]]; then - dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key - dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub + dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key + dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub else @@ -50,6 +49,9 @@ dropbear_setup() { fi + chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key + chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub + ### Prepare dropbear authorized_keys. printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys chmod 0600 /etc/dropbear/initramfs/authorized_keys 
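Review bot: `dropbearkey -y -f …` prints more than the key itself — its output also carries a "Public key portion is:" header line and a trailing "Fingerprint:" line — so the redirected `dropbear_ed25519_host_key.pub` is not a plain one-line OpenSSH public-key file the way an `ssh_host_*_key.pub` is. If anything later reads that `.pub` as a key file (an authorized_keys-style parser, a banner, a comparison against the OpenSSH host key), it will see the extra lines. Keep only the key line, which under `set -o pipefail` also fails the script if no key line is produced: `dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key | grep '^ssh-ed25519 ' >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub`. The `else` branch and the rest of dropbear_setup are outside this hunk.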
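Review bot: The new `chmod 0600` on the private host key runs only after dropbearconvert (and, in the `else` branch outside this hunk, presumably a key generator) has already created the file with the build's default umask, so there is a window in which the private key can be group- or world-readable inside the chroot; the same applies to the `>|` write of authorized_keys a few lines below, which is likewise chmod'ed only afterwards. Setting a restrictive umask before the files are created closes that window and turns the chmod lines into a statement of intent rather than a repair: add `umask 077` at the top of dropbear_setup (or wrap this section in a subshell that sets it), keeping the explicit `chmod 0644` on the `.pub` as the hunk already does. The `if`/`else` that creates the key starts outside this hunk.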
@@ -84,6 +86,9 @@ write_dropbear_conf() { [[ -z "${sshport:-}" ]] && sshport="2222" + ### CISS internal + [[ "${sshport}" == "42137" ]] && sshport="44137" + cat << EOF >| /etc/dropbear/initramfs/dropbear.conf # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; diff --git a/config/hooks/live/9930_hardening_ssh.chroot b/config/hooks/live/9930_hardening_ssh.chroot index 07b0693..9713e0f 100644 --- a/config/hooks/live/9930_hardening_ssh.chroot +++ b/config/hooks/live/9930_hardening_ssh.chroot @@ -12,10 +12,14 @@ set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" -declare _key="" _old_nullglob="" +declare _key="" _old_nullglob="" _old_dotglob="" _old_failglob="" + +### Enable nullglob/dotglob, disable failglob for safe globbing. _old_nullglob="$(shopt -p nullglob || true)" +_old_failglob="$(shopt -p failglob || true)" shopt -s nullglob +shopt -u failglob cd /etc/ssh @@ -110,6 +114,7 @@ fi /usr/sbin/sshd -t || exit 42 eval "${_old_nullglob}" 2>/dev/null || true +eval "${_old_failglob}" 2>/dev/null || true printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" diff --git a/lib/lib_primordial.sh b/lib/lib_primordial.sh index 2561148..d8dfaa4 100644 --- a/lib/lib_primordial.sh +++ b/lib/lib_primordial.sh @@ -150,7 +150,7 @@ normalize_ssh_key_file() { fi sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt" - chmod 0444 "${var_key_file}.sha256sum.txt" + chmod 0440 "${var_key_file}.sha256sum.txt" fi
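Review bot: The added remap `[[ "${sshport}" == "42137" ]] && sshport="44137"` silently replaces a caller-supplied port with a different one, and the one-line `### CISS internal` comment does not say why, nor what else (the sshd listener, firewall rules, documentation handed to operators) is expected to agree with 44137; someone who set sshport=42137 will look for dropbear on the wrong port. Either log the substitution next to the assignment, e.g. `printf 'sshport 42137 remapped to 44137 (CISS internal)\n' >&2`, or expand the comment to state the reason the two ports differ. write_dropbear_conf continues outside this hunk, so whether the value is reported anywhere later is not visible here.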
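Review bot: `_old_dotglob` is declared on the new `declare` line and the added comment says "Enable nullglob/dotglob", but nothing in this hunk saves, sets or restores dotglob — only nullglob and failglob are handled here and in the restore hunk at the end of 9930_hardening_ssh.chroot. Either add `_old_dotglob="$(shopt -p dotglob || true)"` and `shopt -s dotglob` alongside the nullglob lines (with a matching `eval "${_old_dotglob}" 2>/dev/null || true` in the restore hunk), or drop the unused variable and correct the comment to `### Enable nullglob, disable failglob for safe globbing.`. Whether the key-file globbing below actually needs dotfiles is not visible in this hunk.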