msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

V8.13.404.2025.11.10
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m27s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-11-10 16:03:39 +01:00
parent 95d5de1b26
commit 3c4aa96744
3 changed files with 15 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
config/hooks/live/0022_dropbear_setup.chroot
View File

@@ -10,7 +10,6 @@
# SPDX-PackageName: CISS.debian.live.builder # SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail set -Ceuo pipefail
set -x
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
@@ -37,8 +36,8 @@ dropbear_setup() {
if [[ -d /root/ssh ]]; then if [[ -d /root/ssh ]]; then
dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key /etc/dropbear/initramfs/dropbear_ed25519_host_key
dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key >| /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
else else
@@ -50,6 +49,9 @@ dropbear_setup() {
fi fi
chmod 0600 /etc/dropbear/initramfs/dropbear_ed25519_host_key
chmod 0644 /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
### Prepare dropbear authorized_keys. ### Prepare dropbear authorized_keys.
printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys printf "%s\n" "${var_force_command_string}${user_root_sshpubkey}" >| /etc/dropbear/initramfs/authorized_keys
chmod 0600 /etc/dropbear/initramfs/authorized_keys chmod 0600 /etc/dropbear/initramfs/authorized_keys
@@ -84,6 +86,9 @@ write_dropbear_conf() {
[[ -z "${sshport:-}" ]] && sshport="2222" [[ -z "${sshport:-}" ]] && sshport="2222"
### CISS internal
[[ "${sshport}" == "42137" ]] && sshport="44137"
cat << EOF >| /etc/dropbear/initramfs/dropbear.conf cat << EOF >| /etc/dropbear/initramfs/dropbear.conf
# SPDX-Version: 3.0 # SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev> # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>

7
config/hooks/live/9930_hardening_ssh.chroot
View File

@@ -12,10 +12,14 @@
set -Ceuo pipefail set -Ceuo pipefail
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare _key="" _old_nullglob="" declare _key="" _old_nullglob="" _old_dotglob="" _old_failglob=""
### Enable nullglob/dotglob, disable failglob for safe globbing.
_old_nullglob="$(shopt -p nullglob || true)" _old_nullglob="$(shopt -p nullglob || true)"
_old_failglob="$(shopt -p failglob || true)"
shopt -s nullglob shopt -s nullglob
shopt -u failglob
cd /etc/ssh cd /etc/ssh
@@ -110,6 +114,7 @@ fi
/usr/sbin/sshd -t || exit 42 /usr/sbin/sshd -t || exit 42
eval "${_old_nullglob}" 2>/dev/null || true eval "${_old_nullglob}" 2>/dev/null || true
eval "${_old_failglob}" 2>/dev/null || true
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

2
lib/lib_primordial.sh
View File

@@ -150,7 +150,7 @@ normalize_ssh_key_file() {
fi fi
sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt" sha256sum "${var_key_file}" >| "${var_key_file}.sha256sum.txt"
chmod 0444 "${var_key_file}.sha256sum.txt" chmod 0440 "${var_key_file}.sha256sum.txt"
fi fi