V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9930_hardening_ssh.chroot

@@ -12,6 +12,10 @@
 set -Ceuo pipefail
 
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+declare _key="" _old_nullglob=""
+_old_nullglob="$(shopt -p nullglob || true)"
+
+shopt -s nullglob
 
 cd /etc/ssh
 
@@ -86,6 +90,22 @@ Requires=ufw.service
 EOF
 chmod 0644 /etc/systemd/system/ssh.service.d/override.conf
 
+### Final checks. Verify host keys after installation.
+if command -v ssh-keygen >/dev/null 2>&1; then
+
+  for _key in /etc/ssh/ssh_host_*key; do
+
+    ssh-keygen -lf "${_key}" >/dev/null || exit 1
+    ssh-keygen -yf "${_key}" >/dev/null || exit 1
+
+  done
+
+fi
+
+/usr/sbin/sshd -t || exit 1
+
+eval "${_old_nullglob}" 2>/dev/null || true
+
 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
 
 exit 0