V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-10 15:06:38 +01:00
parent da2f981cd6
commit e0ba06ba46
2 changed files with 17 additions and 6 deletions
--- a/config/hooks/live/0022_dropbear_setup.chroot
+++ b/config/hooks/live/0022_dropbear_setup.chroot
@@ -27,7 +27,6 @@ export DEBIAN_FRONTEND="noninteractive" INITRD="No"
 #######################################
 dropbear_setup() {
  ### Declare Arrays, HashMaps, and Variables.
  declare network_static_ipv4ntpserver_0="192.53.103.108"
  # shellcheck disable=SC2155
  declare user_root_sshpubkey="$(< /root/.ssh/authorized_keys)"
  declare var_force_command_string='command="/usr/local/bin/unlock_wrapper.sh",no-agent-forwarding,no-port-forwarding,no-X11-forwarding '
@@ -37,11 +36,18 @@ dropbear_setup() {
  if [[ -d /root/ssh ]]; then
    # shellcheck disable=SC2155
    declare _tmp=$(mktemp)
    cp -f -- /root/ssh/ssh_host_rsa_key "${_tmp}"
    ssh-keygen -p -N '' -m PEM -f "${_tmp}"
    dropbearconvert openssh dropbear /root/ssh/ssh_host_ed25519_key     /etc/dropbear/initramfs/dropbear_ed25519_host_key
-    dropbearconvert openssh dropbear /root/ssh/ssh_host_rsa_key         /etc/dropbear/initramfs/dropbear_rsa_host_key
+    dropbearconvert openssh dropbear "${_tmp}"                          /etc/dropbear/initramfs/dropbear_rsa_host_key
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_ed25519_host_key /etc/dropbear/initramfs/dropbear_ed25519_host_key.pub
    dropbearkey -y -f /etc/dropbear/initramfs/dropbear_rsa_host_key     /etc/dropbear/initramfs/dropbear_rsa_host_key.pub
    rm -f "${_tmp}"
  else
    # shellcheck disable=SC2312
--- a/config/hooks/live/9930_hardening_ssh.chroot
+++ b/config/hooks/live/9930_hardening_ssh.chroot
@@ -24,6 +24,7 @@ rm -rf ssh_host_*key*
 if [[ -d /root/ssh ]]; then
  mv /root/ssh/ssh_host_*key* /etc/ssh
  mv /root/ssh/*sha256sum.txt /etc/ssh
  rm -rf /root/ssh
 else
@@ -40,6 +41,8 @@ chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
 chmod 0440 /etc/ssh/*sha256sum.txt
 chown root:root /etc/ssh/*sha256sum.txt
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
@@ -47,7 +50,6 @@ mv /etc/ssh/moduli.safe /etc/ssh/moduli
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 ###########################################################################################
@@ -95,14 +97,17 @@ if command -v ssh-keygen >/dev/null 2>&1; then
  for _key in /etc/ssh/ssh_host_*key; do
-    ssh-keygen -lf "${_key}" >/dev/null || exit 1
+    ### Only consider regular files
-    ssh-keygen -yf "${_key}" >/dev/null || exit 1
+    [[ -f "${_key}" ]] || continue
    ssh-keygen -lf "${_key}" >/dev/null || exit 42
    ssh-keygen -yf "${_key}" >/dev/null || exit 42
  done
 fi
-/usr/sbin/sshd -t || exit 1
+/usr/sbin/sshd -t || exit 42
 eval "${_old_nullglob}" 2>/dev/null || true