V8.13.404.2025.11.10

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

config/hooks/live/9930_hardening_ssh.chroot

@@ -24,6 +24,7 @@ rm -rf ssh_host_*key*
 if [[ -d /root/ssh ]]; then
 
   mv /root/ssh/ssh_host_*key* /etc/ssh
+  mv /root/ssh/*sha256sum.txt /etc/ssh
   rm -rf /root/ssh
 
 else
@@ -40,6 +41,8 @@ chmod 0600 /etc/ssh/ssh_host_*_key
 chown root:root /etc/ssh/ssh_host_*_key
 chmod 0644 /etc/ssh/ssh_host_*_key.pub
 chown root:root /etc/ssh/ssh_host_*_key.pub
+chmod 0440 /etc/ssh/*sha256sum.txt
+chown root:root /etc/ssh/*sha256sum.txt
 
 awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
 rm -rf /etc/ssh/moduli
@@ -47,7 +50,6 @@ mv /etc/ssh/moduli.safe /etc/ssh/moduli
 
 chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config
 
-touch /root/sshfp
 ssh-keygen -r @ >| /root/sshfp
 
 ###########################################################################################
@@ -95,14 +97,17 @@ if command -v ssh-keygen >/dev/null 2>&1; then
 
   for _key in /etc/ssh/ssh_host_*key; do
 
-    ssh-keygen -lf "${_key}" >/dev/null || exit 1
-    ssh-keygen -yf "${_key}" >/dev/null || exit 1
+    ### Only consider regular files
+    [[ -f "${_key}" ]] || continue
+
+    ssh-keygen -lf "${_key}" >/dev/null || exit 42
+    ssh-keygen -yf "${_key}" >/dev/null || exit 42
 
   done
 
 fi
 
-/usr/sbin/sshd -t || exit 1
+/usr/sbin/sshd -t || exit 42
 
 eval "${_old_nullglob}" 2>/dev/null || true