#!/bin/bash # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu set -Ceuo pipefail printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}" declare _key="" cd /etc/ssh rm -rf ssh_host_*key* if [[ -d /root/ssh ]]; then if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then mv -t /etc/ssh -- /root/ssh/ssh_host_* fi if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then mv -t /etc/ssh -- /root/ssh/*sha256sum.txt fi rm -rf /root/ssh else # shellcheck disable=SC2312 ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)" # shellcheck disable=SC2312 ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)" fi chmod 0600 /etc/ssh/ssh_host_*_key chown root:root /etc/ssh/ssh_host_*_key chmod 0644 /etc/ssh/ssh_host_*_key.pub chown root:root /etc/ssh/ssh_host_*_key.pub chmod 0440 /etc/ssh/*sha256sum.txt chown root:root /etc/ssh/*sha256sum.txt awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe rm -rf /etc/ssh/moduli mv /etc/ssh/moduli.safe /etc/ssh/moduli chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config ssh-keygen -r @ >| /root/sshfp ########################################################################################### # Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only # # environment variables: TMOUT and HISTFILE. # # TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.# # readonly HISTFILE ensures that the command history cannot be changed. # # The chmod +x command ensures that the file is executed in every shell session. # ########################################################################################### cat << 'EOF' >| /etc/profile.d/idle-users.sh # SPDX-Version: 3.0 # SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; # SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git # SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency # SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; # SPDX-FileType: SOURCE # SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1 # SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework. # SPDX-PackageName: CISS.debian.live.builder # SPDX-Security-Contact: security@coresecret.eu case $- in *i*) TMOUT=14400 export TMOUT readonly TMOUT ;; esac # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh EOF chmod +x /etc/profile.d/idle-users.sh mkdir -p /etc/systemd/system/ssh.service.d cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf [Unit] After=ufw.service Requires=ufw.service EOF chmod 0644 /etc/systemd/system/ssh.service.d/override.conf ### Final checks. Verify host keys after installation. if command -v ssh-keygen >/dev/null 2>&1; then for _key in /etc/ssh/ssh_host_*key; do ### Only consider regular files [[ -f "${_key}" ]] || continue ssh-keygen -lf "${_key}" >/dev/null || exit 42 ssh-keygen -yf "${_key}" >/dev/null || exit 42 done fi /usr/sbin/sshd -t || exit 42 printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}" exit 0 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh