CISS.debian.live.builder/config/hooks/live/9930_hardening_ssh.chroot

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
set -Ceuo pipefail

printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
declare _key=""

cd /etc/ssh

rm -rf ssh_host_*key*

if [[ -d /root/ssh ]]; then

  if compgen -G "/root/ssh/ssh_host_*" > /dev/null; then
    mv -t /etc/ssh -- /root/ssh/ssh_host_*
  fi

  if compgen -G "/root/ssh/*sha256sum.txt" > /dev/null; then
    mv -t /etc/ssh -- /root/ssh/*sha256sum.txt
  fi

  rm -rf /root/ssh

else

  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@live-$(date -I)"

  # shellcheck disable=SC2312
  ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@live-$(date -I)"

fi

chmod 0600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key
chmod 0644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key.pub
chmod 0440 /etc/ssh/*sha256sum.txt
chown root:root /etc/ssh/*sha256sum.txt

awk '$5 >= 4000' /etc/ssh/moduli >| /etc/ssh/moduli.safe
rm -rf /etc/ssh/moduli
mv /etc/ssh/moduli.safe /etc/ssh/moduli

chmod 0600 /etc/ssh/sshd_config /etc/ssh/ssh_config

ssh-keygen -r @ >| /root/sshfp

###########################################################################################
# Remarks: The file /etc/profile.d/idle-users.sh is created to set two read-only          #
# environment variables: TMOUT and HISTFILE.                                              #
# TMOUT=14400 ensures that users are automatically logged out after 4 hours of inactivity.#
# readonly HISTFILE ensures that the command history cannot be changed.                   #
# The chmod +x command ensures that the file is executed in every shell session.          #
###########################################################################################
cat << 'EOF' >| /etc/profile.d/idle-users.sh
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-10-11; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu

case $- in
  *i*)
    TMOUT=14400
    export TMOUT
    readonly TMOUT
  ;;
esac

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF

chmod +x /etc/profile.d/idle-users.sh

mkdir -p /etc/systemd/system/ssh.service.d
cat << 'EOF' >| /etc/systemd/system/ssh.service.d/override.conf
[Unit]
After=ufw.service
Requires=ufw.service
EOF
chmod 0644 /etc/systemd/system/ssh.service.d/override.conf

### Final checks. Verify host keys after installation.
if command -v ssh-keygen >/dev/null 2>&1; then

  for _key in /etc/ssh/ssh_host_*key; do

    ### Only consider regular files
    [[ -f "${_key}" ]] || continue

    ssh-keygen -lf "${_key}" >/dev/null || exit 42
    ssh-keygen -yf "${_key}" >/dev/null || exit 42

  done

fi

/usr/sbin/sshd -t || exit 42

printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"

exit 0
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh