Diffstat (limited to 'projectroot')
-rw-r--r-- | projectroot/etc/rc.once.d/openssh | 68 | ||||
-rw-r--r-- | projectroot/etc/ssh/sshd_config | 66 |
2 files changed, 91 insertions, 43 deletions
diff --git a/projectroot/etc/rc.once.d/openssh b/projectroot/etc/rc.once.d/openssh
index 83e6e37de..a49ddee0a 100644
--- a/projectroot/etc/rc.once.d/openssh
+++ b/projectroot/etc/rc.once.d/openssh
@@ -1,33 +1,53 @@ #!/bin/sh -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +PATH=/sbin:/bin:/usr/sbin:/usr/bin -OPENSSH_RSAKEY_DEFAULT="/etc/ssh/ssh_host_rsa_key" -OPENSSH_DSAKEY_DEFAULT="/etc/ssh/ssh_host_dsa_key" - -test -n "$OPENSSH_RSAKEY" || \ - OPENSSH_RSAKEY=$OPENSSH_RSAKEY_DEFAULT -test -n "$OPENSSH_DSAKEY" || \ - OPENSSH_DSAKEY=$OPENSSH_DSAKEY_DEFAULT - -gen_key() { - - key_type=$1 - key_file=$2 - - rm -f $key_file > /dev/null 2>&1 - - echo -n "generating $key_type key..." - ssh-keygen -t $key_type -f $key_file -N "" > /dev/null 2>&1 +get_hostkeys() { + [ -f /etc/ssh/sshd_config ] || return + sed -n 's/^HostKey[ \t][ \t]*\(.*\)/\1/p' /etc/ssh/sshd_config +} - if [ "$?" = "0" ]; then - echo "done" +host_keys_required() { + hostkeys="$(get_hostkeys)" + if [ "$hostkeys" ]; then + echo "$hostkeys" else - echo "failed" - exit 1 + # No HostKey directives found, so we pick secure defaults + echo /etc/ssh/ssh_host_ed25519_key + echo /etc/ssh/ssh_host_rsa_key fi } -gen_key rsa "$OPENSSH_RSAKEY" -gen_key dsa "$OPENSSH_DSAKEY" +create_key() { + msg="$1" + shift + hostkeys="$1" + shift + file="$1" + shift + + if echo "$hostkeys" | grep -x "$file" >/dev/null; then + echo "$msg; this may take some time ..." + rm -f $file && + ssh-keygen -q -f "$file" -N '' "$@" || return + echo "$msg; done." + fi +} + +create_keys() { + hostkeys="$(host_keys_required)" + + create_key "Creating DSA key" \ + "$hostkeys" /etc/ssh/ssh_host_dsa_key -t dsa && + create_key "Creating ECDSA key" \ + "$hostkeys" /etc/ssh/ssh_host_ecdsa_key -t ecdsa && + create_key "Creating ED25519 key" \ + "$hostkeys" /etc/ssh/ssh_host_ed25519_key -t ed25519 && + create_key "Creating RSA key" \ + "$hostkeys" /etc/ssh/ssh_host_rsa_key -t rsa -b 4096 +} +if ! create_keys; then + echo "Generating SSH keys failed!" + exit 1 +fi diff --git a/projectroot/etc/ssh/sshd_config b/projectroot/etc/ssh/sshd_config index 7cd7897b3..f53cb3d8f 100644 --- a/projectroot/etc/ssh/sshd_config 
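Review bot: In `create_key`, `grep -x "$file"` treats the key path as a basic regular expression and `rm -f $file` on the next line is the only unquoted expansion of `$file`, while the `ssh-keygen` call quotes it; `if echo "$hostkeys" | grep -Fx -- "$file" >/dev/null; then` and `rm -f -- "$file" &&` make the match literal and the quoting consistent. `get_hostkeys` relies on sed understanding `\t` inside a bracket expression, which GNU and busybox sed do but POSIX does not promise; `[[:space:]]` would be the portable spelling under `#!/bin/sh`. Note also that `create_keys` will still produce a DSA key whenever a `HostKey /etc/ssh/ssh_host_dsa_key` directive is present; only the sshd_config change in this commit keeps the generated set to ED25519 and RSA-4096, so a comment above `create_keys` saying the set is driven by sshd_config would make that dependency explicit.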
+++ b/projectroot/etc/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -7,24 +7,31 @@ # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a +# possible, but leave them commented. Uncommented options override the # default value. -Port 22 -Protocol 2 +#Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: +# The default requires explicit activation of protocol 1 +#Protocol 2 + # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key -HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_dsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h -#ServerKeyBits 768 +#ServerKeyBits 1024 + +# Ciphers and keying +#RekeyLimit default none # Logging # obsoletes QuietMode and FascistLogging @@ -37,10 +44,19 @@ HostKey /etc/ssh/ssh_host_dsa_key PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 +#MaxSessions 10 #RSAAuthentication yes #PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no 
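Review bot: The new `AuthorizedKeysFile .ssh/authorized_keys` and `AuthorizedKeysCommand` lines in the `@@ -37,10 +44,19 @@` hunk sit directly under `PermitRootLogin yes`, which the commit keeps unchanged as context, so password logins for root remain enabled while the rest of the change tightens defaults (DSA host key dropped, ED25519 added, sandboxed privilege separation). If the image is meant to ship with key-based access only, `PermitRootLogin prohibit-password` (spelled `without-password` on OpenSSH before 7.0) is the one-line change; otherwise a comment such as `# Root password login is intentional for this projectroot; restrict via Match or PermitRootLogin before shipping` would record the decision. `PermitRootLogin yes` itself is outside the lines this commit changes.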
@@ -69,37 +85,49 @@ PermitRootLogin yes #GSSAPIAuthentication no #GSSAPICleanupCredentials yes -# Set this to 'yes' to enable PAM authentication, account processing, -# and session processing. If this is enabled, PAM authentication will -# be allowed through the ChallengeResponseAuthentication mechanism. -# Depending on your PAM configuration, this may bypass the setting of -# PasswordAuthentication, PermitEmptyPasswords, and -# "PermitRootLogin without-password". If you just want the PAM account and -# session checks to run without PAM authentication, then enable this but set -# ChallengeResponseAuthentication=no +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. #UsePAM no +#AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes +#PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no -#UsePrivilegeSeparation yes +UsePrivilegeSeparation sandbox # Default for new installations. 
#PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 -#UseDNS yes +#UseDNS no #PidFile /var/run/sshd.pid -#MaxStartups 10 +#MaxStartups 10:30:100 #PermitTunnel no +#ChrootDirectory none +#VersionAddendum none # no default banner path -#Banner /some/path +#Banner none # override default of no subsystems Subsystem sftp /usr/sbin/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server |