Your message dated Fri, 16 Aug 2024 17:32:25 -0700
with message-id <4aba434e-4c38-4532-8f8b-ead4cbb15...@medhas.org>
and subject line We continue to use Debian's defaults
has caused the Debian Bug report #804608,
regarding freedombox-setup: [PATCH] Configure ssh server
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
804608: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=804608
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freedombox-setup
Severity: wishlist

It seems odd sending a patch as a bug report, but freedombox-discuss just
gives me "550 Administrative prohibition".

This patch adds some extra hardening to the ssh server settings, in
accordance with the recommendations on bettercrypto.org.

Possibly /bin/bash could be /bin/sh


---
 setup.d/15_ssh_server | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 setup.d/15_ssh_server

diff --git a/setup.d/15_ssh_server b/setup.d/15_ssh_server
new file mode 100755
index 0000000..0685a95
--- /dev/null
+++ b/setup.d/15_ssh_server
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script hardens the ssh server settings, using recommendations
+# from bettercrypto.org
+
+SSH_CIPHERS="chacha20-poly1...@openssh.com,aes256-...@openssh.com,aes128-...@openssh.com,aes256-ctr,aes128-ctr"
+SSH_MACS="hmac-sha2-512-...@openssh.com,hmac-sha2-256-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160"
+SSH_KEX="curve25519-sha...@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1"
+
+sed -i 's/Protocol .*/Protocol 2/g' /etc/ssh/sshd_config
+sed -i 's/StrictModes.*/StrictModes yes/g' /etc/ssh/sshd_config
+sed -i 's/PermitEmptyPasswords.*/PermitEmptyPasswords no/g' 
/etc/ssh/sshd_config
+sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
+sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
+sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
+if ! grep -q '#HostKey' /etc/ssh/sshd_config; then
+       sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey 
/etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
+       sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey 
/etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
+fi
+if grep -q 'Ciphers' /etc/ssh/sshd_config; then
+    sed -i "s|Ciphers.*|Ciphers ${SSH_CIPHERS}|g" /etc/ssh/sshd_config
+else
+    echo "Ciphers ${SSH_CIPHERS}" >> /etc/ssh/sshd_config
+fi
+if grep -q 'MACs' /etc/ssh/sshd_config; then
+    sed -i "s|MACs.*|MACs ${SSH_MACS}|g" /etc/ssh/sshd_config
+else
+    echo "MACs ${SSH_MACS}" >> /etc/ssh/sshd_config
+fi
+if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
+    sed -i "s|KexAlgorithms.*|KexAlgorithms ${SSH_KEX}|g" /etc/ssh/sshd_config
+else
+    echo "KexAlgorithms ${SSH_KEX}" >> /etc/ssh/sshd_config
+fi
+
+echo "Done configuring ssh server."
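Review bot: the `if ! grep -q '#HostKey'` guard around the two HostKey edits skips both of them as soon as any `#HostKey` line exists, so a config that already has the DSA key commented out keeps its ECDSA key active; the guard also buys nothing, because the two `sed -i` substitutions are no-ops once their pattern is gone, so run them unconditionally. The same unanchored matching undermines the other edits: `s/PermitRootLogin.*/PermitRootLogin no/g` turns a commented `#PermitRootLogin yes` into `#PermitRootLogin no`, still inactive, and `grep -q 'Ciphers'` (likewise `MACs` and `KexAlgorithms`) is satisfied by a commented-out line, in which case the `else` branch that appends an active directive never runs. Anchor the patterns at line start (`^Ciphers`, `^PermitRootLogin`) or strip a leading `#` explicitly, and append new directives above any `Match` block rather than at end of file, where they would be scoped to it. Smaller points: `ServerKeyBits` only applies to protocol 1, which the `Protocol 2` line disables, so that edit is dead; the KEX list still ends with two SHA-1 methods and the MAC list keeps `hmac-ripemd160`, which the header comment's "hardens" overstates unless the choice is documented; nothing validates the rewritten file with `sshd -t` or reloads sshd, so a broken edit only surfaces at the next restart; and since the script uses no bashisms, `#!/bin/sh` would do, as the cover note suggests.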
--
2.4.1


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
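The scripted sshd_config hardening the report above asks for, redone as an added example that is neither the reporter's patch nor FreedomBox code: a POSIX sh helper that sets one global directive idempotently, relying on two rules from sshd_config(5), that keywords are case-insensitive and that the first value read for a directive wins. The function names (`get_sshd_option`, `set_sshd_option`, `make_sample_config`), the constructed sample file and the directive values in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the reporter's patch or FreedomBox code: an idempotent
# setter for global sshd_config directives. It relies on two documented
# sshd_config rules: keywords are case-insensitive, and the first value read
# for a directive wins. The sample config below is constructed for the demo.
set -eu

# get_sshd_option FILE DIRECTIVE
# Print the effective global value: the first active (uncommented) occurrence
# before any Match block, or nothing if the directive is unset.
get_sshd_option() {
    file=$1; key=$2
    awk -v key="$key" '
        tolower($1) == "match" { exit }   # Match blocks are scoped, not global
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # strip the keyword, keep the value
            print; exit
        }
    ' "$file"
}

# set_sshd_option FILE DIRECTIVE VALUE
# Put "DIRECTIVE VALUE" at the top of the file (above any Match block) and
# comment out every other active global occurrence, so the new line is the
# first one sshd reads. Already-commented lines are left alone, and a run
# whose value is already effective changes nothing.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if [ "$(get_sshd_option "$file" "$key")" = "$value" ]; then
        return 0
    fi
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) == tolower(key) { sub(/^[ \t]*/, "&#") }
            { print }
        ' "$file"
    } > "$tmp"
    cat "$tmp" > "$file"   # cat, not mv, so the file keeps its mode and owner
    rm -f "$tmp"
}

# Constructed sample that imitates a stock sshd_config, including a trailing
# Match block that a naive "append at the end" would fall into.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real distribution file
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
#PermitRootLogin yes
PermitRootLogin without-password
X11Forwarding yes
Match User backup
    X11Forwarding yes
EOF
}

demo() {
    cfg=$(mktemp)
    make_sample_config "$cfg"
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" X11Forwarding no
    set_sshd_option "$cfg" KexAlgorithms \
        'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    set_sshd_option "$cfg" PermitRootLogin no   # second run: no change
    cat "$cfg"
    rm -f "$cfg"
}

demo
```

Run it against a copy of the real file and check the copy with `sshd -t -f <copy>` before installing it; sshd's own parser is the only reliable check that the result is valid. The helper deliberately covers single-valued global directives only; `HostKey`, which is listed once per key file, needs a separate routine that comments out the individual lines.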
--- Begin Message ---
Hello,

We have been continuing to use Debian's SSH defaults. There is not a lot of agreement on overwriting Debian's defaults in FreedomBox.

I am closing this issue for now.

Thanks,

--
Sunil

--- End Message ---
