File: 99-harden-sshd-config

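#!/bin/bash
# Post-install hardening of the OpenSSH server configuration.
#
# Restricts sshd to a curated set of MACs, ciphers and key-exchange
# algorithms by editing /etc/ssh/sshd_config inside the image being
# built. For each directive: an existing line is replaced in place, a
# missing one is inserted after the stock "# Ciphers and keying"
# comment, and if that comment is absent the directive is appended to
# the end of the file instead of being silently dropped.
#
# Environment:
#   DIB_DEBUG_TRACE               shell tracing when > 0 (default: 1)
#   DIB_OPENSSH_SERVER_HARDENING  set to 0 to skip this element (default: 1)
#
# NOTE(review): sshd uses the first value it obtains for a keyword, so a
# preceding "Include" (e.g. /etc/ssh/sshd_config.d/*.conf on newer
# distributions) can still take precedence over the lines written here;
# verify the effective values with `sshd -T` if that matters.
if [ "${DIB_DEBUG_TRACE:-1}" -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Insertion point present in the sshd_config shipped by upstream OpenSSH.
readonly ANCHOR_COMMENT="# Ciphers and keying"

#######################################
# Ensure exactly one directive line in an sshd config carries the wanted value.
# Arguments:
#   $1 - keyword (e.g. "MACs"); matched case-insensitively, as sshd does
#   $2 - full directive line to enforce ("<keyword> <value>")
#   $3 - path of the sshd configuration file
# Returns:
#   0 on success; a failing grep/sed on an unwritable or missing file
#   aborts the script via set -e
#######################################
enforce_sshd_directive() {
    local keyword=$1
    local directive=$2
    local config=$3

    # Whole-line, fixed-string comparison: a substring regex match would
    # also be satisfied by a commented-out copy of the line.
    if grep -qxF -- "$directive" "$config"; then
        return 0
    fi

    if grep -qiE -- "^${keyword}" "$config"; then
        # Replace the existing directive rather than adding a second copy,
        # which sshd would ignore (first value wins). The directive values
        # contain no '/' or '&', so they are safe as a sed replacement.
        sed -i "s/^${keyword}.*/${directive}/I" "$config"
    elif grep -qF -- "$ANCHOR_COMMENT" "$config"; then
        sed -i "/${ANCHOR_COMMENT}/a ${directive}" "$config"
    else
        # Trimmed or vendor-customised config without the stock comment:
        # append so the hardening is still applied.
        printf '%s\n' "$directive" >> "$config"
    fi
}

if [ "${DIB_OPENSSH_SERVER_HARDENING:-1}" -eq 1 ]; then
    enforce_sshd_directive MACs \
        "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com" \
        "$SSHD_CONFIG"
    enforce_sshd_directive Ciphers \
        "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr" \
        "$SSHD_CONFIG"
    enforce_sshd_directive KexAlgorithms \
        "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256" \
        "$SSHD_CONFIG"
fi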