Fix ssh configuration

This commit is contained in:
Bob Mottram 2017-06-01 20:51:19 +01:00
parent 9ae115059f
commit b4a038b8c4
2 changed files with 12 additions and 0 deletions


@ -279,6 +279,7 @@ configure_ssh() {
fi fi
sed -i "s/Port .*/Port ${SSH_PORT}/g" $rootdir/etc/ssh/sshd_config sed -i "s/Port .*/Port ${SSH_PORT}/g" $rootdir/etc/ssh/sshd_config
sed -i "s/#Port ${SSH_PORT}/Port ${SSH_PORT}/g" $rootdir/etc/ssh/sshd_config
if [[ "$SSH_PUBKEY" != "no" ]]; then if [[ "$SSH_PUBKEY" != "no" ]]; then
if [ ! -d $rootdir/home/$MY_USERNAME/.ssh ]; then if [ ! -d $rootdir/home/$MY_USERNAME/.ssh ]; then
@ -287,6 +288,7 @@ configure_ssh() {
echo "$SSH_PUBKEY" > $rootdir/home/$MY_USERNAME/.ssh/authorized_keys echo "$SSH_PUBKEY" > $rootdir/home/$MY_USERNAME/.ssh/authorized_keys
chroot $rootdir /bin/chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh chroot $rootdir /bin/chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
sed -i 's|PasswordAuthentication.*|PasswordAuthentication no|g' $rootdir/etc/ssh/sshd_config sed -i 's|PasswordAuthentication.*|PasswordAuthentication no|g' $rootdir/etc/ssh/sshd_config
sed -i 's|#PasswordAuthentication no|PasswordAuthentication no|g' $rootdir/etc/ssh/sshd_config
echo $"Using ssh public key:" echo $"Using ssh public key:"
echo $SSH_PUBKEY echo $SSH_PUBKEY
echo $'Password ssh authentication turned off' echo $'Password ssh authentication turned off'
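Review bot: The added `sed -i 's|#PasswordAuthentication no|PasswordAuthentication no|g'` only takes effect when the line before it has already turned a `#PasswordAuthentication …` line into `#PasswordAuthentication no`; if sshd_config carries no PasswordAuthentication line at all, nothing is written, sshd keeps its default of password authentication enabled, and the function still prints "Password ssh authentication turned off". Guard the directive the way the second file guards ClientAliveInterval — grep for it and append when absent — and anchor the match so one substitution covers both the active and the commented form, which also removes the need for the separate uncomment line (the same applies to the `#Port` line in this hunk). Rewritten form below; configure_ssh starts before this hunk and continues after it.
```shell
# … unchanged: authorized_keys install and chown …
if grep -q '^#\?PasswordAuthentication' "$rootdir/etc/ssh/sshd_config"; then
    sed -i 's|^#\?PasswordAuthentication.*|PasswordAuthentication no|' "$rootdir/etc/ssh/sshd_config"
else
    echo 'PasswordAuthentication no' >> "$rootdir/etc/ssh/sshd_config"
fi
# … unchanged: echo lines …
```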


@ -41,10 +41,15 @@ function configure_ssh {
return return
fi fi
sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config sed -i "s/Port .*/Port $SSH_PORT/g" /etc/ssh/sshd_config
sed -i "s/#Port ${SSH_PORT}/Port ${SSH_PORT}/g" /etc/ssh/sshd_config
sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config
sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config
sed -i 's/#ServerKeyBits 4096/ServerKeyBits 4096/g' /etc/ssh/sshd_config
sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config
sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config
if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then
@ -57,26 +62,31 @@ function configure_ssh {
else else
echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config echo 'ClientAliveInterval 60' >> /etc/ssh/sshd_config
fi fi
sed -i 's/#ClientAliveInterval 60/ClientAliveInterval 60/g' /etc/ssh/sshd_config
if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then if grep -q 'ClientAliveCountMax' /etc/ssh/sshd_config; then
sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config sed -i 's/ClientAliveCountMax.*/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
else else
echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config echo 'ClientAliveCountMax 3' >> /etc/ssh/sshd_config
fi fi
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
if grep -q 'Ciphers' /etc/ssh/sshd_config; then if grep -q 'Ciphers' /etc/ssh/sshd_config; then
sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config sed -i "s|Ciphers.*|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
else else
echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config echo "Ciphers $SSH_CIPHERS" >> /etc/ssh/sshd_config
fi fi
sed -i "s|#Ciphers $SSH_CIPHERS|Ciphers $SSH_CIPHERS|g" /etc/ssh/sshd_config
if grep -q 'MACs' /etc/ssh/sshd_config; then if grep -q 'MACs' /etc/ssh/sshd_config; then
sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config sed -i "s|MACs.*|MACs $SSH_MACS|g" /etc/ssh/sshd_config
else else
echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config echo "MACs $SSH_MACS" >> /etc/ssh/sshd_config
fi fi
sed -i "s|#MACs $SSH_MACS|MACs $SSH_MACS|g" /etc/ssh/sshd_config
if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then if grep -q 'KexAlgorithms' /etc/ssh/sshd_config; then
sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config sed -i "s|KexAlgorithms.*|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
else else
echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config echo "KexAlgorithms $SSH_KEX" >> /etc/ssh/sshd_config
fi fi
sed -i "s|#KexAlgorithms $SSH_KEX|KexAlgorithms $SSH_KEX|g" /etc/ssh/sshd_config
apt-get -yq install fail2ban vim-common apt-get -yq install fail2ban vim-common
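Review bot: The new uncomment lines such as `sed -i "s|#Ciphers $SSH_CIPHERS|Ciphers $SSH_CIPHERS|g"` only fire when `#` is immediately followed by the directive, while the unanchored `grep -q 'Ciphers'` above it also matches comment lines such as `# Ciphers and keying` (present in the stock Debian sshd_config as far as I recall). On such a file the in-place branch rewrites that comment to `# Ciphers $SSH_CIPHERS`, the append branch never runs, the uncomment does not match because of the space, and the cipher restriction is silently absent from the active configuration; MACs and KexAlgorithms follow the same path if they occur only inside a comment. Anchor both sides and fold the uncomment into the substitution: `if grep -q '^#\?Ciphers' /etc/ssh/sshd_config; then` and `sed -i "s|^#\?Ciphers.*|Ciphers $SSH_CIPHERS|" /etc/ssh/sshd_config`, applied likewise to Port, PermitRootLogin, X11Forwarding, TCPKeepAlive, ClientAliveInterval, ClientAliveCountMax, MACs and KexAlgorithms. ServerKeyBits only ever applied to SSH protocol 1, so the added uncomment activates a directive that current sshd appears to treat as deprecated; dropping that pair is cleaner than activating it. configure_ssh starts before this hunk and continues after it.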