From 3cf283dbe4976585f403dfcfbd01e5d5ec7d0f3d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Wed, 14 Jun 2017 18:14:39 +0100 Subject: [PATCH] Key lengths same as letsencrypt --- src/freedombone-addcert | 2 +- src/freedombone-app-ipfs | 2 +- src/freedombone-base-email | 2 +- src/freedombone-client | 2 +- src/freedombone-utils-ssh | 11 ++++++----- 5 files changed, 10 insertions(+), 9 deletions(-) diff --git a/src/freedombone-addcert b/src/freedombone-addcert index 286e35e4..6d42c2a7 100755 --- a/src/freedombone-addcert +++ b/src/freedombone-addcert @@ -311,7 +311,7 @@ function add_cert_selfsigned { openssl req -x509 ${EXTENSIONS} -nodes -days 3650 -sha256 \ -subj "/O=$ORGANISATION/OU=$UNIT/C=$COUNTRY_CODE/ST=$AREA/L=$LOCATION/CN=$HOSTNAME" \ - -newkey rsa:4096 -keyout /etc/ssl/private/${CERTFILE}.key \ + -newkey rsa:2048 -keyout /etc/ssl/private/${CERTFILE}.key \ -out /etc/ssl/certs/${CERTFILE}.crt chmod 400 /etc/ssl/private/${CERTFILE}.key chmod 640 /etc/ssl/certs/${CERTFILE}.crt diff --git a/src/freedombone-app-ipfs b/src/freedombone-app-ipfs index 0f3ea5f5..d7ac4019 100755 --- a/src/freedombone-app-ipfs +++ b/src/freedombone-app-ipfs @@ -519,7 +519,7 @@ function install_ipfs_go { fi # initialise - su -c "$IPFS_PATH/ipfs init -b 4096" - $MY_USERNAME + su -c "$IPFS_PATH/ipfs init -b 2048" - $MY_USERNAME if [ ! -d /home/$MY_USERNAME/.ipfs ]; then echo "IPFS could not be initialised for user $MY_USERNAME" exit 7358 diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 05d5c81b..59381f51 100755 --- a/src/freedombone-base-email +++ b/src/freedombone-base-email 
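Review bot: The new `-newkey rsa:2048` line sits next to `-days 3650`, so the commit title's comparison with Let's Encrypt does not transfer: Let's Encrypt pairs 2048-bit keys with certificates that are reissued every 90 days, whereas this self-signed key is expected to protect the service for ten years. The same mismatch applies to the other long-lived keys reduced in this commit — the IPFS node identity in freedombone-app-ipfs, the Dovecot CA `default_bits` (which sits beside `default_days = 3650`) in freedombone-base-email, and the RSA user key in freedombone-client. 2048-bit RSA is still an accepted minimum today, so the change is defensible, but the rationale should live next to the value, e.g. `# 2048-bit RSA matches Let's Encrypt; this self-signed cert is valid for 3650 days, so revisit the size if that validity stays`. The rest of add_cert_selfsigned is outside the hunk.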
@@ -1454,7 +1454,7 @@ function configure_imap_client_certs { echo 'serial = sslserial' >> /etc/ssl/dovecot-ca.cnf echo 'default_days = 3650' >> /etc/ssl/dovecot-ca.cnf echo 'default_md = sha256' >> /etc/ssl/dovecot-ca.cnf - echo 'default_bits = 4096' >> /etc/ssl/dovecot-ca.cnf + echo 'default_bits = 2048' >> /etc/ssl/dovecot-ca.cnf echo 'policy = dovecot-ca_policy' >> /etc/ssl/dovecot-ca.cnf echo 'x509_extensions = dovecot-ca_extensions' >> /etc/ssl/dovecot-ca.cnf echo '' >> /etc/ssl/dovecot-ca.cnf diff --git a/src/freedombone-client b/src/freedombone-client index b30508ed..6893872c 100755 --- a/src/freedombone-client +++ b/src/freedombone-client @@ -154,7 +154,7 @@ function configure_ssh_client { ssh-keygen -t ed25519 -o -a 100 fi if [ ! -f /home/$CURR_USER/.ssh/id_rsa ]; then - ssh-keygen -t rsa -b 4096 -o -a 100 + ssh-keygen -t rsa -b 2048 -o -a 100 fi ssh_remove_small_moduli diff --git a/src/freedombone-utils-ssh b/src/freedombone-utils-ssh index 4d5fdc7f..780d0ed7 100755 --- a/src/freedombone-utils-ssh +++ b/src/freedombone-utils-ssh 
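Review bot: This hunk keeps generating an RSA user key at `ssh-keygen -t rsa -b 2048 -o -a 100`, while the same block in configure_ssh_client of freedombone-utils-ssh is commented out by this very commit, so the two client setups now disagree on whether an RSA key exists at all. If ed25519 is meant to be the only user key, this block should go too; if RSA is still needed for servers without ed25519 support, the utils-ssh copy should be restored rather than disabled. Whichever is intended, a comment such as `# RSA key kept alongside ed25519 for servers that lack ed25519 support` would record the decision. The enclosing function continues outside the hunk.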
@@ -46,12 +46,13 @@ function configure_ssh { sed -i 's/#PermitRootLogin no/PermitRootLogin no/g' /etc/ssh/sshd_config sed -i 's/X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config sed -i 's/#X11Forwarding no/X11Forwarding no/g' /etc/ssh/sshd_config - sed -i 's/ServerKeyBits.*/ServerKeyBits 4096/g' /etc/ssh/sshd_config - sed -i 's/#ServerKeyBits 4096/ServerKeyBits 4096/g' /etc/ssh/sshd_config + sed -i 's/ServerKeyBits.*/ServerKeyBits 2048/g' /etc/ssh/sshd_config + sed -i 's/#ServerKeyBits 2048/ServerKeyBits 2048/g' /etc/ssh/sshd_config sed -i 's/TCPKeepAlive.*/TCPKeepAlive no/g' /etc/ssh/sshd_config sed -i 's/#TCPKeepAlive no/TCPKeepAlive no/g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_dsa_key|#HostKey /etc/ssh/ssh_host_dsa_key|g' /etc/ssh/sshd_config sed -i 's|HostKey /etc/ssh/ssh_host_ecdsa_key|#HostKey /etc/ssh/ssh_host_ecdsa_key|g' /etc/ssh/sshd_config + sed -i 's|#HostKey /etc/ssh/ssh_host_ed25519_key|HostKey /etc/ssh/ssh_host_ed25519_key|g' /etc/ssh/sshd_config if ! grep -q 'DebianBanner' /etc/ssh/sshd_config; then echo 'DebianBanner no' >> /etc/ssh/sshd_config else @@ -126,9 +127,9 @@ function configure_ssh_client { if [ ! -f ~/.ssh/id_ed25519 ]; then ssh-keygen -t ed25519 -o -a 100 fi - if [ ! -f ~/.ssh/id_rsa ]; then - ssh-keygen -t rsa -b 4096 -o -a 100 - fi + #if [ ! -f ~/.ssh/id_rsa ]; then + # ssh-keygen -t rsa -b 2048 -o -a 100 + #fi function_check ssh_remove_small_moduli ssh_remove_small_moduli
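Review bot: The two `ServerKeyBits 2048` sed lines only size the ephemeral server key of SSH protocol 1; OpenSSH treats `ServerKeyBits` as a deprecated option and it has no effect on protocol-2 host keys, whose size is fixed by the files named in `HostKey`, so this part of the change does not alter what sshd offers and could be dropped or annotated with `# ServerKeyBits is protocol-1 only; host key sizes come from the HostKey files`. The added sed for `HostKey /etc/ssh/ssh_host_ed25519_key` only uncomments a line that already exists in sshd_config; if the line is absent nothing is appended, and with the DSA and ECDSA `HostKey` lines commented out just above it, the explicit host-key set presumably shrinks to RSA alone. A guard in the style of the `DebianBanner` check below would make the result deterministic: `if ! grep -q '^HostKey /etc/ssh/ssh_host_ed25519_key' /etc/ssh/sshd_config; then echo 'HostKey /etc/ssh/ssh_host_ed25519_key' >> /etc/ssh/sshd_config; fi`. configure_ssh continues outside the hunk.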
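Review bot: The RSA key generation in configure_ssh_client is disabled by commenting out the three lines from `#if [ ! -f ~/.ssh/id_rsa ]; then` to `#fi` rather than deleting them, which leaves dead code that still carries the new `-b 2048` value nobody runs. Version control already preserves the old form, so the three lines should be removed, and if the omission is deliberate a one-line comment such as `# RSA user keys are no longer generated; ed25519 only` states it more clearly than commented-out code. configure_ssh_client continues outside the hunk.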